155 matches found
OpenJDK: certificate validation issue in TLS session negotiation (8298310)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JSSE. Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit...
CVE-2023-30516
Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries, resulting in job configurations using Image Tag Parameters that were created before 2.0 having SSL/TLS certificate validation disabled by defau...
SUSE CVE-2016-9015
Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information leakage attacks. Thi...
PT-2022-27493 · Jenkins · Jenkins Ns-Nd Integration Performance Publisher Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins NS-ND Integration Performance Publisher Plugin versions 4.8.0.143 and earlier Description: The issue concerns the global and unconditional disabling of SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM...
SUSE-SU-2022:3725-1 Security update for icinga2
This update for icinga2 fixes the following issues: - CVE-2020-14004: prepare-dirs script allows for symlink attack in the icinga user context. bsc1172171 - CVE-2020-29663: ignoring CRL, where revoked certificates due for renewal will automatically be renewed. bsc281137 - CVE-2021-37698: Missing...
CVE-2022-40147
CVE-2022-40147 affects Siemens Industrial Edge Management prior to v1.5.1. Root cause: improper TLS server-certificate validation, enabling an attacker to spoof a trusted entity by intercepting the client–server path. Impact is confidentiality and integrity loss (C/H, I/H), with no availability i...
PT-2022-25421
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading update packages through its auto-update mechanism. An attacker suitably positioned on the network could intercept the update request and deliver a...
CVE-2022-32151 Splunk Enterprise disabled TLS validation using the CA certificate stores in Python 3 libraries by default
The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority CA certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203. Python 3 client libraries...
PT-2022-21125 · Splunk · Splunk Cloud Platform +2
Name of the Vulnerable Software and Affected Versions: Splunk Enterprise and Universal Forwarder versions prior to 9.0 Description: The issue is related to the Splunk command-line interface CLI not validating TLS certificates while connecting to a remote Splunk platform instance by default. This...
Jenkins plugins Multiple Vulnerabilities (2022-03-29)
According to its their self-reported version number, the version of Jenkins plugins running on the remote web server are Jenkins Bitbucket Server Integration Plugin prior to 3.2.0, Continuous Integration with Toad Edge Plugin prior to 2.4, Coverage/Complexity Scatter Plot Plugin 1.1.1 or earlier,...
Missing permission checks in Jenkins Proxmox Plugin
Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password perform a connection test, disable SSL/TLS validation for...
GHSA-2MGJ-MWVF-MPG5 Missing permission checks in Jenkins Proxmox Plugin
Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password perform a connection test, disable SSL/TLS validation for...
CVE-2022-28144
Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password perform a connection test, disable SSL/TLS validation for...
CVE-2022-28144
Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password perform a connection test, disable SSL/TLS validation for...
CVE-2022-28143
A cross-site request forgery CSRF vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password perform a connection test, disable SSL/TLS validation for the entire Jenkins controller JVM as part ...
Default credentials
Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password perform a connection test, disable SSL/TLS validation for...
Cross site request forgery (csrf)
A cross-site request forgery CSRF vulnerability in Jenkins Proxmox Plugin 0.7.0 and earlier allows attackers to connect to an attacker-specified host using attacker-specified username and password perform a connection test, disable SSL/TLS validation for the entire Jenkins controller JVM as part ...
Design/Logic Flaw
Jenkins Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation globally for the Jenkins controller JVM when configured to ignore SSL/TLS issues...
CVE-2022-28144
Jenkins Proxmox Plugin 0.7.0 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified host using attacker-specified username and password perform a connection test, disable SSL/TLS validation for...
PYSEC-2021-863
The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority CA to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store...