Lucene search
68 matches found

RedhatCVE | added 2026/06/11 2:59 p.m. | 17 views

CVE-2026-47838

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7....

CVSS 8.1 | AI score 5.4 | EPSS 0.00116 | Exploits 0 | References 1
OSV | added 2026/06/10 12:31 a.m. | 2 views

GHSA-293Q-567P-WMWQ Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates

In Spring Security Web, SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user...

CVSS 6.8 | AI score 5.8 | EPSS 0.00116 | Exploits 0 | References 4
Vulnrichment | added 2026/06/09 11:50 p.m. | 8 views

CVE-2026-47838 Unauthorized User Impersonation when Using X.509 Client Certificates

SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7....

CVSS 6.8 | AI score 5.4 | EPSS 0.00116 | Exploits 0 | References 1
Snyk | added 2026/06/09 12:00 a.m. | 5 views

User Impersonation

Overview: org.springframework.security:spring-security-config is a security configuration package for Spring Framework. Affected versions of this package are vulnerable to User Impersonation via username extraction in SubjectDnX509PrincipalExtractor. An attacker can impersonate another user by...

CVSS 8.1 | AI score 5.4 | EPSS 0.00116 | Exploits 0 | References 2
RedhatCVE | added 2026/04/27 12:53 p.m. | 5 views

CVE-2026-22747

A flaw was found in Spring Security. This vulnerability allows a remote attacker to impersonate another user. The SubjectX500PrincipalExtractor component incorrectly handles certain malformed X.509 certificate Common Name (CN) values, which can lead to the system reading an incorrect username. By...

CVSS 8.1 | AI score 5.5 | EPSS 0.00296 | Exploits 0 | References 4
Snyk | added 2026/04/22 12:24 p.m. | 3 views

User Impersonation

Overview: org.springframework.security:spring-security-web is a package within Spring Security that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to User Impersonation in the SubjectX500PrincipalExtractor component. An attacker can gain...

CVSS 8.6 | AI score 5.5 | EPSS 0.00296 | Exploits 0 | References 2
CNNVD | added 2026/04/22 12:00 a.m. | 11 views

Spring Security security vulnerability

Spring Security is a security framework developed by Spring OpenSource that includes authentication and authorization features. Versions of Spring Security 7.0.4 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the improper handling of certain malformed X.509...

CVSS 8.1 | AI score 5.8 | EPSS 0.00296 | Exploits 0 | References 1
Positive Technologies | added 2026/04/22 12:00 a.m. | 16 views

PT-2026-34251

Vulnerability in Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user...

CVSS 6.8 | AI score 5.8 | EPSS 0.00296 | Exploits 0 | References 4
RedhatCVE | added 2025/11/11 7:29 p.m. | 6 views

CVE-2025-64432

KubeVirt is a virtual machine management add-on for Kubernetes. Versions 1.5.3 and below, and 1.6.0 contained a flawed implementation of the Kubernetes aggregation layer's authentication flow which could enable bypass of RBAC controls. It was discovered that the virt-api component fails to...

CVSS 6.5 | AI score 5.1 | EPSS 0.00129 | Exploits 1 | References 7
EUVD | added 2025/10/03 8:07 p.m. | 8 views

EUVD-2024-29724

Malicious code in bioql PyPI...

CVSS 8.1 | AI score 6.5 | EPSS 0.00173 | Exploits 0 | References 1
SUSE CVE | added 2025/04/23 2:47 a.m. | 6 views

SUSE CVE-2012-6153

http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via...

CVSS 4.3 | AI score 6.2 | EPSS 0.05844 | Exploits 0 | References 3
RedHat Linux | added 2023/06/29 8:07 p.m. | 6 views

jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows...

CVSS 5.8 | AI score 7.4 | EPSS 0.09254 | Exploits 0 | References 4
SUSE CVE | added 2023/02/15 6:13 a.m. | 5 views

SUSE CVE-2006-6772

Format string vulnerability in the inputAnswer function in file.c in w3m before 0.5.2, when run with the dump or backend option, allows remote attackers to execute arbitrary code via format string specifiers in the Common Name (CN) field of an SSL certificate associated with an https URL...

CVSS 9.3 | AI score 7.9 | EPSS 0.04665 | Exploits 0 | References 4
SUSE CVE | added 2023/02/15 6:03 a.m. | 6 views

SUSE CVE-2009-2408

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to...

CVSS 5.9 | AI score 6.7 | EPSS 0.05741 | Exploits 4 | References 26
SUSE CVE | added 2023/02/15 6:03 a.m. | 5 views

SUSE CVE-2009-2474

neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate...

CVSS 5.8 | AI score 6.8 | EPSS 0.0138 | Exploits 0 | References 3
SUSE CVE | added 2023/02/15 6:02 a.m. | 4 views

SUSE CVE-2009-3765

muttssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a...

CVSS 6.8 | AI score 7.5 | EPSS 0.01084 | Exploits 0 | References 3
SUSE CVE | added 2023/02/15 6:02 a.m. | 6 views

SUSE CVE-2009-3767

libraries/libldap/tlso.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers vi...

CVSS 4.3 | AI score 7.5 | EPSS 0.03094 | Exploits 1 | References 3
SUSE CVE | added 2023/02/15 6:01 a.m. | 9 views

SUSE CVE-2009-4034

PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle...

CVSS 5.8 | AI score 7 | EPSS 0.0213 | Exploits 2 | References 5
SUSE CVE | added 2023/02/15 5:59 a.m. | 3 views

SUSE CVE-2010-1192

libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification...

CVSS 6.8 | AI score 7.5 | EPSS 0.00865 | Exploits 0 | References 4
SUSE CVE | added 2023/02/15 5:55 a.m. | 6 views

SUSE CVE-2010-5076

QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority...

CVSS 4.3 | AI score 6.5 | EPSS 0.01402 | Exploits 1 | References 3
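The CVE-2009-2408 / 2474 / 3765 / 3767 / 4034 and CVE-2010-1192 entries above all describe the same failure mode: the CN is a DER string with an explicit length, but the client hands it to a C string API, so comparison stops at an embedded '\0' and a certificate a CA legitimately issued for the attacker's domain is accepted for the victim's hostname. CVE-2010-5076 (Qt) is the neighbouring mistake of letting a wildcard CN match an IP address. The following is an added example written for this page; it is not code from NSS, neon, mutt, OpenLDAP, PostgreSQL, libESMTP, Qt or Apache HttpClient. `cn_matches_naive` models the flawed pattern, `cn_matches_host` the length-aware check a client should perform. The hostnames, the CN byte string and the simplified `is_ip_literal` heuristic are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed test input (not from any real certificate): a CN whose
 * visible prefix is the victim's hostname, with the attacker's real
 * domain after an embedded NUL. sizeof() counts the string terminator,
 * so the DER-style length is sizeof - 1 = 30 bytes. */
static const uint8_t CN_WITH_NUL[] = "www.bank.example\0.evil.example";
static const size_t CN_WITH_NUL_LEN = sizeof(CN_WITH_NUL) - 1;

/* Flawed pattern behind the CVE-2009-2408 family: the CN is treated as a
 * NUL-terminated C string, so strcmp stops at the embedded NUL and
 * "www.bank.example\0.evil.example" compares equal to "www.bank.example". */
bool cn_matches_naive(const uint8_t *cn, size_t cn_len, const char *host) {
    (void)cn_len; /* the length from the DER encoding is simply ignored */
    return strcmp((const char *)cn, host) == 0;
}

/* Simplified IP-literal detector (assumption for this example: dotted
 * decimal IPv4, or any string containing ':' for IPv6). */
static bool is_ip_literal(const char *host) {
    if (strchr(host, ':') != NULL) return true;
    for (const char *p = host; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p) && *p != '.') return false;
    return true;
}

/* Case-insensitive comparison of two byte spans with explicit lengths. */
static bool span_ieq(const uint8_t *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

/* Hardened check: the DER length is authoritative, embedded NULs are
 * rejected outright, a wildcard never applies to an IP address and may
 * only stand for the entire leftmost label. */
bool cn_matches_host(const uint8_t *cn, size_t cn_len, const char *host) {
    if (cn_len == 0 || host[0] == '\0') return false;
    if (memchr(cn, '\0', cn_len) != NULL) return false;    /* CVE-2009-2408 class */

    size_t host_len = strlen(host);
    bool has_wildcard = memchr(cn, '*', cn_len) != NULL;

    if (has_wildcard && is_ip_literal(host)) return false;  /* CVE-2010-5076 class */
    if (!has_wildcard) return span_ieq(cn, cn_len, host, host_len);

    /* Wildcard form must be exactly "*." followed by at least two labels. */
    if (cn_len < 2 || cn[0] != '*' || cn[1] != '.') return false;
    const uint8_t *suffix = cn + 2;
    size_t suffix_len = cn_len - 2;
    if (memchr(suffix, '.', suffix_len) == NULL) return false; /* rejects "*.com" */
    if (memchr(suffix, '*', suffix_len) != NULL) return false; /* one wildcard only */

    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host) return false;               /* host needs a leftmost label */
    const char *host_suffix = dot + 1;
    return span_ieq(suffix, suffix_len, host_suffix,
                    host_len - (size_t)(host_suffix - host));
}

int main(void) {
    const char *host = "www.bank.example";
    printf("naive strcmp check : %s\n",
           cn_matches_naive(CN_WITH_NUL, CN_WITH_NUL_LEN, host) ? "ACCEPTED (spoofed)" : "rejected");
    printf("length-aware check : %s\n",
           cn_matches_host(CN_WITH_NUL, CN_WITH_NUL_LEN, host) ? "accepted" : "rejected");
    printf("*.bank.example vs www.bank.example : %s\n",
           cn_matches_host((const uint8_t *)"*.bank.example", 14, host) ? "accepted" : "rejected");
    printf("*.1.2.3 vs 10.1.2.3 : %s\n",
           cn_matches_host((const uint8_t *)"*.1.2.3", 7, "10.1.2.3") ? "accepted" : "rejected");
    return 0;
}
```

The point of the two functions side by side is that the byte string is identical in both; only the decision to trust the DER length instead of the first NUL changes the outcome. Real clients should prefer subjectAltName dNSName entries over the CN entirely, which is the other half of what the HttpClient entries (CVE-2012-6153) are about.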