18 matches found

Snyk
added 2026/05/20 3:35 p.m. · 7 views

User Impersonation

Overview: symfony/security-http provides the infrastructure for sophisticated authorization systems, which makes it possible to separate the actual authorization logic from so-called user providers that hold the users' credentials. Affected versions of this package are vulnerable to User...

CVSS 8.5 · AI score 5.9 · EPSS 0.00054
Exploits: 0 · References: 2
OSV
added 2023/07/01 11:05 a.m. · 2 views

OESA-2023-1391 bouncycastle security update

A Java implementation of cryptographic algorithms. Security Fixes: A flaw was found in Bouncy Castle 1.73. This issue relates to the handling of LDAP wildcards. Before the fix there was no validation of the X.500 name of any certificate, subject, or issuer, so the presence of a wildcard may lead to...

CVSS 5.3 · AI score 6.3 · EPSS 0.00326
Exploits: 0 · References: 2
SUSE CVE
added 2023/02/15 6:13 a.m. · 4 views

SUSE CVE-2006-7246

NetworkManager 0.9.x does not pin a certificate's subject to an ESSID when 802.11X authentication is used...

CVSS 6.8 · AI score 7.1 · EPSS 0.00143
Exploits: 1 · References: 9
SUSE CVE
added 2023/02/15 5:53 a.m. · 3 views

SUSE CVE-2011-1429

Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766...

CVSS 5.8 · AI score 8.9 · EPSS 0.00324
Exploits: 0 · References: 3
Tenable Nessus
added 2022/11/08 12:00 a.m. · 34 views

RHEL 8 : nodejs:14 (RHSA-2022:7830)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7830 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

CVSS 8.2 · AI score 7.4 · EPSS 0.03694
Exploits: 3 · References: 13
RedHat Linux
added 2022/10/19 10:12 a.m. · 0 views

nodejs: Incorrect handling of certificate subject and issuer fields

A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries...

CVSS 5.3 · AI score 7.4 · EPSS 0.00364
Exploits: 1 · References: 5
Tenable Nessus
added 2022/10/19 12:00 a.m. · 50 views

RHEL 7 : rh-nodejs14-nodejs (RHSA-2022:7044)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7044 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

CVSS 9.8 · AI score 7.3 · EPSS 0.03694
Exploits: 4 · References: 15
RedHat Linux
added 2022/06/06 9:29 a.m. · 1 view

nodejs: Incorrect handling of certificate subject and issuer fields

A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries...

CVSS 5.3 · AI score 7.4 · EPSS 0.00364
Exploits: 1 · References: 5
Microsoft CVE
added 2022/03/05 8:00 a.m. · 2 views

Node.js < 12.22.9, < 14.18.3, < 16.13.2 and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses Node's ambiguous presentation of certificate subjects may be vulnerable.

...

CVSS 5.3 · AI score 6.7 · EPSS 0.00364
Exploits: 1
OSV
added 2022/02/24 7:15 p.m. · 2 views

DEBIAN-CVE-2021-44533

Node.js 12.22.9, 14.18.3, 16.13.2, and 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in...

CVSS 5.3 · AI score 6.4 · EPSS 0.00364
Exploits: 1 · References: 1
Prion
added 2022/02/24 7:15 p.m. · 19 views

Code injection

Node.js 12.22.9, 14.18.3, 16.13.2, and 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in...

CVSS 5 · AI score 6.2 · EPSS 0.00364
Exploits: 1 · References: 6 · Affected Software: 9
Positive Technologies
added 2020/01/24 12:00 a.m. · 5 views

PT-2022-1546 · Node.Js +7 · Node.Js +7

Name of the Vulnerable Software and Affected Versions: Node.js versions prior to 12.22.9; Node.js versions prior to 14.18.3; Node.js versions prior to 16.13.2; Node.js versions prior to 17.3.1. Description: The issue is related to errors in the certificate authentication procedure, specifically with...

CVSS 10 · AI score 6.5 · EPSS 0.92
Exploits: 78 · References: 752
UbuntuCve
added 2017/08/28 3:29 p.m. · 19 views

CVE-2015-0210

wpasupplicant 2.0-16 does not properly check certificate subject name, which allows remote attackers to cause a man-in-the-middle attack...

CVSS 5.9 · AI score 6.3 · EPSS 0.00301
Exploits: 1 · References: 1
NVD
added 2017/08/28 3:29 p.m. · 11 views

CVE-2015-0210

wpasupplicant 2.0-16 does not properly check certificate subject name, which allows remote attackers to cause a man-in-the-middle attack...

CVSS 5.9 · AI score 5.6 · EPSS 0.00301
Exploits: 1 · References: 2
CVE
added 2017/08/28 3:00 p.m. · 59 views

CVE-2015-0210

CVE-2015-0210 affects wpa_supplicant 2.0-16 and involves improper validation of the server certificate subject name, enabling remote MITM risk. Multiple connected sources (SUSE SUSE-SU-2018:1659-1, CNVD/CVEs, NVD entry) corroborate a vulnerability in wpa_supplicant 2.0-16 and describe the issue a...

CVSS 5.9 · AI score 5.5 · EPSS 0.00301
Exploits: 1 · References: 2 · Affected Software: 1
OSV
added 2011/03/16 10:55 p.m. · 1 view

DEBIAN-CVE-2011-1429

Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766...

CVSS 5.8 · AI score 7.1 · EPSS 0.00324
Exploits: 0 · References: 1
OSV
added 2011/03/16 10:55 p.m. · 2 views

UBUNTU-CVE-2011-1428

Wee Enhanced Environment for Chat aka WeeChat 0.3.4 and earlier does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL chat server via an arbitrary certificate, related to incorrect...

CVSS 5.8 · AI score 5.9 · EPSS 0.00165
Exploits: 1 · References: 2
RedHat Linux
added 2009/07/30 10:20 p.m. · 6 views

firefox/nss: doesn't handle NULL in Common Name properly

Mozilla Network Security Services NSS before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name CN field of an X.509 certificate, which allows man-in-the-middle attackers to...

CVSS 6.8 · AI score 7 · EPSS 0.01855
Exploits: 4 · References: 4