12 matches found
ALPINE-CVE-2026-11564
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA...
CVE-2026-11564
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA...
CVE-2026-11564
CVE-2026-11564 (libcurl) describes an issue where libcurl keeps previously used connections in a pool and may continue trusting the native CA store after an application switches a handle to custom CA material for a later transfer. The connected sources confirm this behavior across multiple feeds ...
Native CA trust persist
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA...
PT-2026-51741
Name of the Vulnerable Software and Affected Versions libcurl affected versions not specified Description An issue exists in the certificate authentication procedure where the library maintains a connection pool for reusing connections in subsequent transfers. If a handle initially uses the defau...
curl: Schannel custom-CA path skips Extended Key Usage enforcement
Hi all, We believe the Schannel custom-CA verification path in lib/vtls/schannelverify.c may skip Extended Key Usage enforcement. In particular, a certificate that chains to the trusted custom CA but contains only id-kp-clientAuth, rather than id-kp-serverAuth, may pass peer verification on Windo...
Understanding Student Experiences with TLS Client Authentication
Mutual TLS mTLS provides strong, certificate-based authentication for both clients and servers, yet its adoption for user-facing websites remains rare. This paper presents a longitudinal study of mTLS usability, tracking 46 senior and graduate computer science students who configured client...
CVE-2026-27134 Strimzi: All CAs from a custom CA chain consisting of multiple CAs are trusted for mTLS user autentication
Strimzi provides a way to run an Apache Kafka cluster on Kubernetes or OpenShift in various deployment configurations. In versions 0.49.0 through 0.50.0, when using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs, Strimzi incorrectly configures the trusted...
CVE-2025-9708 Kubernetes C# Client: improper certificate validation in custom CA mode may lead to man-in-the-middle attacks
A vulnerability exists in the Kubernetes C client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority CA without properly verifying the trust chain. This flaw allows a malicious actor to present a forged certificate and potentially...
Kubernetes C# Client: improper certificate validation in custom CA mode may lead to man-in-the-middle attacks
CVSS Rating: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N — Medium 6.8 A vulnerability exists in the Kubernetes C client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority CA without properly verifying the trust chain. This flaw allows ...
CVE-2022-0759
A flaw was found in all versions of kubeclient up to but not including v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up accepting any certificate it wrongly returns...
CVE-2017-2639
It was found that CloudForms does not verify that the server hostname matches the domain name in the certificate when using a custom CA and communicating with Red Hat Virtualization RHEV and OpenShift. This would allow an attacker to spoof RHEV or OpenShift systems and potentially harvest sensiti...