483 matches found
python: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns
A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate,...
IBM Rational ClearCase Unauthorized Operation Vulnerability
IBM Rational ClearCase is a suite of software configuration management solutions from IBM in the United States. The solution provides version control, workspace management, parallel development support and build auditing. A security vulnerability exists in IBM Rational ClearCase that stems from t...
Proxmox VE Insecure Hostname Checking Vulnerability
Proxmox VE Proxmox Virtual Environment is an environment with integrated OPENVZ support for KVM applications. Since Proxmox VE fails to validate the "hostname" parameter provided by the user, CRLF injection is able to overwrite the configuration file. Attackers are able to obtain user credentials...
mysql: ssl-validate-cert incorrect hostname check
It was found that the MariaDB client library did not properly check host names against server identities noted in the X.509 certificates when establishing secure connections using TLS/SSL. A man-in-the-middle attacker could possibly use this flaw to impersonate a server to a client...
Design/Logic Flaw
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original...
RubyGems Redirection Vulnerability
RubyGems is a Ruby package manager from the RubyGems organization, which is used to distribute and manage Ruby packages. RubyGems programs fail to validate hostnames when fetching gem or constructing API requests, allowing remote attackers to submit specially crafted DNS SRV records to redirect...
DEBIAN-CVE-2015-3900
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."...
CVE-2015-3900
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."...
CVE-2015-3900
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."...
CVE-2015-1376
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com...
Code injection
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com...
PYSEC-2014-94
PyWBEM 0.7 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...
MGASA-2014-0133 Updated lighttpd package fixes security vulnerabilities
SQL injection vulnerability in lighttpd before 1.4.35 when modmysqlvhost is in use, due to insufficient validation of hostnames in HTTP requests CVE-2014-2323. Possible path traversal vulnerabilities in lighttpd before 1.4.35 when either modevhost or modsimplevhost are in use, due to insufficient...
CVE-2014-1263
curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate when accessing a...
CVE-2013-3109
SSL vaildation failed to validate hostnames...
UBUNTU-CVE-2013-3109
SSL vaildation failed to validate hostnames...
Code injection
Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools Java library and other products, does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof...
PT-2012-6129 · Codehaus · Xfire
Name of the Vulnerable Software and Affected Versions: Codehaus XFire versions 1.2.6 and earlier Description: The issue allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate because it does not verify that the server hostname matches a domain name in the...
CVE-2011-0633
The Net::HTTPS module in libwww-perl LWP before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof...
HylaFAX hfaxd unauthorized fax access
During authorization of fax access by hostname, hostname sent by remote side is used...