Lucene search
K

147 matches found

OSV
OSV
added 2022/08/01 7:50 p.m.22 views

CVE-2022-31183 mTLS client verification is skipped in fs2 on Node.js

fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. fs2-io running on...

9.1CVSS9AI score0.00641EPSS
Exploits1References5
GitLab Advisory Database
GitLab Advisory Database
added 2022/08/01 12:0 a.m.34 views

Improper Certificate Validation

fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. fs2-io running on...

9.8CVSS3.2AI score0.00641EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2022/08/01 12:0 a.m.22 views

Improper Certificate Validation

fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. fs2-io running on...

9.8CVSS3.2AI score0.00641EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2022/08/01 12:0 a.m.40 views

Improper Certificate Validation

fs2 is a compositional, streaming I/O library for Scala. When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. fs2-io running on...

9.8CVSS3.2AI score0.00641EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2022/07/29 10:24 p.m.54 views

fs2-io skips mTLS client verification

Impact When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. fs2-io running on Node.js. The JVM TLS implementation is completely...

9.8CVSS9.1AI score0.00641EPSS
Exploits1References7Affected Software6
GitLab Advisory Database
GitLab Advisory Database
added 2022/07/29 12:0 a.m.68 views

fs2-io skips mTLS client verification

Impact When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. fs2-io running on Node.js. The JVM TLS implementation is completely...

9.8CVSS1AI score0.00641EPSS
Exploits1References5Affected Software1
Prion
Prion
added 2022/07/06 12:15 p.m.22 views

Design/Logic Flaw

The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the device. However, it listens on all network interfaces instead o...

3.3CVSS5AI score0.00224EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2022/07/06 11:12 a.m.39 views

CVE-2022-32290

The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access Control. It listens on a random, unprivileged TCP port and exposes an HTTP proxy to facilitate API calls from additional client components running on the device. However, it listens on all network interfaces instead o...

5.3AI score0.00224EPSS
Exploits0References2
CVE
CVE
added 2022/07/06 11:12 a.m.418 views

CVE-2022-32290

CVE-2022-32290 affects Northern.tech Mender client versions 3.2.0–3.2.2. The issue is incorrect access control where the Mender Client exposes an HTTP proxy on a non-localhost TCP port across all network interfaces. This allows any device on the same network to connect to the proxy and forward AP...

4.3CVSS5AI score0.00224EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2022/02/16 10:30 p.m.56 views

Skip the router TLS configuration when the host header is an FQDN

Impact People that configure mTLS between Traefik and clients. For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. - When sending a request using FQDN handled by a router configured with a dedicated TLS...

7.5CVSS7.4AI score0.01688EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2022/02/16 10:30 p.m.118 views

GHSA-HRHX-6H34-J5HC Skip the router TLS configuration when the host header is an FQDN

Impact People that configure mTLS between Traefik and clients. For a request, the TLS configuration choice can be different than the router choice, which implies the use of a wrong TLS configuration. - When sending a request using FQDN handled by a router configured with a dedicated TLS...

7.4CVSS7.4AI score0.01688EPSS
Exploits0References6
NVD
NVD
added 2021/07/09 9:15 p.m.22 views

CVE-2021-36371

Emissary-Ingress formerly Ambassador API Gateway through 1.13.9 allows attackers to bypass client certificate requirements i.e., mTLS certrequired on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate...

4.3CVSS0.00738EPSS
Exploits1References2
OSV
OSV
added 2021/07/09 9:15 p.m.10 views

CVE-2021-36371

Emissary-Ingress formerly Ambassador API Gateway through 1.13.9 allows attackers to bypass client certificate requirements i.e., mTLS certrequired on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate...

3.7CVSS6.8AI score
Exploits0References2
Prion
Prion
added 2021/07/09 9:15 p.m.12 views

Design/Logic Flaw

Emissary-Ingress formerly Ambassador API Gateway through 1.13.9 allows attackers to bypass client certificate requirements i.e., mTLS certrequired on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate...

4.3CVSS4.3AI score0.00738EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2021/07/09 8:19 p.m.79 views

CVE-2021-36371

CVE-2021-36371 is reported for Emissary-Ingress (formerly Ambassador API Gateway). The vulnerability allows bypassing client certificate requirements (mTLS cert_required) on backend upstreams when more than one TLSContext exists and any configuration does not require client cert authentication. T...

4.3CVSS4.3AI score0.00738EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2021/05/18 6:20 p.m.43 views

Improper Certificate Validation in HashiCorp Nomad

HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3...

9.8CVSS9AI score0.00983EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2020/07/14 10:5 p.m.85 views

CVE-2020-15104

CVE-2020-15104 describes a TLS certificate validation issue in Envoy prior to 1.12.6, 1.13.4, 1.14.4, and 1.15.0 where a wildcard DNS SAN could apply to multiple subdomains, e.g., *.example.com allowing nested.subdomain.example.com instead of only subdomain.example.com. The defect affects both cl...

5.5CVSS5.2AI score0.00252EPSS
Exploits0References1Affected Software1
Veracode
Veracode
added 2020/02/03 4:13 a.m.17 views

Privilege Escalation

github.com/hashicorp/nomad is vulnerable to privilege escalation. The role and region associated with TLS certificates that are used for the mTLS RPC are not properly validated, allowing an attacker to obtain unauthorized access with a malicious TLS certificate...

9.8CVSS5.1AI score0.00983EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2020/01/31 1:15 p.m.24 views

CVE-2020-7956

HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3...

9.8CVSS9.6AI score0.00983EPSS
Exploits0References2
OSV
OSV
added 2020/01/31 1:15 p.m.18 views

CVE-2020-7956

HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly validated role/region associated with TLS certificates used for mTLS RPC, and were susceptible to privilege escalation. Fixed in 0.10.3...

9.8CVSS6.8AI score
Exploits0References2
Rows per page
Query Builder