10 matches found
Security Bulletin: IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a man-in-the-middle vulnerability in RFC7250 Raw Public Keys [CVE-2024-12797]
Summary IBM Watson Speech Services Cartridge v4.8.8 is vulnerable to a man-in-the-middle vulnerability in RFC7250 Raw Public Keys (RPKs), due to server authentication failure which is susceptible to man-in-the-middle attack CVE-2024-12797. RFC7250 Raw Public Keys are used in our Speech service...
K000151201: OpenSSL vulnerability CVE-2024-12797
Security Advisory Description Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS...
Security Bulletin: IBM Maximo Application Suite - IoT uses cryptography-44.0.0-cp39-abi3-manylinux_2_28_x86_64.whl which is vulnerable to CVE-2024-12797.
Summary IBM Maximo Application Suite - IoT uses cryptography-44.0.0-cp39-abi3-manylinux_2_28_x86_64.whl which is vulnerable to CVE-2024-12797. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID: CVE-2024-12797 DESCRIPTION: Issue summary: Clients...
ROS-20250226-16
SSL_VERIFY_PEER mode vulnerability in the OpenSSL cryptographic library is related to the lack of a mechanism to notify the user when a communication session is established. Exploitation of the vulnerability could allow an attacker acting remotely to realize a man-in-the-middle attack during a...
CVE-2024-12797
Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections using raw public keys m...
CVE-2024-12797
Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections using raw public keys m...
CVE-2024-12797 RFC7250 handshakes with unauthenticated servers don't abort as expected
Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections using raw public keys m...
CVE-2024-12797 RFC7250 handshakes with unauthenticated servers don't abort as expected
Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections using raw public keys m...
CVE-2024-32928
CVE-2024-32928 relates to libcurl where CURLOPT_SSL_VERIFYPEER was disabled on a subset of requests from Nest production devices, enabling potential MITM attacks on traffic to Google Cloud Services. Connected documents confirm the issue is tied to Nest devices and libcurl behavior, with some sour...
GHSA-3Q49-H8F9-9FR9 Missing TLS certificate verification
Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by...