40 matches found
DEBIAN-CVE-2026-42790
Improper Certificate Validation vulnerability in Erlang OTP publickey pubkeycert and publickey modules allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted e.g...
EEF-CVE-2026-42790 nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification
Summary Improper Certificate Validation vulnerability in Erlang OTP public\key pubkey\cert and public\key modules allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted...
CLEANSTART-2026-IG94553 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
Multiple security vulnerabilities affect the helm-fips package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...
CLEANSTART-2026-ON55906 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
Multiple security vulnerabilities affect the mongodb package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...
CLEANSTART-2026-TL71584 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
Multiple security vulnerabilities affect the helm-fips package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...
CLEANSTART-2026-PH90623 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
Multiple security vulnerabilities affect the prometheus-operator-fips package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...
Medium: nerdctl
Issue Overview: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not...
OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs
When OpenTofu is acting as a TLS client authenticating a certificate chain provided by a TLS server, an excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com...
CVE-2025-59150 Suricata: Keyword tls.subjectaltname can lead to NULL-ptr deref
Suricata is a network IDS, IPS and NSM engine developed by the OISF Open Information Security Foundation and the Suricata community. Version 8.0.0's usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed i...
An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though).
...
ALPINE-CVE-2024-34702
Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and name constraints...
SUSE CVE-2008-2809
Mozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 2.0.0.15, SeaMonkey 1.1.5 and other versions before 1.1.10, Netscape 9.0, and other Mozilla-based web browsers, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regard the certificate as also...
SUSE CVE-2010-1194
The matchcomponent function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attackers to spoof trusted certificates via a crafted subjectAltName...
SUSE CVE-2012-5662
x3270 before 3.3.12ga12 does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...
SUSE CVE-2013-0308
The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...
SUSE CVE-2013-6444
PyWBEM 0.7 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...
SUSE CVE-2014-3577
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows...
SUSE CVE-2014-3596
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subjec...
SUSE CVE-2020-36477
An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name the cn argument of mbedtlsx509crtverify with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to an...
DEBIAN-CVE-2020-36477
An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name the cn argument of mbedtlsx509crtverify with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to an...