40 matches found

OSV | added 2026/05/27 5:16 p.m.

DEBIAN-CVE-2026-42790

Improper Certificate Validation vulnerability in Erlang OTP public_key pubkey_cert and public_key modules allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted e.g...

CVSS 8.1 | AI score 5.8 | EPSS 0.00338 | Exploits 0 | References 1
OSV | added 2026/05/27 3:09 p.m.

EEF-CVE-2026-42790 nameConstraints DNS bypass via subject CommonName fallback in public_key hostname verification

Summary: Improper Certificate Validation vulnerability in Erlang OTP public_key pubkey_cert and public_key modules allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted...

CVSS 7.6 | AI score 7 | EPSS 0.00338 | Exploits 0 | References 6
OSV | added 2026/02/25 12:49 a.m.

CLEANSTART-2026-IG94553 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate

Multiple security vulnerabilities affect the helm-fips package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...

CVSS 9.8 | AI score 5.8 | EPSS 0.00626 | Exploits 2 | References 21
OSV | added 2026/01/30 4:26 p.m.

CLEANSTART-2026-ON55906 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate

Multiple security vulnerabilities affect the mongodb package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...

CVSS 9.8 | AI score 5.6 | EPSS 0.83007 | Exploits 39 | References 7
OSV | added 2026/01/30 3:23 p.m.

CLEANSTART-2026-TL71584 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate

Multiple security vulnerabilities affect the helm-fips package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...

CVSS 9.8 | AI score 5.6 | EPSS 0.00459 | Exploits 2 | References 9
OSV | added 2026/01/30 2:49 p.m.

CLEANSTART-2026-PH90623 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate

Multiple security vulnerabilities affect the prometheus-operator-fips package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...

CVSS 9.8 | AI score 5.6 | EPSS 0.00459 | Exploits 2 | References 7
Amazon | added 2026/01/05 12:00 a.m.

Medium: nerdctl

Issue Overview: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example, a constraint that excludes the subdomain test.example.com does not...

CVSS 7.5 | AI score 6.9 | EPSS 0.00459 | Exploits 2
Github Security Blog | added 2025/12/09 10:48 p.m.

OpenTofu incorrectly validates excluded subdomain constraint in conjunction with TLS certificates containing wildcard SANs

When OpenTofu is acting as a TLS client authenticating a certificate chain provided by a TLS server, an excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example, a constraint that excludes the subdomain test.example.com...

CVSS 6.5 | AI score 6.9 | EPSS 0.00274 | Exploits 0 | References 5 | Affected Software 1
OSV | added 2025/10/01 8:23 p.m.

CVE-2025-59150 Suricata: Keyword tls.subjectaltname can lead to NULL-ptr deref

Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0's usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. This issue is fixed i...

CVSS 7.5 | AI score 6.4 | EPSS 0.00492 | Exploits 1 | References 8
Microsoft CVE | added 2025/09/03 10:03 p.m.

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjectAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though).

...

CVSS 5.9 | AI score 7 | EPSS 0.00832 | Exploits 0
OSV | added 2024/07/08 5:15 p.m.

ALPINE-CVE-2024-34702

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to 3.5.0 and 2.19.5, checking name constraints in X.509 certificates is quadratic in the number of names and name constraints...

CVSS 5.3 | AI score 6.8 | EPSS 0.00845 | Exploits 0 | References 1
SUSE CVE | added 2023/02/15 6:07 a.m.

SUSE CVE-2008-2809

Mozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 2.0.0.15, SeaMonkey 1.1.5 and other versions before 1.1.10, Netscape 9.0, and other Mozilla-based web browsers, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regard the certificate as also...

CVSS 4 | AI score 6.6 | EPSS 0.0124 | Exploits 1 | References 5
SUSE CVE | added 2023/02/15 5:59 a.m.

SUSE CVE-2010-1194

The matchcomponent function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attackers to spoof trusted certificates via a crafted subjectAltName...

CVSS 6.8 | AI score 7 | EPSS 0.01176 | Exploits 0 | References 4
SUSE CVE | added 2023/02/15 5:43 a.m.

SUSE CVE-2012-5662

x3270 before 3.3.12ga12 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

CVSS 5.8 | AI score 6.9 | EPSS 0.00621 | Exploits 0 | References 3
SUSE CVE | added 2023/02/15 5:42 a.m.

SUSE CVE-2013-0308

The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

CVSS 4.3 | AI score 7 | EPSS 0.01661 | Exploits 0 | References 4
SUSE CVE | added 2023/02/15 5:34 a.m.

SUSE CVE-2013-6444

PyWBEM 0.7 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate...

CVSS 5.8 | AI score 6.9 | EPSS 0.00907 | Exploits 0 | References 3
SUSE CVE | added 2023/02/15 5:28 a.m.

SUSE CVE-2014-3577

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows...

CVSS 6.5 | AI score 6.8 | EPSS 0.09149 | Exploits 1 | References 8
SUSE CVE | added 2023/02/15 5:28 a.m.

SUSE CVE-2014-3596

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subjec...

CVSS 6.5 | AI score 7.7 | EPSS 0.05806 | Exploits 0 | References 8
SUSE CVE | added 2023/02/15 3:50 a.m.

SUSE CVE-2020-36477

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjectAltName extension is present, the expected name is compared to an...

CVSS 5.9 | AI score 5.6 | EPSS 0.00832 | Exploits 0 | References 3
OSV | added 2021/08/23 2:15 a.m.

DEBIAN-CVE-2020-36477

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjectAltName extension is present, the expected name is compared to an...

CVSS 5.9 | AI score 5.9 | EPSS 0.00832 | Exploits 0 | References 1