30 matches found
Improper Certificate Validation
Caddy is vulnerable to Improper Certificate Validation. The vulnerability is due to swallowed errors in ClientAuthentication.provision, where failures loading trustedcacertfile or trustedcacertspemfiles are ignored, causing mTLS authentication to fail open and accept any client certificate signed...
CVE-2026-33248
A flaw was found in NATS-Server, a high-performance messaging system. When configured to use mutual Transport Layer Security mTLS for client identity, and specifically the verifyandmap feature, certain patterns within a client certificate's Subject Distinguished Name DN were not correctly enforce...
CVE-2026-33248
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with verifyandmap to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be...
CVE-2026-33248 NATS has mTLS verify_and_map authentication bypass via incorrect Subject DN matching
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with verifyandmap to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be...
CVE-2026-33248
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using mTLS for client identity, with verifyandmap to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to use of P256 certificates. An attacker can evade blocklist enforcement by exploiting ECDSA signature malleability to generate a certificate with a different fingerprint, allowing us...
Blocklist Bypass possible via ECDSA Signature Malleability
Impact When using P256 certificates which is not the default configuration, it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. In order for this to affect a...
GHSA-69X3-G4R3-P962 Blocklist Bypass possible via ECDSA Signature Malleability
Impact When using P256 certificates which is not the default configuration, it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. In order for this to affect a...
Improper Authentication
Elasticsearch is vulnerable to Improper Authentication. The vulnerability is due to insufficient validation of client certificates in the PKI realm, which allows an attacker with a specially crafted certificate signed by a trusted CA to impersonate other users...
CVE-2025-37731
A flaw was found in Elasticsearch. This vulnerability allows user impersonation via specially crafted client certificates signed by a legitimate, trusted Certificate Authority CA. Mitigation To reduce the risk of exploitation, ensure that the Certificate Authority CA used for the Elasticsearch PK...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation via the PKI realm. An attacker can impersonate other users by presenting specially crafted client certificates signed by a trusted Certificate Authority. Note: This is only exploitable if the attacker...
Improper Certificate Validation
Overview org.elasticsearch.plugin:x-pack-security is an Elasticsearch Expanded Pack Plugin - Security Affected versions of this package are vulnerable to Improper Certificate Validation via the PKI realm. An attacker can impersonate other users by presenting specially crafted client certificates...
UBUNTU-CVE-2025-37731
Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority...
EUVD-2025-203360
Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority...
CVE-2025-37731 Elasticsearch Improper Authentication
Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority...
PT-2025-51212
Name of the Vulnerable Software and Affected Versions Elasticsearch affected versions not specified Description A flaw exists in the PKI realm authentication process within Elasticsearch. This issue allows a malicious actor to impersonate users by presenting a specially crafted client certificate...
Incorrect Permission Assignment for Critical Resource
Overview Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource due to the virt-api component failing to validate the CN field in client TLS certificates against allowed values in the extension-apiserver-authentication configmap. An attacker can...
CVE-2025-7395
A certificate verification error in wolfSSL when building with the WOLFSSLSYSCACERTS and WOLFSSLAPPLENATIVECERTVALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardles...
wolfSSL(CyaSSL) 安全漏洞
wolfSSL CyaSSL is a small, portable embedded SSL programming library for use by embedded systems developers from wolfSSL, Inc. in the United States. A security vulnerability exists in wolfSSL CyaSSL that stems from a certificate validation error that could cause a client to accept a certificate...
PVS Server Down In Console After Upgrade to 2402CU1
After upgrading the first PVS Server in the FARM to 2402 CU1 and running the Configuration Wizard the PVS Server appears down in the console. The Configuration Wizard completes with errors. The following is one example found in the AOT logs:...