25 matches found
CVE-2026-10592
Certificates with wildcard DNS SANs e.g. .example.com bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted...
UBUNTU-CVE-2026-10592
Certificates with wildcard DNS SANs e.g. .example.com bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted...
CVE-2026-10592 Wildcard DNS SAN bypasses CA name-constraint checks
Certificates with wildcard DNS SANs e.g. .example.com bypassed CA name-constraint checks. A certificate with a wildcard DNS SAN that should be rejected by the issuing CA's permitted/excluded DNS name constraints could be accepted...
CVE-2026-10592
CVE-2026-10592 concerns certificates with wildcard DNS SANs (e.g., *.example.com) bypassing CA name-constraint checks. A wildcard SAN that should be rejected by the issuing CA’s permitted/excluded DNS name constraints could be accepted, enabling potential mis-issuance. The provided documents refe...
EUVD-2026-27655
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting .example.com, any XYZ.example.com where xyz is a valid name can be used...
BIT-GOLANG-2026-33810 Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the...
CVE-2026-33810
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the...
CVE-2026-33810 Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the...
CVE-2026-33810
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the...
CVE-2026-33810
CVE-2026-33810 affects the Go crypto/x509 certificate chain validation. The issue occurs when verifying a chain with excluded DNS constraints: constraints are not consistently applied to wildcard DNS SANs if the SANs’ case differs from the constraint, which can affect validation of otherwise trus...
Improper Handling of Case Sensitivity
Overview std/crypto/x509 is a Go standard library package std/crypto/x509 Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity. Go Vulnerability Report: When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly...
CLEANSTART-2026-PK62208 excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate
Multiple security vulnerabilities affect the stakater-reloader-fips package. An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. See references for individual vulnerability details...
Medium: golang
Issue Overview: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not...
Medium: oci-add-hooks
Issue Overview: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not...
Medium: nerdctl
Issue Overview: crypto/x509: excluded subdomain constraint does not restrict wildcard SANs An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not...
CVE-2025-61727 Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN .example.com...
CLSA-2023-1688070599 Fix CVE(s): CVE-2023-28322, CVE-2023-28321
SECURITY UPDATE: More POST-after-PUT confusion - debian/patches/CVE-2023-28322.patch: fix mess in upload/method handling - CVE-2023-28322 SECURITY UPDATE: incorrect IDN wildcard match - debian/patches/CVE-2023-28321.patch: fix erroneous logic in wildcard handling, drop support for wildcards in th...
PT-2022-27857 · Mastodon · Mastodon
Name of the Vulnerable Software and Affected Versions: Mastodon versions through 4.0.2 Description: The issue allows attackers to cause a denial of service by creating bot accounts that follow attacker-controlled accounts on certain other servers associated with a wildcard DNS A record, resulting...
Mastodon 安全漏洞
Mastodon is an open source social networking server based on ActivityPub. A security vulnerability exists in Mastodon 4.0.2 and prior versions, which stems from a vulnerability that allows an attacker to cause a denial of service long Sidekiq pull queue by creating a bot account that follows an...
CVE-2014-0350
The Poco::Net::X509Certificate::verify method in the NetSSL library in POCO C++ Libraries before 1.4.6p4 allows man-in-the-middle attackers to spoof SSL servers via crafted DNS PTR records that are requested during comparison of a server name to a wildcard domain name in an X.509 certificate...