Vulnerabilities (CVE)

Filtered by CWE-295
Total 1411 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-45197 1 Slixmpp Project 1 Slixmpp 2026-06-17 N/A 7.5 HIGH
Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp.
CVE-2022-45100 1 Dell 1 Emc Powerscale Onefs 2026-06-17 N/A 8.1 HIGH
Dell PowerScale OneFS, versions 8.2.x-9.3.x, contains an Improper Certificate Validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to a full compromise of the system.
CVE-2022-43892 3 Apple, Ibm, Microsoft 3 Macos, Security Verify Privilege On-premises, Windows 2026-06-17 N/A 3.7 LOW
IBM Security Verify Privilege On-Premises 11.5 does not validate, or incorrectly validates, a certificate which could disclose sensitive information which could aid further attacks against the system. IBM X-Force ID: 240455.
CVE-2022-43705 1 Botan Project 1 Botan 2026-06-17 N/A 9.1 CRITICAL
In Botan before 2.19.3, it is possible to forge OCSP responses due to a certificate verification error. This issue was introduced in Botan 1.11.34 (November 2016).
CVE-2022-42979 1 Rydesharing 1 Ryde 2026-06-17 N/A 8.8 HIGH
Information disclosure due to an insecure hostname validation in the RYDE application 5.8.43 for Android and iOS allows attackers to take over an account via a deep link.
CVE-2022-42813 1 Apple 5 Ipados, Iphone Os, Macos and 2 more 2026-06-17 N/A 9.8 CRITICAL
A certificate validation issue existed in the handling of WKWebView. This issue was addressed with improved validation. This issue is fixed in tvOS 16.1, iOS 16.1 and iPadOS 16, macOS Ventura 13, watchOS 9.1. Processing a maliciously crafted certificate may lead to arbitrary code execution.
CVE-2022-42131 1 Liferay 2 Digital Experience Platform, Liferay Portal 2026-06-17 N/A 4.8 MEDIUM
Certain Liferay products are affected by: Missing SSL Certificate Validation in the Dynamic Data Mapping module's REST data providers. This affects Liferay Portal 7.1.0 through 7.4.2 and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 17, and 7.3 before service pack 3.
CVE-2022-41747 2 Microsoft, Trendmicro 2 Windows, Apex One 2026-06-17 N/A 7.8 HIGH
An improper certification validation vulnerability in Trend Micro Apex One agents could allow a local attacker to load a DLL file with system service privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CVE-2022-41316 1 Hashicorp 1 Vault 2026-06-17 N/A 5.3 MEDIUM
HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.4, 1.10.7, and 1.9.10.
CVE-2022-41244 1 Jenkins 1 View26 Test-reporting 2026-06-17 N/A 8.1 HIGH
Jenkins View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.
CVE-2022-41243 1 Jenkins 1 Smalltest 2026-06-17 N/A 8.1 HIGH
Jenkins SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured View26 server that could be abused using a man-in-the-middle attack to intercept these connections.
CVE-2022-40620 1 Netgear 20 R6230, R6230 Firmware, R6260 and 17 more 2026-06-17 N/A 7.7 HIGH
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading update packages through its auto-update mechanism. An attacker (suitably positioned on the network) could intercept the update request and deliver a malicious update package in order to gain arbitrary code execution on affected devices. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26.
CVE-2022-40147 1 Siemens 1 Industrial Edge Management 2026-06-17 N/A 7.4 HIGH
A vulnerability has been identified in Industrial Edge Management (All versions < V1.5.1). The affected software does not properly validate the server certificate when initiating a TLS connection. This could allow an attacker to spoof a trusted entity by interfering in the communication path between the client and the intended server.
CVE-2022-3913 1 Rapid7 1 Nexpose 2026-06-17 N/A 5.3 MEDIUM
Rapid7 Nexpose and InsightVM versions 6.6.82 through 6.6.177 fail to validate the certificate of the update server when downloading updates. This failure could allow an attacker in a privileged position on the network to provide their own HTTPS endpoint, or intercept communications to the legitimate endpoint. The attacker would need some pre-existing access to at least one node on the network path between the Rapid7-controlled update server and the Nexpose/InsightVM application, and the ability to either spoof the update server's FQDN or redirect legitimate traffic to the attacker's server in order to exploit this vulnerability. Note that even in this scenario, an attacker could not normally replace an update package with a malicious package, since the update process validates a separate, code-signing certificate, distinct from the HTTPS certificate used for communication. This issue was resolved on February 1, 2023 in update 6.6.178 of Nexpose and InsightVM.
CVE-2022-3761 1 Openvpn 1 Connect 2026-06-17 N/A 5.9 MEDIUM
OpenVPN Connect versions before 3.4.0.4506 (macOS) and OpenVPN Connect before 3.4.0.3100 (Windows) allow man-in-the-middle attackers to intercept configuration profile download requests which contain the user's credentials.
CVE-2022-39948 1 Fortinet 2 Fortios, Fortiproxy 2026-06-17 N/A 4.8 MEDIUM
An improper certificate validation vulnerability [CWE-295] in FortiOS 7.2.0 through 7.2.3, 7.0.0 through 7.0.7, 6.4 all versions, 6.2 all versions, 6.0 all versions and FortiProxy 7.0.0 through 7.0.6, 2.0 all versions, 1.2 all versions may allow a remote and unauthenticated attacker to perform a Man-in-the-Middle attack on the communication channel between the FortiOS/FortiProxy device and remote servers hosting threat feeds (when the latter are configured as Fabric connectors in FortiOS/FortiProxy).
CVE-2022-39334 1 Nextcloud 1 Desktop 2026-06-17 N/A 3.9 LOW
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.
CVE-2022-39264 2 Fedoraproject, Nheko-reborn 2 Fedora, Nheko 2026-06-17 N/A 8.6 HIGH
nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable to homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu.
CVE-2022-39161 1 Ibm 1 Websphere Application Server 2026-06-17 N/A 4.8 MEDIUM
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and IBM WebSphere Application Server Liberty, when configured to communicate with the Web Server Plug-ins for IBM WebSphere Application Server, could allow an authenticated user to conduct spoofing attacks. A man-in-the-middle attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 235069.
CVE-2022-38666 1 Jenkins 1 Ns-nd Integration Performance Publisher 2026-06-17 N/A 7.5 HIGH
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features.