CVE-2023-5422

CRITICAL Year: 2023
CVSS v3 Score
9.1
Critical
Weakness Type
CWE-295
View all →

Vulnerability Description

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

Related Vulnerabilities

CVE-2014-8164

CRITICAL
CVSS:9.1(Critical)

A insecure configuration for certificate verification (http.verify_mode = OpenSSL::SSL::VERIFY_NONE) may lead to verification bypass in Red Hat CloudForms 5.x.

CWE-2952014

CVE-2017-17944

CRITICAL
CVSS:9.1(Critical)

The ASUS Vivobaby application before 1.1.09 for Android has Missing SSL Certificate Validation.

CWE-2952017

CVE-2017-17945

CRITICAL
CVSS:9.1(Critical)

The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.

CWE-2952017

CVE-2017-18911

CRITICAL
CVSS:9.1(Critical)

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.

CWE-2952017

CVE-2018-5926

CRITICAL
CVSS:9.1(Critical)

A potential vulnerability has been identified in HP Remote Graphics Software’s certificate authentication process version 7.5.0 and earlier.

CWE-2952018

CVE-2019-17560

CRITICAL
CVSS:9.1(Critical)

The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the downloa...

CWE-2952019