CWE-298
Improper Validation of Certificate Expiration
Bas
Draft
2006-07-19
00h00 +00:00
00h00 +00:00
2023-06-29
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Improper Validation of Certificate Expiration
A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
Description du CWE
When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.
Informations générales
Modes d'introduction
Implementation : When the software uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete.Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Plateformes applicables
Langue
Class: Not Language-Specific (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Integrity Other | Other Note: The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing. | |
| Authentication Other | Other Note: Trust afforded to the system in question - based on the expired certificate - may allow for spoofing attacks. |
Mesures d’atténuation potentielles
Phases : Architecture and DesignCheck for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
Phases : Implementation
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-18
The CLASP Application Security ProcessSecure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
REF-44
24 Deadly Sins of Software SecurityMichael Howard, David LeBlanc, John Viega.
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| CLASP | Draft 3 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Description, Name, Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Description, Other_Notes | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Relationships, Type | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Modes_of_Introduction, Relationships | |
| CWE Content Team | MITRE | updated Common_Consequences, Modes_of_Introduction, Potential_Mitigations, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Relationships, Time_of_Introduction | |
| CWE Content Team | MITRE | updated Mapping_Notes |
