This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.
| ID | Name | Description |
|---|---|---|
| CWE-296 | Improper Following of a Certificate's Chain of Trust | This vulnerability occurs when software fails to properly validate the entire certificate chain back to a trusted root authority. This mistake can cause the system to incorrectly trust a certificate and the resource it represents, creating a security gap. |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | This vulnerability occurs when an application accepts a valid SSL/TLS certificate without verifying that it actually belongs to the specific host the application is connecting to. Even a correctly signed certificate from a trusted authority can be misused if the hostname check is missing or flawed. |
| CWE-298 | Improper Validation of Certificate Expiration | This vulnerability occurs when an application fails to properly check if a digital certificate has expired, potentially trusting certificates that are no longer valid due to their age. |
| CWE-299 | Improper Check for Certificate Revocation | This vulnerability occurs when an application fails to properly verify whether a security certificate has been revoked, potentially allowing it to accept and use a compromised or untrustworthy certificate. |
| CWE-593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created | This vulnerability occurs when an application modifies an OpenSSL context (CTX) object after that context has already been used to create SSL objects for active SSL/TLS connections. |
| CWE-599 | Missing Validation of OpenSSL Certificate | This vulnerability occurs when an application uses OpenSSL but fails to verify server certificates because it does not call `SSL_get_verify_result()`. Without this validation, the application may accept insecure or fraudulent certificates. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |