Improper Check for Certificate Revocation
ID: 299 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The software does not check, or incorrectly checks, the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
Likelihood of Exploit: Medium
Applicable Platforms
Language Class: All
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Access Control | Gain privileges / assume identity | Trust may be assigned to an entity who is not who it claims to be. |
Integrity / Other | Other | Data from an untrusted (and possibly malicious) source may be integrated. |
Confidentiality | Read application data | Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure. |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Architecture and Design | | Ensure that certificates are checked for revoked status. | | |
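A concrete form of that mitigation, added here as an illustration and not part of the CWE entry: a CRL-based revocation check in Go that also fails closed on the "incorrectly checks" cases the description covers (a CRL that is unparseable, unsigned or from the wrong issuer, or no longer current). The CA, the leaf's serial and the CRL are constructed inside the block, and the names `CheckRevocation` and `fixture` are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckRevocation refuses a certificate unless a CRL from its issuer, signed by that issuer (which
// also enforces the issuer's cRLSign key usage) and current at time now, does not list the serial.
func CheckRevocation(crlDER []byte, issuer, cert *x509.Certificate, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL unparseable, failing closed: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil || !bytes.Equal(crl.RawIssuer, cert.RawIssuer) {
		return fmt.Errorf("CRL is not from the certificate's issuer (signature error: %v)", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL not current (valid %s to %s)", crl.ThisUpdate, crl.NextUpdate)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

// fixture is constructed test material, not real PKI: a CA, a stand-in for a leaf it issued,
// and a CA-signed CRL that lists the leaf's serial. Generation errors surface as a nil CRL.
func fixture() (ca, leaf *x509.Certificate, crlDER []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	ca, _ = x509.ParseCertificate(caDER)
	leaf = &x509.Certificate{SerialNumber: big.NewInt(4242), RawIssuer: ca.RawSubject} // only the fields checked
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	return
}
```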
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative Examples: None
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
CLASP | | Failure to check for certificate revocation | |
References:
- Michael Howard, David LeBlanc and John Viega. 24 Deadly Sins of Software Security. McGraw-Hill, 2010. Section: "Sin 23: Improper Use of PKI, Especially SSL", page 347.