Improper Check for Certificate Revocation| ID: 299 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
The software does not check or incorrectly checks the
revocation status of a certificate, which may cause it to use a certificate that
has been compromised.
Likelihood of Exploit: Medium
Applicable PlatformsLanguage Class: All
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Gain privileges / assume
identity | Trust may be assigned to an entity who is not who it claims to
be. |
| IntegrityOther | Other | Data from an untrusted (and possibly malicious) source may be
integrated. |
| Confidentiality | Read application
data | Data may be disclosed to an entity impersonating a trusted entity,
resulting in information disclosure. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Ensure that certificates are checked for revoked status. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-299 ChildOf CWE-898 | Category | CWE-888 | |
Demonstrative ExamplesNone
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| CLASP | | Failure to check for certificate revocation | |
References:
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 23: Improper Use of PKI, Especially SSL." Page
347'. Published on 2010.
