CWE-599
Missing Validation of OpenSSL Certificate
The product uses OpenSSL and trusts or uses a certificate without calling SSL_get_verify_result() to confirm that the certificate passed every required verification check. This matters because a client SSL_CTX defaults to SSL_VERIFY_NONE, in which mode the handshake completes regardless of the verification outcome; the only way to learn that the peer's certificate failed verification is to ask for the result afterwards.
Status
incomplete
Abstraction
variant
Affected Platforms
Extended Description
This could allow an attacker to present an invalid certificate and claim to be a trusted host, to use an expired certificate, or to carry out other attacks that proper certificate validation would detect. A related pitfall is that SSL_get_verify_result() returns X509_V_OK when the peer presented no certificate at all, because no verification error occurred; a correct check therefore also confirms that a peer certificate exists (SSL_get_peer_certificate() in 1.1.x, SSL_get1_peer_certificate() in 3.x).
Technical Details
Common Consequences
confidentiality
access control
Impacts
read application data
bypass protection mechanism
gain privileges or assume identity
Potential Mitigations
Phases:
architecture and design
implementation
Descriptions:
•
Ensure that peer authentication, not merely encryption, is included in the system design.
•
Understand and correctly implement every check needed to establish the identity of the peer in an encrypted session. With OpenSSL that means either enabling SSL_VERIFY_PEER so that verification failure aborts the handshake, or checking SSL_get_verify_result() after the handshake; in both cases also confirm that a peer certificate was actually presented, and bind the expected hostname to the verifier (SSL_set1_host()) so that a valid certificate for the wrong host is rejected as well.