Base weakness

Draft

CWE-296: Improper Following of a Certificate's Chain of Trust

The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Low

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

There are several ways in which the chain of trust might be broken, including but not limited to: Any certificate in the chain is self-signed, unless it is the root. Not every intermediate certificate is checked, starting from the original certificate all the way up to the root certificate. An intermediate, CA-signed certificate does not have the expected Basic Constraints or other important extensions. The root certificate has been compromised or authorized to the wrong party.

CWE-296: Improper Following of a Certificate's Chain of Trust

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-296?

What CVEs are caused by CWE-296?

How do you prevent CWE-296?

How is CWE-296 detected?

What are the consequences of CWE-296?

Is CWE-296 actively exploited?

References

Stay ahead of CWE-296

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Peer

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-296?

What CVEs are caused by CWE-296?

How do you prevent CWE-296?

How is CWE-296 detected?

What are the consequences of CWE-296?

Is CWE-296 actively exploited?

References

Stay ahead of CWE-296