Base weakness

Draft

CWE-299: Improper Check for Certificate Revocation

The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Medium

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

An improper check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly malicious. The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync.

CWE-299: Improper Check for Certificate Revocation

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-299?

What CVEs are caused by CWE-299?

How do you prevent CWE-299?

How is CWE-299 detected?

What are the consequences of CWE-299?

Is CWE-299 actively exploited?

References

Stay ahead of CWE-299

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-299?

What CVEs are caused by CWE-299?

How do you prevent CWE-299?

How is CWE-299 detected?

What are the consequences of CWE-299?

Is CWE-299 actively exploited?

References

Stay ahead of CWE-299