CWE-295 证书验证不恰当类漏洞列表 474

CWE-295 证书验证不恰当类弱点 474 条 CVE 漏洞汇总，含 AI 中文分析。

CWE-295 属于证书验证不当漏洞，指软件未正确验证数字证书的有效性或完整性。攻击者常利用此缺陷实施中间人攻击，通过伪造证书拦截并篡改通信数据，窃取敏感信息或注入恶意代码。开发者应确保严格校验证书链、域名匹配及有效期，禁用弱算法，并启用证书固定机制，以保障传输层安全，防止身份冒充和数据泄露。

MITRE CWE 官方描述

CWE：CWE-295 证书验证不当英文：产品未对证书进行验证，或验证不正确。

常见影响 (1)

Integrity, AuthenticationBypass Protection Mechanism, Gain Privileges or Assume Identity

When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The product might connect to a malicious host while believing it is a trusted host, or the product might be deceived into accepting s…

缓解措施 (2)

Architecture and Design, ImplementationCertificates should be carefully managed and checked to assure that data are encrypted with the intended owner's public key.

ImplementationIf certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.

代码示例 (2)

This code checks the certificate of a connected peer.

if ((cert = SSL_get_peer_certificate(ssl)) && host) foo=SSL_get_verify_result(ssl); if ((X509_V_OK==foo) || X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN==foo)) // certificate looks good, host can be trusted

Bad · C

The following OpenSSL code obtains a certificate and verifies it.

cert = SSL_get_peer_certificate(ssl); if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) { // do secret things }

Bad · C

CVE ID	标题	CVSS	风险等级	Published
CVE-2026-42225	GnuTLS verify_peer为false时静默跳过证书链验证漏洞 — pjproject	-	-	2026-05-07
CVE-2026-5787	Ivanti EPMM证书验证漏洞影响12.6.1.1及更早版本 — Endpoint Manager Mobile	8.9	High	2026-05-07
CVE-2026-7821	Ivanti EPMM证书验证不当致信息泄露 — Endpoint Manager Mobile	7.4	High	2026-05-07
CVE-2026-42011	GnuTLS 名称约束处理不当导致的安全绕过漏洞 — Red Hat Enterprise Linux 10	7.4	High	2026-05-07
CVE-2026-40243	Incus OVN TLS验证接受对端根证书，允许端点伪造 — incus	-	-	2026-05-06
CVE-2025-42611	MikroTik RouterOS 多服务证书验证绕过漏洞 — RouterOS	6.5	Medium	2026-05-05
CVE-2026-41016	Apache Airflow SMTP 提供商 STARTTLS 证书验证缺失 — Apache Airflow Providers SMTP	7.4^AI	High^AI	2026-04-30
CVE-2025-10539	DeskTime Time Tracking App 信任管理问题漏洞 — DeskTime Time Tracking App	8.1^AI	High^AI	2026-04-28
CVE-2026-40974	VMware Spring Boot 信任管理问题漏洞 — Spring Boot	5.0	Medium	2026-04-27
CVE-2026-40971	VMware Spring Boot 信任管理问题漏洞 — Spring Boot	5.0	Medium	2026-04-27
CVE-2026-40970	VMware Spring Boot 信任管理问题漏洞 — Spring Boot	5.0	Medium	2026-04-27
CVE-2026-40557	Apache Storm Prometheus Reporter 信任管理问题漏洞 — Apache Storm Prometheus Reporter	7.4^AI	High^AI	2026-04-27
CVE-2026-40944	oxia 信任管理问题漏洞 — oxia	7.5^AI	High^AI	2026-04-21
CVE-2026-39388	OpenBao 信任管理问题漏洞 — openbao	7.5^AI	High^AI	2026-04-21
CVE-2026-23776	Dell PowerProtect Data Domain（Dell PowerProtect DD）安全漏洞 — PowerProtect Data Domain	7.2	High	2026-04-17
CVE-2026-20184	Cisco Webex Services 安全漏洞 — Cisco Webex Meetings	9.8	Critical	2026-04-15
CVE-2026-39984	Sigstore Timestamp Authority 安全漏洞 — timestamp-authority	5.5	Medium	2026-04-14
CVE-2025-40745	Siemens多款产品信任管理问题漏洞 — Siemens Software Center	3.7	Low	2026-04-14
CVE-2026-0233	Palo Alto Networks Autonomous Digital Experience Manager 安全漏洞 — Autonomous Digital Experience Manager	8.8	-	2026-04-13
CVE-2026-5501	wolfSSL 安全漏洞 — wolfSSL	5.9	-	2026-04-10
CVE-2026-5263	wolfSSL（CyaSSL）安全漏洞 — wolfSSL	7.5^AI	High^AI	2026-04-09
CVE-2026-5194	wolfSSL 安全漏洞 — wolfSSL	5.3^AI	Medium^AI	2026-04-09
CVE-2026-35207	dde-control-center 信任管理问题漏洞 — dde-control-center	5.4	Medium	2026-04-09
CVE-2026-33753	rfc3161-client 安全漏洞 — rfc3161-client	6.2	Medium	2026-04-08
CVE-2026-34580	Botan 信任管理问题漏洞 — botan	5.3^AI	Medium^AI	2026-04-07
CVE-2026-4740	Red Hat rhacm2 信任管理问题漏洞 — Multicluster Engine for Kubernetes	8.2	High	2026-04-07
CVE-2026-32144	Erlang/OTP 安全漏洞 — OTP	5.9^AI	Medium^AI	2026-04-07
CVE-2026-35389	Bulwark Webmail 信任管理问题漏洞 — webmail	5.3^AI	Medium^AI	2026-04-06
CVE-2026-35560	Amazon Athena ODBC driver 安全漏洞 — Amazon Athena ODBC driver	7.4	High	2026-04-03
CVE-2026-29140	SEPPmail Secure Email Gateway 安全漏洞 — Secure Email Gateway	7.5^AI	High^AI	2026-04-02

CWE-295（证书验证不恰当）是常见的弱点类别，本平台收录该类弱点关联的 474 条 CVE 漏洞。

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

CWE-295 证书验证不恰当 类漏洞列表 474

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

CWE-295 证书验证不恰当类漏洞列表 474