
CWE-296 Improper Following of a Certificate's Chain of Trust: vulnerability list (10)

Summary of 10 CVEs associated with the CWE-296 (Improper Following of a Certificate's Chain of Trust) weakness class, with AI-generated analysis in Chinese.

CWE-296 is a defect in certificate chain validation. Attackers typically exploit it by forging an intermediate certificate or introducing a malicious root certificate so that the system accepts an illegitimate identity, which enables man-in-the-middle attacks or data theft. Developers should implement complete chain validation, ensuring that every intermediate certificate from the end-entity certificate up to a trusted root certificate is verified, and should not trust self-signed certificates by default.

Official MITRE CWE description
CWE-296: Improper Following of a Certificate's Chain of Trust. The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate. There are several ways in which the chain of trust might be broken, including but not limited to: any certificate in the chain is self-signed, unless it is the root; not every intermediate certificate is checked, starting from the original certificate all the way up to the root certificate; an intermediate, CA-signed certificate does not have the expected Basic Constraints or other important extensions; the root certificate has been compromised or authorized to the wrong party.
Common consequences (2)
Scope: Non-Repudiation. Impact: Hide Activities.
Exploitation of this flaw can lead to the trust of data that may have originated with a spoofed source.
Scope: Integrity, Confidentiality, Availability, Access Control. Impact: Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands.
Data, requests, or actions taken by the attacking entity can be carried out as a spoofed benign entity.
Mitigations (3)
Phase: Architecture and Design. Ensure that proper certificate checking is included in the system design.
Phase: Implementation. Understand and properly implement all checks necessary to ensure the integrity of the certificate trust chain.
Phase: Implementation. If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the full chain of trust.
Code example (1)
This code checks the certificate of a connected peer. The second condition is the flaw: a chain that contains a self-signed certificate which is not the trusted root is accepted as if verification had succeeded.

    if ((cert = SSL_get_peer_certificate(ssl)) && host)
        foo = SSL_get_verify_result(ssl);
    // X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN is treated as success (this is the defect)
    if ((X509_V_OK == foo) || (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN == foo))
        // certificate looks good, host can be trusted

Bad · C
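As an added example (not the page's or MITRE's code, and not a real OpenSSL call), the following C program models the chain-of-trust walk that the description and the mitigations above call for: it rejects a self-signed certificate anywhere but at the root, checks every link up to the root, requires the CA basic constraint on each issuing certificate, and requires the root to be present in a trust store. Signature verification is simulated by a flag, the certificate names and the trust store are constructed for the example, and the two small decision functions contrast the bad example's acceptance of X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN with the corrected check that accepts only X509_V_OK (numeric values mirrored from OpenSSL's x509_vfy.h).

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a certificate: signature verification is simulated by
 * the sig_ok flag so the chain logic runs without OpenSSL or real keys. */
typedef struct {
    const char *subject;
    const char *issuer;
    int is_ca;    /* basicConstraints CA:TRUE present */
    int sig_ok;   /* simulated: the issuer's key verifies this certificate */
} Cert;

enum {
    CHAIN_OK = 0,
    CHAIN_ERR_EMPTY,            /* nothing to verify */
    CHAIN_ERR_SELF_SIGNED,      /* self-signed certificate that is not the root */
    CHAIN_ERR_BROKEN_LINK,      /* issuer mismatch or signature does not verify */
    CHAIN_ERR_NOT_CA,           /* issuing certificate lacks the CA basic constraint */
    CHAIN_ERR_UNTRUSTED_ROOT    /* chain does not end at a self-signed trust-store root */
};

static int is_self_signed(const Cert *c) {
    return strcmp(c->subject, c->issuer) == 0;
}

static int in_trust_store(const Cert *c, const char *const *store, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(store[i], c->subject) == 0) return 1;
    return 0;
}

/* Walk chain[0] (leaf) .. chain[n-1] (root), checking every link on the way. */
int verify_chain(const Cert *chain, size_t n, const char *const *store, size_t nstore) {
    if (n == 0) return CHAIN_ERR_EMPTY;
    for (size_t i = 0; i + 1 < n; i++) {
        const Cert *c = &chain[i], *issuer = &chain[i + 1];
        if (is_self_signed(c)) return CHAIN_ERR_SELF_SIGNED;
        if (strcmp(c->issuer, issuer->subject) != 0 || !c->sig_ok) return CHAIN_ERR_BROKEN_LINK;
        if (!issuer->is_ca) return CHAIN_ERR_NOT_CA;
    }
    const Cert *root = &chain[n - 1];
    if (!root->sig_ok) return CHAIN_ERR_BROKEN_LINK;
    if (!is_self_signed(root) || !in_trust_store(root, store, nstore)) return CHAIN_ERR_UNTRUSTED_ROOT;
    return CHAIN_OK;
}

/* Values mirrored from OpenSSL's x509_vfy.h so the decision can be read against
 * real SSL_get_verify_result() output without linking OpenSSL here. */
#define VERIFY_OK                        0L   /* X509_V_OK */
#define VERIFY_ERR_SELF_SIGNED_IN_CHAIN  19L  /* X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN */

/* Decision from the page's bad example: a self-signed cert in the chain passes. */
int peer_trusted_bad(long verify_result) {
    return verify_result == VERIFY_OK || verify_result == VERIFY_ERR_SELF_SIGNED_IN_CHAIN;
}

/* Corrected decision: only a fully verified chain is accepted. */
int peer_trusted_fixed(long verify_result) {
    return verify_result == VERIFY_OK;
}

/* Constructed chains exercising each way the MITRE text says the chain can break. */
int scenario(int which) {
    static const char *const store[] = { "Example Root CA" };      /* constructed trust anchor */
    Cert root        = { "Example Root CA", "Example Root CA", 1, 1 };
    Cert inter       = { "Example Intermediate CA", "Example Root CA", 1, 1 };
    Cert leaf        = { "www.example.test", "Example Intermediate CA", 0, 1 };
    Cert rogue       = { "Rogue CA", "Rogue CA", 1, 1 };            /* self-signed, not a trusted root */
    Cert leaf_rogue  = { "www.example.test", "Rogue CA", 0, 1 };
    Cert server      = { "Example Server", "Example Root CA", 0, 1 }; /* end-entity used as issuer */
    Cert leaf_server = { "www.example.test", "Example Server", 0, 1 };
    Cert other       = { "Other Root", "Other Root", 1, 1 };          /* not in the trust store */
    Cert inter_other = { "Example Intermediate CA", "Other Root", 1, 1 };
    Cert leaf_badsig = { "www.example.test", "Example Intermediate CA", 0, 0 };
    switch (which) {
    case 0: { Cert c[] = { leaf, inter, root };         return verify_chain(c, 3, store, 1); }
    case 1: { Cert c[] = { leaf_rogue, rogue, root };   return verify_chain(c, 3, store, 1); }
    case 2: { Cert c[] = { leaf, inter };               return verify_chain(c, 2, store, 1); }
    case 3: { Cert c[] = { leaf_server, server, root }; return verify_chain(c, 3, store, 1); }
    case 4: { Cert c[] = { leaf, inter_other, other };  return verify_chain(c, 3, store, 1); }
    case 5: { Cert c[] = { leaf_badsig, inter, root };  return verify_chain(c, 3, store, 1); }
    default: return CHAIN_ERR_EMPTY;
    }
}

int main(void) {
    static const char *const names[] = { "valid chain", "self-signed intermediate",
        "truncated chain", "issuer without CA:TRUE", "untrusted root", "bad signature" };
    for (int i = 0; i < 6; i++)
        printf("%-26s -> %d\n", names[i], scenario(i));
    printf("verify_result=19: bad=%d fixed=%d\n", peer_trusted_bad(19), peer_trusted_fixed(19));
    return 0;
}
```

Scenario 1 is the situation the bad example lets through: the leaf chains correctly to a self-signed "Rogue CA" that is not the trust anchor, which is exactly what X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN reports. A real implementation would replace the sig_ok flag with an actual signature check and would also validate validity periods, name constraints, key usage and revocation status, which this model omits.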
CVE ID         | Title                                                      | Affected product                          | CVSS     | Risk level | Published
---------------|------------------------------------------------------------|-------------------------------------------|----------|------------|-----------
CVE-2026-33779 | Juniper Networks Junos OS security vulnerability           | Junos OS                                  | 6.5      | Medium     | 2026-04-09
CVE-2025-48057 | Icinga security vulnerability                              | icinga2                                   | 7.4 (AI) | High (AI)  | 2025-05-27
CVE-2025-22459 | Ivanti Endpoint Manager security vulnerability             | Endpoint Manager                          | 4.8      | Medium     | 2025-04-08
CVE-2024-43196 | IBM OpenPages with Watson security vulnerability           | OpenPages with Watson                     | 4.3      | Medium     | 2025-02-20
CVE-2025-1146  | CrowdStrike Falcon security vulnerability                  | Falcon sensor for Linux                   | 8.1      | High       | 2025-02-12
CVE-2021-44532 | nodejs trust management vulnerability                      | Node                                      | 5.3      | -          | 2022-02-24
CVE-2021-23162 | Gallagher Command Centre Server trust management vulnerability | Command Centre Mobile Connect for Android | 7.7  | High       | 2021-11-18
CVE-2021-23155 | Gallagher Command Centre Server trust management vulnerability | Command Centre Mobile Client for Android  | 9.0  | Critical   | 2021-11-18
CVE-2021-1566  | Cisco Advanced Malware Protection trust management vulnerability | Cisco Web Security Appliance (WSA)      | 7.4  | High       | 2021-06-16
CVE-2019-3762  | Dell Data Protection Central trust management vulnerability | Data Protection Central                  | 7.5      | -          | 2020-03-18

(AI): value marked as AI-generated on the original page.

CWE-296 (Improper Following of a Certificate's Chain of Trust) is a common weakness class; this platform has collected 10 CVEs associated with it.