Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-296 (证书信任链回溯不恰当) — Vulnerability Class 10

10 vulnerabilities classified as CWE-296 (证书信任链回溯不恰当). AI Chinese analysis included.

CWE-296 represents a critical cryptographic weakness where software fails to properly validate the certificate chain of trust back to a trusted root authority. This flaw typically enables attackers to exploit the vulnerability by presenting forged or self-signed certificates that appear valid due to incomplete verification processes. By bypassing intermediate checks, malicious actors can perform man-in-the-middle attacks, intercepting sensitive data or injecting malicious content without detection. To mitigate this risk, developers must implement rigorous validation logic that ensures every certificate in the hierarchy, from the leaf to the root, is authentic and unexpired. Utilizing established cryptographic libraries that enforce strict chain verification by default is essential. Additionally, developers should avoid hardcoding trust anchors and regularly update their systems to recognize revoked certificates, thereby maintaining the integrity of secure communications and preventing unauthorized access.

MITRE CWE Description
The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate. There are several ways in which the chain of trust might be broken, including but not limited to: Any certificate in the chain is self-signed, unless it is the root. Not every intermediate certificate is checked, starting from the original certificate all the way up to the root certificate. An intermediate, CA-signed certificate does not have the expected Basic Constraints or other important extensions. The root certificate has been compromised or authorized to the wrong party.
Common Consequences (2)
Non-RepudiationHide Activities
Exploitation of this flaw can lead to the trust of data that may have originated with a spoofed source.
Integrity, Confidentiality, Availability, Access ControlGain Privileges or Assume Identity, Execute Unauthorized Code or Commands
Data, requests, or actions taken by the attacking entity can be carried out as a spoofed benign entity.
Mitigations (3)
Architecture and DesignEnsure that proper certificate checking is included in the system design.
ImplementationUnderstand, and properly implement all checks necessary to ensure the integrity of certificate trust integrity.
ImplementationIf certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the full chain of trust.
Examples (1)
This code checks the certificate of a connected peer.
if ((cert = SSL_get_peer_certificate(ssl)) && host) foo=SSL_get_verify_result(ssl); if ((X509_V_OK==foo) || X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN==foo)) // certificate looks good, host can be trusted
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2026-33779 Junos OS: SRX Series: Insufficient certificate verification for device to SD cloud communication — Junos OS 6.5 Medium2026-04-09
CVE-2025-48057 Icinga 2 certificate renewal might incorrectly renew an invalid certificate — icinga2 7.4AIHighAI2025-05-27
CVE-2025-22459 Ivanti Endpoint Manager 安全漏洞 — Endpoint Manager 4.8 Medium2025-04-08
CVE-2024-43196 IBM OpenPages data manipulation — OpenPages with Watson 4.3 Medium2025-02-20
CVE-2025-1146 CrowdStrike Falcon Sensor for Linux TLS Issue — Falcon sensor for Linux 8.1 High2025-02-12
CVE-2021-44532 nodejs 信任管理问题漏洞 — Node 5.3 -2022-02-24
CVE-2021-23162 Gallagher Command Centre Server 信任管理问题漏洞 — Command Centre Mobile Connect for Android 7.7 High2021-11-18
CVE-2021-23155 Gallagher Command Centre Server 信任管理问题漏洞 — Command Centre Mobile Client for Android 9.0 Critical2021-11-18
CVE-2021-1566 Cisco Email Security Appliance and Cisco Web Security Appliance Certificate Validation Vulnerability — Cisco Web Security Appliance (WSA) 7.4 High2021-06-16
CVE-2019-3762 Dell Data Protection Central 信任管理问题漏洞 — Data Protection Central 7.5 -2020-03-18

Vulnerabilities classified as CWE-296 (证书信任链回溯不恰当) represent 10 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.