
CWE-297 (Improper Validation of Certificate with Host Mismatch) — Vulnerability Class 36

36 vulnerabilities classified as CWE-297 (Improper Validation of Certificate with Host Mismatch). AI Chinese analysis included.

CWE-297 represents a critical validation weakness where software fails to verify that an SSL/TLS certificate’s identity matches the intended host. This flaw allows attackers to exploit the trust relationship by presenting a valid, properly signed certificate issued for a different domain. Consequently, malicious actors can perform man-in-the-middle attacks, intercepting sensitive data or injecting malicious content without triggering security warnings. Developers prevent this vulnerability by implementing strict hostname verification during the TLS handshake. This process involves comparing the server’s hostname against the Common Name or Subject Alternative Name fields in the certificate. By ensuring the certificate explicitly authorizes the specific host being contacted, applications maintain data integrity and confidentiality, effectively neutralizing impersonation attempts even when the certificate chain itself is technically valid.

MITRE CWE Description
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. Even if a certificate is well-formed, signed, and follows the chain of trust, it may simply be a valid certificate for a different site than the site that the product is interacting with. In order to ensure data integrity, the certificate must be valid, and it must pertain to the site that is being accessed. Even if the product attempts to check the hostname, it is still possible to incorrectly check the hostname. For example, attackers could create a certificate with a name that begins with a trusted name followed by a NUL byte, which could cause some string-based comparisons to only examine the portion that contains the trusted name.
Common Consequences (3)
Scope: Access Control · Impact: Gain Privileges or Assume Identity
  The data read from the system vouched for by the certificate may not be from the expected system.
Scope: Authentication, Other · Impact: Other
  Trust afforded to the system in question - based on the malicious certificate - may allow for spoofing or redirection attacks.
Scope: Access Control, Other · Impact: Gain Privileges or Assume Identity, Other
  If the certificate's host-specific data is not properly checked - such as the Common Name (CN) in the Subject or the Subject Alternative Name (SAN) extension of an X.509 certificate - it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provid…
Mitigations (2)
Phase: Architecture and Design
  Fully check the hostname of the certificate and provide the user with adequate information about the nature of the problem and how to proceed.
Phase: Implementation
  If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the hostname.
Examples (1)
The following OpenSSL code obtains a certificate and verifies it.

    cert = SSL_get_peer_certificate(ssl);
    /* X509_V_OK only means the chain validated against the trust store;
       unless a verify host was configured, nothing here compares the
       certificate's CN/SAN against the host being contacted. */
    if (cert && (SSL_get_verify_result(ssl) == X509_V_OK)) {
        // do secret things
    }

Bad · C
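The hostname check that the example above leaves out, written as an added illustration (not code from the CWE entry or from OpenSSL): SAN dNSName entries are matched first with CN used only as a fallback, a wildcard is honoured only as the whole left-most label, and a name containing a NUL byte is rejected outright. The helper names and the sample certificate names are constructed for this example.

```python
from typing import Iterable, Optional


def _match_pattern(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the target host, RFC 6125 style."""
    # A NUL byte inside a DNS name is never legitimate. A length-unaware C
    # comparison stops at it and would accept "www.example.com\0.attacker.test"
    # as "www.example.com"; a length-aware check must refuse the name entirely.
    if "\x00" in pattern or "\x00" in hostname:
        return False
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    # Wildcard only as the entire left-most label, and never for "*.tld".
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def certificate_matches_host(hostname: str, san_dns_names: Iterable[str],
                             subject_cn: Optional[str] = None) -> bool:
    """SAN dNSName entries take precedence; CN is consulted only when no SAN exists."""
    names = list(san_dns_names)
    if not names and subject_cn:
        names = [subject_cn]
    return any(_match_pattern(n, hostname) for n in names)


def naive_c_style_compare(cert_name: str, hostname: str) -> bool:
    """Mimics a strcmp()-based check: comparison silently ends at the first NUL."""
    return cert_name.split("\x00", 1)[0] == hostname


def demo() -> dict:
    # Constructed certificate names for a hypothetical cert; not from any real site.
    sans = ["www.example.com", "*.api.example.com"]
    nul_name = "www.example.com\x00.attacker.test"
    return {
        "exact": certificate_matches_host("WWW.Example.COM", sans),
        "wildcard": certificate_matches_host("v1.api.example.com", sans),
        "wildcard_too_deep": certificate_matches_host("a.b.api.example.com", sans),
        "other_site": certificate_matches_host("mail.example.com", sans),
        "nul_rejected": certificate_matches_host("www.example.com", [nul_name]),
        "nul_naive_accepts": naive_c_style_compare(nul_name, "www.example.com"),
        "cn_ignored_with_san": certificate_matches_host("old.example.com", sans, "old.example.com"),
        "cn_fallback": certificate_matches_host("old.example.com", [], "old.example.com"),
    }
```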

Vulnerabilities classified as CWE-297 (Improper Validation of Certificate with Host Mismatch) represent 36 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.