
CWE-298 (Improper Validation of Certificate Expiration) — Vulnerability Class 4

4 vulnerabilities classified as CWE-298 (Improper Validation of Certificate Expiration). AI Chinese analysis included.

CWE-298 represents a critical cryptographic weakness where software fails to properly validate the expiration date of digital certificates. This flaw typically allows attackers to exploit trust relationships by presenting expired or revoked certificates, effectively bypassing authentication mechanisms and enabling man-in-the-middle attacks. By ignoring expiration checks, developers inadvertently permit malicious actors to impersonate legitimate services or intercept sensitive data without detection. To mitigate this risk, developers must implement robust validation logic that strictly verifies certificate validity periods against current system time during every connection establishment. Utilizing established cryptographic libraries that automatically handle expiration checks, rather than relying on custom implementations, ensures consistent enforcement. Additionally, integrating Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) checks provides an extra layer of security, ensuring that even validly dated certificates are not compromised due to prior revocation.

MITRE CWE Description
A certificate expiration is not validated or is incorrectly validated.
Common Consequences (2)
Integrity, Other
The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.
Authentication, Other
Trust may be assigned to certificates that have been abandoned due to age.
Mitigations (2)
Architecture and Design: Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
Implementation: If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.
Examples (1)
The following OpenSSL code checks that a peer certificate is present, but then accepts the connection even when verification reports that the certificate has expired.
    X509 *cert;
    long foo;
    if ((cert = SSL_get_peer_certificate(ssl)) != NULL) {
        foo = SSL_get_verify_result(ssl);
        /* Weakness: X509_V_ERR_CERT_HAS_EXPIRED is treated the same as X509_V_OK */
        if ((X509_V_OK == foo) || (X509_V_ERR_CERT_HAS_EXPIRED == foo)) {
            /* do stuff */
        }
        X509_free(cert);
    }
Bad · C
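The decision the OpenSSL snippet gets wrong, reproduced as an added example (not MITRE's or this page's code) in Python over constructed certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns; `SAMPLE_CERTS`, `NOW` and the function names are constructed for illustration. It also shows the library-default path the description above recommends, where the `ssl` module enforces the validity window itself.

```python
import ssl
import time

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); subjects and dates are made up for this example.
SAMPLE_CERTS = {
    "valid":   {"subject": ((("commonName", "valid.example"),),),
                "notBefore": "Jan 01 00:00:00 2024 GMT",
                "notAfter":  "Jan 01 00:00:00 2099 GMT"},
    "expired": {"subject": ((("commonName", "expired.example"),),),
                "notBefore": "Jan 01 00:00:00 2020 GMT",
                "notAfter":  "Jan 01 00:00:00 2021 GMT"},
    "future":  {"subject": ((("commonName", "future.example"),),),
                "notBefore": "Jan 01 00:00:00 2098 GMT",
                "notAfter":  "Jan 01 00:00:00 2099 GMT"},
}

# Fixed "current time" (constructed) so the example is deterministic.
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")


def validity_status(cert, now=None):
    """Compare the certificate's validity window with the current time.
    Returns "ok", "expired" or "not_yet_valid": the outcomes OpenSSL reports
    as X509_V_OK, X509_V_ERR_CERT_HAS_EXPIRED, X509_V_ERR_CERT_NOT_YET_VALID."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    return "ok"


def accept_peer_vulnerable(cert, now=None):
    """CWE-298: like the OpenSSL example, an expired cert is accepted as valid."""
    return validity_status(cert, now) in ("ok", "expired")


def accept_peer_hardened(cert, now=None):
    """Only a certificate whose window contains the current time is trusted."""
    return validity_status(cert, now) == "ok"


def hardened_context():
    """Preferred fix: let the library enforce expiry. The default context
    requires a verifiable chain (dates included) and a matching hostname."""
    return ssl.create_default_context()
```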
CVE ID | Title | CVSS | Severity | Published
CVE-2025-61736 | iSTAR - Improper Validation of Certificate Expiration — iSTAReX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra, iSTAR Ultra SE | 5.3 (AI) | Medium (AI) | 2025-12-17
CVE-2025-59036 | Infrahub allows authentication with deleted and expired API tokens — infrahub | 5.5 | Medium | 2025-09-09
CVE-2025-4384 | Certificate validity not properly verified — PcVue | 7.5 (AI) | High (AI) | 2025-05-06
CVE-2023-42446 | Pow Mnesia cache doesn't invalidate all expired keys on startup — pow | 6.5 | Medium | 2023-09-18

Vulnerabilities classified as CWE-298 (Improper Validation of Certificate Expiration) represent 4 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.