
CWE-299 (Improper Check for Certificate Revocation) — Vulnerability Class 8

8 vulnerabilities classified as CWE-299 (Improper Check for Certificate Revocation). AI analysis (translated from Chinese) included.

CWE-299 covers software that establishes a TLS (or other PKI-authenticated) session without checking whether the peer's certificate has been revoked. Revocation exists precisely for the case where a certificate can no longer be trusted even though it still validates cryptographically: its private key was stolen, it was mis-issued, or the subject no longer controls the name. An attacker holding the compromised key can keep presenting the certificate after the CA has revoked it, and a client that verifies only the chain, the name and the validity dates will accept it, which enables man-in-the-middle attacks and impersonation of the legitimate service. The mitigation is to obtain the certificate's status as part of validation, from a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) response (ideally one stapled into the handshake), to verify that the status information is itself signed by the issuer and still within its validity window, and to fail closed when it cannot be obtained. A "soft-fail" check that silently accepts the certificate when the OCSP responder or CRL is unreachable provides little protection, because an attacker positioned to intercept the connection can usually block the status lookup as well.

MITRE CWE Description
The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. An improper check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly malicious. The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync.
Common Consequences (3)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
Trust may be assigned to an entity who is not who it claims to be.
Scope: Integrity, Other. Impact: Other.
Data from an untrusted (and possibly malicious) source may be integrated.
Scope: Confidentiality. Impact: Read Application Data.
Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.
Mitigations (2)
Phase: Architecture and Design. Ensure that certificates are checked for revoked status.
Phase: Implementation. If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the revoked status.
Examples (1)
The following OpenSSL code ensures that there is a certificate before continuing execution. Nothing else about the certificate is examined: SSL_get_verify_result() is never consulted, so a certificate that OpenSSL would have flagged as revoked (X509_V_ERR_CERT_REVOKED) is treated exactly like a valid one. Note that OpenSSL reports that error only when the application has enabled revocation checking in the first place (for example by loading CRLs into the verification store and setting X509_V_FLAG_CRL_CHECK, plus X509_V_FLAG_CRL_CHECK_ALL for the whole chain, or by validating a stapled OCSP response in a status callback); with default settings the revocation status is never examined at all.

    // Bad: the mere presence of a peer certificate is taken as proof of trust.
    // SSL_get_verify_result(ssl) is never checked, so a revoked (or otherwise
    // rejected) certificate reaches "do secret things" unchallenged.
    if (cert = SSL_get_peer_certificate(ssl)) {
        // got a certificate, do secret things
    }
Bad · C
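A worked version of the check that the summary above recommends and that the OpenSSL example omits, written here as an added example; it is not MITRE's code and not taken from any of the listed CVEs. It is in Go because Go's crypto/x509 and crypto/tls perform chain, name and validity-date checks but no revocation checking at all, so the revocation step is exactly the part the application has to add. The CA, leaf certificate and CRL are generated in memory as constructed test data; the hostname api.example.test, the serial 4242 and the 12-hour CRL lifetime are arbitrary choices, and the function names are this example's own. It exercises the outcomes a practitioner cares about: a serial listed in a fresh, issuer-signed CRL is rejected; a missing CRL is rejected rather than soft-failed; a CRL past its nextUpdate is rejected because it may predate the revocation being looked for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrNoCRL    = errors.New("no CRL available for issuer, failing closed")
	ErrStaleCRL = errors.New("CRL is outside its thisUpdate/nextUpdate window")
	ErrRevoked  = errors.New("certificate is revoked")
)

// must is for building the test fixtures only; the verification code below returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI generates a throwaway CA and one leaf certificate in memory (constructed test data).
func buildPKI(now time.Time) (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leafDER []byte) {
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to issue CRLs
	}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "api.example.test"}, DNSNames: []string{"api.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER = must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))
	return
}

// issueCRL signs a CRL from ca that lists the given serials as revoked.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int, now time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour)}
	for _, s := range revoked { // RevokedCertificates is the pre-Go-1.21 field name; newer releases still honour it
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// verifyWithRevocation adds the step x509.Verify omits: once chain, name and dates check out, the leaf is looked up in its issuer's CRL, and any doubt fails closed.
func verifyWithRevocation(leafDER []byte, roots *x509.CertPool, crlDER []byte, host string, now time.Time) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return err // untrusted issuer, wrong name or expired: Go's own checks, unchanged
	}
	if crlDER == nil {
		return ErrNoCRL // absence of status information is not evidence of validity
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(chains[0][1]); err != nil { // CRL must be signed by the leaf's issuer
		return fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return ErrStaleCRL // a stale CRL may predate the very revocation being looked for
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("%w: serial %s at %s", ErrRevoked, leaf.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

func main() {
	now := time.Now()
	ca, caKey, leafDER := buildPKI(now)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	clean, _ := issueCRL(ca, caKey, nil, now)
	listed, _ := issueCRL(ca, caKey, []*big.Int{big.NewInt(4242)}, now)
	fmt.Println("fresh CRL, not listed:", verifyWithRevocation(leafDER, roots, clean, "api.example.test", now))
	fmt.Println("fresh CRL, listed:    ", verifyWithRevocation(leafDER, roots, listed, "api.example.test", now))
	fmt.Println("no CRL obtainable:    ", verifyWithRevocation(leafDER, roots, nil, "api.example.test", now))
	fmt.Println("CRL past nextUpdate:  ", verifyWithRevocation(leafDER, roots, clean, "api.example.test", now.Add(13*time.Hour)))
}
```

In a real client the same logic belongs in tls.Config.VerifyPeerCertificate, where Go hands over the already-validated chains, with the CRL fetched from the issuer's CRLDistributionPoints and cached no longer than its nextUpdate. A stapled OCSP response (tls.ConnectionState.OCSPResponse) takes the place of the CRL; the Go standard library does not parse OCSP, golang.org/x/crypto/ocsp does, and the same rules apply to it: check the responder signature, the validity window and the serial, and fail closed when it is missing.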

Vulnerabilities classified as CWE-299 (Improper Check for Certificate Revocation) represent 8 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.