
CWE-599 (Missing Validation of OpenSSL Certificate) — Vulnerability Class 2

2 vulnerabilities are classified as CWE-599 (Missing Validation of OpenSSL Certificate). AI-generated analysis (in Chinese) included.

CWE-599 covers code that uses OpenSSL but trusts the peer's certificate without confirming that OpenSSL's verification actually succeeded. The usual shape is a client that calls SSL_get_peer_certificate() (SSL_get1_peer_certificate() in OpenSSL 3.x) and treats a non-NULL result as proof of identity, while never calling SSL_get_verify_result(). OpenSSL's default verify mode is SSL_VERIFY_NONE: verification still runs, but a failure does not abort the handshake, so a client that never inspects the stored result completes the connection against any certificate, whether it is self-signed, expired, issued by an untrusted CA, or a perfectly valid certificate for some other host name (the hostname check only happens at all if the expected name was set with SSL_set1_host() or X509_VERIFY_PARAM_set1_host()). An attacker in a man-in-the-middle position simply presents such a certificate and the application accepts it. The mitigation is to configure verification before connecting, not to patch it on afterwards: load a trusted root store with SSL_CTX_set_default_verify_paths() or SSL_CTX_load_verify_locations(), request SSL_VERIFY_PEER with SSL_CTX_set_verify(), pin the expected host name, and after SSL_connect() reject the session unless a peer certificate is present and SSL_get_verify_result() returns X509_V_OK.
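The same weakness, and its fix, seen through Python's ssl module, which is a thin wrapper over the OpenSSL API described above (verify_mode maps to SSL_CTX_set_verify(), check_hostname to SSL_set1_host(), getpeercert() to SSL_get_peer_certificate()). This is an added example, not code from the CWE entry or from either listed product; host names and ports are placeholders, and audit_client_context() is a helper written here to show what a reviewer should check on every client context an application builds.

```python
"""Added example: CWE-599 in Python's ssl module (an OpenSSL wrapper).
Vulnerable context beside the hardened one, an audit helper, and the
post-handshake check that the MITRE snippet leaves commented out."""
import socket
import ssl
from typing import Dict, List, Optional


def vulnerable_client_context() -> ssl.SSLContext:
    """The CWE-599 shape: a client context that completes the handshake
    against any certificate. CERT_NONE is OpenSSL's SSL_VERIFY_NONE;
    check_hostname must be cleared first or Python refuses the
    combination, itself a hint that the two settings belong together."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verification configured before any connection is made:
    CERT_REQUIRED (SSL_VERIFY_PEER), hostname checking (SSL_set1_host),
    a trusted root store (the system store, or `cafile` if given),
    and no pre-1.2 protocol versions."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return CWE-599-relevant findings for a client context. An empty
    list means unverified peers are rejected at handshake time; suitable
    as a unit-test assertion on every context an application constructs."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain is never enforced")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS < 1.2")
    return findings


def connect_and_verify(host: str, port: int, ctx: ssl.SSLContext) -> Dict:
    """Post-handshake check, the corrected form of the MITRE snippet.
    With a hardened context the handshake itself raises
    SSLCertVerificationError on failure; the explicit check below also
    catches a caller who passed a CERT_NONE context, because getpeercert()
    returns {} when verification did not run. That is the 'got a
    certificate, host can be trusted' trap: a presented certificate is
    not a verified one. Network call; host and port are placeholders."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            if not cert:
                raise ssl.SSLError("peer certificate was not verified")
            return cert


if __name__ == "__main__":
    for name, ctx in (("vulnerable", vulnerable_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

Running the audit over the two contexts prints the three findings for the vulnerable one and "ok" for the hardened one; wiring audit_client_context() into a test suite catches the "verification disabled" and "insecure default configuration" patterns named by the CVEs below before a release ships them.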

MITRE CWE Description
The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.
Common Consequences (3)
Confidentiality: Read Application Data
The data read may not be properly secured - it might be viewed by an attacker.
Access Control: Bypass Protection Mechanism, Gain Privileges or Assume Identity
Trust afforded to the system in question may allow for spoofing or redirection attacks.
Access Control: Gain Privileges or Assume Identity
If the certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data under the guise of a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a dif…
Mitigations (2)
Architecture and Design: Ensure that proper authentication is included in the system design.
Implementation: Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.
Examples (1)
The following OpenSSL code only ensures that the host presented a certificate; the call to SSL_get_verify_result() that would check whether that certificate is actually valid is commented out, so any certificate is trusted.

    X509 *cert;
    long foo;
    if ((cert = SSL_get_peer_certificate(ssl))) {
        // got certificate, host can be trusted
        //foo = SSL_get_verify_result(ssl);
        //if (X509_V_OK == foo) ...
    }

Bad · C
CVE ID         | Title                                                  | CVSS | Severity | Published
CVE-2026-25060 | OpenList Insecure TLS Default Configuration (OpenList) | 8.1  | High     | 2026-02-02
CVE-2025-12553 | Server Certificate Verification Disabled (BLU-IC2)     | 7.5  | -        | 2025-10-31

Vulnerabilities classified as CWE-599 (Missing Validation of OpenSSL Certificate) represent 2 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.