CWE-298: Improper Validation of Certificate Expiration

VariantDraftExploit Likelihood: Low

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

View on MITRE
Back to CWE Lookup

Extended Description

When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-298: Improper Validation of Certificate Expiration?+

CWE-298: Improper Validation of Certificate Expiration is a Common Weakness Enumeration (CWE) entry maintained by MITRE. A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age. When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.

What are the security consequences of Improper Validation of Certificate Expiration?+

If exploited, CWE-298 (Improper Validation of Certificate Expiration) it can compromise Integrity, Other and Authentication, leading to outcomes such as Other.

How do you prevent or mitigate Improper Validation of Certificate Expiration?+

Recommended mitigations for CWE-298 include: Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed. If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.

Which programming languages are affected by Improper Validation of Certificate Expiration?+

CWE-298 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-298 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More