A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
View on MITREWhen the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.
The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.
Trust afforded to the system in question - based on the expired certificate - may allow for spoofing attacks.
Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.
No detection method information available for this CWE.
The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates.
If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate.
CWE-298: Improper Validation of Certificate Expiration is a Common Weakness Enumeration (CWE) entry maintained by MITRE. A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age. When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.
If exploited, CWE-298 (Improper Validation of Certificate Expiration) it can compromise Integrity, Other and Authentication, leading to outcomes such as Other.
Recommended mitigations for CWE-298 include: Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed. If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.
CWE-298 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-298 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.