CWE-297: Improper Validation of Certificate with Host Mismatch
low-riskThe product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
Common Consequences
Detection Methods
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Set up an untrusted endpoint (e.g. a server) with which the product will connect. Create a test certificate that uses an invalid hostname but is signed by a trusted CA and provide this certificate from the untrusted endpoint. If the product performs any operations instead of disconnecting and reporting an error, then this indicates that the hostname is not being checked and the test certificate has been accepted.
When Certificate Pinning is being used in a mobile application, consider using a tool such as Spinner [REF-955]. This methodology might be extensible to other technologies.
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2018-10936 | 8.1 | 0.8% | — |
| CVE-2018-10936 | 8.1 | 0.8% | — |
| CVE-2024-37015 | 7.4 | 0.3% | — |
| CVE-2022-32153 | 8.1 | 0.3% | — |
| CVE-2020-1758 | 5.3 | 0.3% | — |
| CVE-2024-49782 | 6.8 | 0.2% | — |
| CVE-2017-2911 | 5.9 | 0.2% | — |
| CVE-2020-11050 | 9.0 | 0.2% | — |
| CVE-2021-21385 | 8.8 | 0.2% | — |
| CVE-2020-15260 | 6.8 | 0.2% | — |