BaseDraft

CWE-299Improper Check for Certificate Revocation

Category: other

Description

The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. An improper check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly malicious. The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync.

Common consequences· 3

  • Access Control — Gain Privileges or Assume Identity
    Trust may be assigned to an entity who is not who it claims to be.
  • Integrity / Other — Other
    Data from an untrusted (and possibly malicious) source may be integrated.
  • Confidentiality — Read Application Data
    Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.

Potential mitigations· 2

  • [Architecture and Design]Ensure that certificates are checked for revoked status.
  • [Implementation]If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the revoked status.

References

  1. https://cwe.mitre.org/data/definitions/299.html

(incoming)1

TypeTargetConfidenceTier
VulnerabilityCVE-2025-3085cve-2025-30850%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Missing Check for Certificate Revocation after Initial Check
CWE
Improper Validation of Certificate with Host Mismatch
CWE
Improper Certificate Validation
CWE
Improper Following of a Certificate's Chain of Trust
CWE
Improper Verification of Cryptographic Signature
CWE
Missing Validation of OpenSSL Certificate
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.