Category: Identify Actors
Draft
Summary
Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-295 | Improper Certificate Validation | The product does not validate, or incorrectly validates, a certificate. |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. |
| CWE-298 | Improper Validation of Certificate Expiration | A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age. |
| CWE-299 | Improper Check for Certificate Revocation | The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. |
| CWE-345 | Insufficient Verification of Data Authenticity | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
| CWE-346 | Origin Validation Error | The product does not properly verify that the source of data or communication is valid. |
| CWE-370 | Missing Check for Certificate Revocation after Initial Check | The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time. |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
| CWE-599 | Missing Validation of OpenSSL Certificate | The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements. |
| CWE-940 | Improper Verification of Source of a Communication Channel | The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. |
| CWE-941 | Incorrectly Specified Destination in a Communication Channel | The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor. |
| CWE-1008 | Architectural Concepts | This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.