CVEbaza.plSłownik CWECWE-298
Common Weakness Enumeration

CWE-298

Improper Validation of Certificate Expiration

Kategoria: VariantCVE: 7
Opis

Wygaśnięcie certyfikatu nie jest walidowane lub jest walidowane nieprawidłowo. Luka może pozwolić na użycie wygasłych lub nieważnych certyfikatów w komunikacji bezpieczeństwa.

Description (EN)

A certificate expiration is not validated or is incorrectly validated.

Podatności CVE z CWE-298 (7)
10.0
CVSS
CRITICAL
CVE-2025-67108

eProsima Fast-DDS v3.3 zawiera lukę polegającą na nieprawidłowej walidacji odwołania biletów/uprawnień, co prowadzi do nawiązywania niezabezpieczonych połączeń. Podatność otrzymała maksymalny wynik CVSS 10.0 i umożliwia zdalne, nieuwierzytelnione naruszenie integralności i poufności komunikacji.

pub. 2025-12-23
10.0
CVSS
CRITICAL
CVE-2025-67109

Eclipse Cyclone DDS przed wersją 0.10.5 zawiera podatność polegającą na nieprawidłowej weryfikacji znacznika czasu certyfikatu, co pozwala atakującemu ominąć sprawdzanie certyfikatów. Błąd jest krytyczny, ponieważ umożliwia wykonanie poleceń z uprawnieniami systemowymi bez żadnego uwierzytelnienia.

pub. 2025-12-23
7.1
CVSS
HIGH
CVE-2025-61736

Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires.

pub. 2025-12-17
6.5
CVSS
MEDIUM
CVE-2023-42446

Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.

pub. 2023-09-18
6.0
CVSS
MEDIUM
CVE-2025-4384

The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly. The use of a client certificate reduces the risk for random devices to take advantage of this flaw.

pub. 2025-05-06
5.5
CVSS
MEDIUM
CVE-2025-59036

Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5, a bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. This issue is fixed in versions 1.3.9 and 1.4.5. As a workaround, users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.

pub. 2025-09-09
4.8
CVSS
MEDIUM
CVE-2024-1248

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.

pub. 2026-07-04
Informacje
ID: CWE-298
Typ: Variant
Podatności: 7
MITRE CWE ↗
← Słownik CWE