CWE-298

Improper Validation of Certificate Expiration

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

CVE-2023-42446 (GCVE-0-2023-42446)
Vulnerability from cvelistv5
Published
2023-09-18 21:29
Modified
2024-09-24 18:11
CWE
  • CWE-298 - Improper Validation of Certificate Expiration
Summary
Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session's remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated.
Impacted products
Vendor Product Version
pow-auth pow Version: >= 1.0.14, < 1.0.34
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:38.521Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/pow-auth/pow/security/advisories/GHSA-3cjh-p6pw-jhv9",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pow-auth/pow/security/advisories/GHSA-3cjh-p6pw-jhv9"
          },
          {
            "name": "https://github.com/pow-auth/pow/issues/713",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pow-auth/pow/issues/713"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-42446",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-24T18:00:47.957433Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T18:11:16.178Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pow",
          "vendor": "pow-auth",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.14, \u003c 1.0.34"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pow is a authentication and user management solution for Phoenix and Plug-based apps. Starting in version 1.0.14 and prior to version 1.0.34, use of `Pow.Store.Backend.MnesiaCache` is susceptible to session hijacking as expired keys are not being invalidated correctly on startup. A session may expire when all `Pow.Store.Backend.MnesiaCache` instances have been shut down for a period that is longer than a session\u0027s remaining TTL. Version 1.0.34 contains a patch for this issue. As a workaround, expired keys, including all expired sessions, can be manually invalidated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-298",
              "description": "CWE-298: Improper Validation of Certificate Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-18T21:29:22.133Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pow-auth/pow/security/advisories/GHSA-3cjh-p6pw-jhv9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pow-auth/pow/security/advisories/GHSA-3cjh-p6pw-jhv9"
        },
        {
          "name": "https://github.com/pow-auth/pow/issues/713",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pow-auth/pow/issues/713"
        }
      ],
      "source": {
        "advisory": "GHSA-3cjh-p6pw-jhv9",
        "discovery": "UNKNOWN"
      },
      "title": "Pow Mnesia cache doesn\u0027t invalidate all expired keys on startup"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-42446",
    "datePublished": "2023-09-18T21:29:22.133Z",
    "dateReserved": "2023-09-08T20:57:45.572Z",
    "dateUpdated": "2024-09-24T18:11:16.178Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4384 (GCVE-0-2025-4384)
Vulnerability from cvelistv5
Published
2025-05-06 15:59
Modified
2025-05-15 20:20
CWE
  • CWE-298 - Improper Validation of Certificate Expiration
Summary
The MQTT add-on of PcVue fails to verify that a remote device’s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly. The use of a client certificate reduces the risk for random devices to take advantage of this flaw.
References
Impacted products
Vendor Product Version
arcinfo PcVue Version: 16.0
Version: 15.0
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4384",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T19:28:43.088933Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T19:28:57.621Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "MQTT add-on"
          ],
          "product": "PcVue",
          "vendor": "arcinfo",
          "versions": [
            {
              "status": "unaffected",
              "version": "16.3.0",
              "versionType": "cpe"
            },
            {
              "lessThan": "16.2.5",
              "status": "affected",
              "version": "16.0",
              "versionType": "cpe"
            },
            {
              "status": "affected",
              "version": "15.0",
              "versionType": "cpe"
            }
          ]
        }
      ],
      "datePublic": "2025-05-05T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The MQTT add-on of PcVue fails to verify that a remote device\u2019s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly.\u003cbr\u003e\u003cbr\u003eThe use of a client certificate reduces the risk for random devices to take advantage of this flaw.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "The MQTT add-on of PcVue fails to verify that a remote device\u2019s certificate has not already expired or has not yet become valid. This allows malicious devices to present certificates that are not rejected properly.\n\nThe use of a client certificate reduces the risk for random devices to take advantage of this flaw."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "No POC available."
            }
          ],
          "value": "No POC available."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Not known to be exploited."
            }
          ],
          "value": "Not known to be exploited."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/RE:M/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-298",
              "description": "CWE-298 Improper Validation of Certificate Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-15T20:20:48.205Z",
        "orgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
        "shortName": "arcinfo"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.pcvue.com/security/#SB2025-3"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cb\u003e\u003cu\u003eHarden the configuration\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eWho should apply this recommendation: All users\u003cbr\u003eThe system operators are highly recommended to take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\u003cbr\u003e\u003cul\u003e\u003cli\u003eUse client certificate when configuring the MQTT add-on.\u003c/li\u003e\u003cli\u003eMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet unless required.\u003c/li\u003e\u003cli\u003eLocate control system networks and remote devices behind firewalls and isolate them from business networks.\u003c/li\u003e\u003cli\u003eWhen remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e\u003cb\u003e\u003cu\u003eUpdate PcVue\u003c/u\u003e\u003c/b\u003e\u003cbr\u003eWho should apply this recommendation: All users using the affected component\u003cbr\u003eApply the patch by installing a fixed PcVue version.\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cu\u003e\u003cb\u003eAvailable patches:\u003c/b\u003e\u003c/u\u003e\u003cbr\u003eFixed in:\u003cbr\u003e\u003cul\u003e\u003cli\u003ePcVue 16.2.5 and PcVue 16.3.0\u003c/li\u003e\u003c/ul\u003ePlanned in:\u003cul\u003e\u003cli\u003ePcVue 15.2.12\u003c/li\u003e\u003c/ul\u003e\u003cbr\u003e"
            }
          ],
          "value": "Harden the configuration\nWho should apply this recommendation: All users\nThe system operators are highly recommended to take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n  *  Use client certificate when configuring the MQTT add-on.\n  *  Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet unless required.\n  *  Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n  *  When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\n\n\nUpdate PcVue\nWho should apply this recommendation: All users using the affected component\nApply the patch by installing a fixed PcVue version.\n\n\nAvailable patches:\nFixed in:\n  *  PcVue 16.2.5 and PcVue 16.3.0\n\n\nPlanned in:  *  PcVue 15.2.12"
        }
      ],
      "source": {
        "advisory": "SB2025-3",
        "discovery": "INTERNAL"
      },
      "title": "Certificate validity not properly verified",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932",
    "assignerShortName": "arcinfo",
    "cveId": "CVE-2025-4384",
    "datePublished": "2025-05-06T15:59:27.839Z",
    "dateReserved": "2025-05-06T15:02:58.174Z",
    "dateUpdated": "2025-05-15T20:20:48.205Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation

Phase: Architecture and Design

Description:

  • Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.
Mitigation

Phase: Implementation

Description:

  • If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page