Re: [EXT] Question regarding CWE-295 and its (missing) relationships
Categories by definition are just collections of CWEs that share a common characteristic. They don't reflect hierarchies. In the "Research Concepts" (CWE-1000) view you will find that CWE-295 is a "parent of" CWEs 296-299. Also, in the research view, CWE-295 is a parent of CWE-599.
From: Coles, Matthew
Sent: Thursday, July 25, 2019 4:32 PM
To: [hidden email]
Subject: [EXT] Question regarding CWE-295 and its (missing) relationships
I’d like to raise a potential hierarchy issue with a couple of CWEs. If this has been reported previously, my apologies for the duplication.
Recently I was trying to locate the correct CWE for “failing to validate a TLS certificate”. In the CWE search box, I entered “failure to validate” and found the top items related to certificates.
First I found these:
CWE-296: Improper Following of a Certificate's Chain of Trust
CWE-297: Improper Validation of Certificate with Host Mismatch
CWE-298: Improper Validation of Certificate Expiration
CWE-299: Improper Check for Certificate Revocation
Which are in Category: CWE-948 CWE CATEGORY: SFP Secondary Cluster: Digital Certificate
Also in this Category is the very specialized CWE-599: Missing Validation of OpenSSL Certificate
Later, I found CWE-295 Improper Certificate Validation, which probably should be the parent to CWE-296, 297, 298, and 299, and potentially should be part of CWE-948 (but it is not).
Is CWE-599 really special or should it be considered a duplicate of CWE-295?
Thanks in advance for your thoughts,
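As an added illustration (not part of either message above), the following Python shows how two of the child weaknesses under CWE-295 map to concrete checks on a parsed peer certificate: host mismatch (CWE-297) and expiration (CWE-298). The certificate dict, hostnames and clock values are constructed; chain-of-trust (CWE-296) and revocation (CWE-299) are deliberately not implemented because they need issuer and CRL/OCSP data that a lone leaf certificate does not carry.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# this is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
# Constructed "current time" values for the demonstration.
VALID_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
EXPIRED_NOW = ssl.cert_time_to_seconds("Mar  1 00:00:00 2025 GMT")


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: a leading '*' may cover only the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, sep, tail = hostname.partition(".")
        # the wildcard must not swallow a dot, so only one label may precede the suffix
        return bool(sep) and head != "" and tail == pattern[2:]
    return pattern == hostname


def certificate_findings(cert, hostname, now=None):
    """Return the CWE-295 child ids that `cert` fails for `hostname` at time `now`.

    CWE-297: no SAN DNS entry (or CN, if no SAN is present) matches the hostname.
    CWE-298: `now` lies outside the notBefore..notAfter validity window.
    """
    now = time.time() if now is None else now
    findings = []

    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the CN only when the cert carries no SAN DNS names
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_dns_name_matches(n, hostname) for n in names):
        findings.append("CWE-297")

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        findings.append("CWE-298")
    return findings
```

Disabling verification outright (e.g. `CERT_NONE` with `check_hostname=False`) would suppress all of these checks at once, which is why the parent CWE-295 is the right label for that case and the children for a single omitted check.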