SYM_CS_0037 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Certificate Validation
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-295: Improper Certificate Validation |
| OWASP | A03:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Validating X.509 certificates by comparing the subject name string is insecure, as subject names can be spoofed or manipulated. Instead, certificate validation should use built-in methods like X509Certificate2.Verify() to ensure authenticity.
Impact
If certificates are validated only by subject name, an attacker can present a forged certificate with a matching name to impersonate a trusted party. This can lead to unauthorized access and sensitive data exposure, and it undermines the application's trust and authentication mechanisms.
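The pattern this entry describes, shown as an added example that is not code from the Symbiotic database: a custom `HttpClientHandler` validation callback that string-compares the subject name (the weak form), beside a callback that relies on the framework's policy errors and `X509Certificate2.Verify()`, plus the same chain check applied to a certificate loaded from disk. The host name `api.example.com` and the file path are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Constructed example (not from the Symbiotic database): the weak subject-name
// check beside a validator that relies on the framework's chain validation.
public static class CertificateValidation
{
    // Hypothetical service name; replace with the host the client actually talks to.
    private const string ExpectedHost = "api.example.com";

    // VULNERABLE (CWE-295): accepts any certificate whose subject text matches.
    // The subject is chosen by whoever requested the certificate, so an
    // untrusted or self-signed certificate carrying "CN=api.example.com" passes,
    // and the SslPolicyErrors reported by the TLS stack (chain errors, name
    // mismatch) are never consulted.
    public static bool ValidateBySubjectName(
        HttpRequestMessage request, X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        return cert != null && cert.Subject.Contains("CN=" + ExpectedHost);
    }

    // HARDENED: accept only when the TLS stack found no policy errors and the
    // certificate chains to a trusted root. Host-name matching is done by the
    // TLS stack and surfaces as SslPolicyErrors.RemoteCertificateNameMismatch,
    // so the errors check covers it; Verify() covers the chain and validity period.
    public static bool ValidateWithChain(
        HttpRequestMessage request, X509Certificate2 cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null || errors != SslPolicyErrors.None)
            return false;

        return cert.Verify();
    }

    // Same principle for a certificate obtained outside a TLS handshake, e.g. a
    // signing certificate read from disk (the path is a placeholder). An explicit
    // X509Chain gives control over revocation checking; Build() returns false for
    // self-signed, expired or revoked certificates.
    public static bool IsTrustedCertificate(string certificatePath)
    {
        using var cert = new X509Certificate2(certificatePath);
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        return chain.Build(cert);
    }

    public static void Main()
    {
        // Wire the hardened callback into HttpClient. Leaving the callback unset
        // (framework default validation) is equally acceptable; a custom callback
        // is only needed when adding checks on top of chain validation.
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidateWithChain
        };
        using var client = new HttpClient(handler);
        Console.WriteLine("HttpClient will reject certificates that do not chain to a trusted root.");
    }
}
```

Note that `X509Certificate2.Verify()` validates the chain and validity period but does not compare the certificate to a host name; inside a TLS callback that comparison is already done by the stack and reported through the `SslPolicyErrors` argument, which is why the hardened callback rejects anything other than `SslPolicyErrors.None` before calling `Verify()`.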