CWE-324: Use of a Key Past its Expiration Date
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
Extended Description
While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength.
Common Consequences
Scope: Access Control
Technical Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity
Note: The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim.
Potential Mitigations
Phase: Architecture and Design
Description: Adequate consideration should be put into the user interface in order to notify users prior to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.
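The following is an added example, not part of the CWE entry: a minimal sketch of enforcing expiry at the point of key use while surfacing an "expiring" state early enough for the interface to prompt rotation. The names `KeyRecord`, `key_state`, `sign`, `verify`, the 14-day warning window and the sample key are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

class KeyState(Enum):
    VALID = "valid"
    EXPIRING = "expiring"  # still usable; the UI should prompt for rotation
    EXPIRED = "expired"    # must not be used for any operation

class KeyExpiredError(Exception):
    pass

@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    secret: bytes
    not_after: datetime    # timezone-aware expiry instant

WARN_WINDOW = timedelta(days=14)  # assumed notification lead time

def key_state(rec: KeyRecord, now: datetime) -> KeyState:
    # Reject naive timestamps so a local-time/UTC mix-up cannot extend a key's life.
    if rec.not_after.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    if now >= rec.not_after:
        return KeyState.EXPIRED
    if rec.not_after - now <= WARN_WINDOW:
        return KeyState.EXPIRING
    return KeyState.VALID

def sign(rec: KeyRecord, message: bytes, now: datetime):
    """Return (tag, state). The caller shows a rotation prompt on EXPIRING."""
    state = key_state(rec, now)
    if state is KeyState.EXPIRED:
        raise KeyExpiredError(f"key {rec.key_id} expired {rec.not_after.isoformat()}")
    return hmac.new(rec.secret, message, hashlib.sha256).digest(), state

def verify(rec: KeyRecord, message: bytes, tag: bytes, now: datetime) -> bool:
    """Fail closed: nothing is accepted under an expired key, even a correct tag."""
    if key_state(rec, now) is KeyState.EXPIRED:
        return False
    expected = hmac.new(rec.secret, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)

# Constructed sample key record (not a real credential).
SAMPLE = KeyRecord("k-2024-01", b"constructed-demo-secret",
                   datetime(2025, 1, 1, tzinfo=timezone.utc))
```

The expiry check sits inside `sign` and `verify` rather than in a separate scheduled job, so a missed rotation results in a refused operation instead of silent continued use.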
Observed Examples
Reference: CVE-2021-33020
Picture Archiving and Communication System (PACS) system for hospitals uses a cryptographic key or password past its expiration date
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Applicable Platforms
Programming Languages
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| CLASP | - | Using a key past its expiration date | - |