CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product modifies the SSL context after connection creation has begun.
扩展描述
If the program modifies the SSL_CTX object after creating SSL objects from it, there is the possibility that older SSL objects created from the original context could all be affected by that change.
常见后果
影响范围: Access Control
技术影响: Bypass Protection Mechanism
说明: No authentication takes place in this process, bypassing an assumed protection of encryption.
影响范围: Confidentiality
技术影响: Read Application Data
说明: The encrypted communication between a user and a trusted host may be subject to a sniffing attack.
潜在缓解措施
阶段: Architecture and Design
描述: Use a language or a library that provides a cryptography framework at a higher level of abstraction.
阶段: Implementation
描述: Most SSL_CTX functions have SSL counterparts that act on SSL-type objects.
阶段: Implementation
描述: Applications should set up an SSL_CTX completely, before creating SSL objects from it.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |