Live Active security incident? Get immediate response
CWE Reference

CWE-324: Use of a Key Past its Expiration Date

Official CWE-324 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.

Release 4.20weaknessDraft
Search CWE CWE Dictionary

Glexia's Take

CWE-324: Use of a Key Past its Expiration Date

Use of a Key Past its Expiration Date represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Executive Impact

  • Access Control: Bypass Protection Mechanism,Gain Privileges or Assume Identity: The cryptographic key in question may be compromised, providing a malicious user with a method for authenticating as the victim.

Developer Pattern

CWE-324 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.

Confidence

high confidence from CWE-324, 4.20.

Official CWE Definition

CWE-324: Use of a Key Past its Expiration Date

The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.

While the expiration of keys does not necessarily ensure that they are compromised, it is a significant concern that keys which remain in use for prolonged periods of time have a decreasing probability of integrity. For this reason, it is important to replace keys within a period of time proportional to their strength.

Type
weakness
Abstraction
Base
Status
Draft
Source
MITRE CWE definition

Developer And Remediation Guidance

How teams prevent and detect this weakness

Causes

  • The following code attempts to verify that a certificate is valid. The code checks if the certificate is not yet valid, but it fails to check if a certificate is past its expiration date, thus treating expired certificates as valid.

Remediation

  • Architecture and Design: Adequate consideration should be put in to the user interface in order to notify users previous to the key's expiration, to explain the importance of new key generation and to walk users through the process as painlessly as possible.

Detection

  • Code review
  • SAST
  • DAST
  • Focused regression tests

Mappings

Related CVEs, CWEs, and ATT&CK context

Related CWEs

Related CVEs

Related CVE mappings appear after CVE records are cross-indexed.

Open CWE CVE mapping

ATT&CK Relevance

ATT&CK relevance is shown only when reviewed or responsibly inferred.