CWE-295

A Go framework for robotics, drones, and IoT devices skips verification of root CA certificates by default.

Chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). The code's whitespace indentation did not reflect the actual control flow (CWE-1114) and did not explicitly delimit the block (CWE-483), which could have made it more difficult for human code auditors to detect the vulnerability.

Chain: router's firmware update procedure uses curl with "-k" (insecure) option that disables certificate validation (CWE-295), allowing adversary-in-the-middle (AITM) compromise with a malicious firmware image (CWE-494).

Verification function trusts certificate chains in which the last certificate is self-signed.

Web browser uses a TLS-related function incorrectly, preventing it from verifying that a server's certificate is signed by a trusted certification authority (CA)

Web browser does not check if any intermediate certificates are revoked.

Operating system does not check Certificate Revocation List (CRL) in some cases, allowing spoofing using a revoked certificate.

Mobile banking application does not verify hostname, leading to financial loss.

Cloud-support library written in Python uses incorrect regular expression when matching hostname.

Web browser does not correctly handle '\0' character (NUL) in Common Name, allowing spoofing of https sites.