Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true. Likelihood: MEDIUM Confidence: MEDIUM CWE: - CWE-347: Improper Verification of Cryptographic Signature
OWASP: - A02:2021 - Cryptographic Failures
X509Certificate2-privkey
X509Certificate2.PrivateKey is obsolete. Use a method such as GetRSAPrivateKey() or GetECDsaPrivateKey(). Alternatively, use the CopyWithPrivateKey() method to create a new instance with a private key. Further, if you set X509Certificate2.PrivateKey to null or set it to another key without deleting it first, the private key will be left on disk. Likelihood: LOW Confidence: LOW CWE: - CWE-310: CWE CATEGORY: Cryptographic Issues
OWASP: - A02:2021 - Cryptographic Failures
X509-subject-name-validation
Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead. Likelihood: LOW Confidence: MEDIUM CWE: - CWE-295: Improper Certificate Validation
OWASP: - A03:2017 - Sensitive Data Exposure
- A07:2021 - Identification and Authentication Failures