OWASP / Top10

Official OWASP Top 10 Document Repository

Misleading description in A02:2021, should be moved to A07:2021 #724

Open kwwall opened 2 years ago

kwwall commented 2 years ago

In A02:2021 - Cryptographic Failures, under the Description section, it states:

I believe that this statement is in the wrong OT10 item and should be (re)moved.

If you look at the corresponding CWE, this is primarily a case of CWE-296: Improper Following of a Certificate's Chain of Trust. It has little, if anything, to do with a cryptographic failure, but rather it is an authentication failure as CWE-296 makes obvious if you follow the CWE chain to its parent CWE-295.

I believe (and I think MITRE would agree) that this bullet item that I referenced is an authentication failure. Specifically, it is a failure of properly authenticating the host you are intending to connect to over a TLS connection. Indeed, I believe a better fit for this statement would be to move it to A07:2021.