The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.