
CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class (362 CVEs)

362 vulnerabilities are classified as CWE-347 (Improper Verification of Cryptographic Signature). AI-generated Chinese-language analysis is included on the individual CVE pages.

CWE-347 is an integrity weakness: the product does not verify, or incorrectly verifies, the cryptographic signature attached to data or code. Exploitation rarely requires breaking the cryptography itself. The attacker supplies content whose signature is missing, forged, or computed under an algorithm or key that the attacker controls (for example a token whose header selects "alg": "none", a message re-signed with HMAC using the server's public key as the secret, or a firmware image whose signature is parsed but never checked), and the product accepts it as authentic, executes it, or trusts the claims it carries. The consequences range from privilege escalation and identity assumption to arbitrary code execution. To prevent this weakness, verify every signature before any use of the signed content, so that any alteration, even a single bit change, is detected and rejected; fix the expected algorithm and the trusted verification key in server-side configuration rather than taking either from the message being verified; treat an absent or empty signature as a verification failure, not as "nothing to check"; compare MAC values in constant time; and prefer well-reviewed cryptographic libraries with sound key management over custom implementations.
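The token-verification variant of this weakness, which is the pattern named in several of the JWT entries in the table below (algorithm confusion, an untrusted header.alg fallback, unsigned tokens), can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not code from the page or from any project listed on it. It assumes a demonstration key pair generated deterministically at an insecure size, and it uses textbook RSA over a SHA-256 digest in place of RS256 (that is not PKCS#1 v1.5 and must not be reused); the tokens, claims and "PEM-like" key serialization are all constructed for the demo. The vulnerable verifier lets the token header choose the algorithm and feeds the same server-side key blob to whichever algorithm is named, so an attacker holding only the public key forges an HS256 token with the public-key bytes as the HMAC secret, or simply sends "alg": "none". The fixed verifier pins the algorithm and rejects empty signatures.

```python
# Added example, not from the page or any project listed on it.  Textbook RSA
# on a SHA-256 digest stands in for RS256 (it is not PKCS#1 v1.5; demo only).
import base64, hashlib, hmac, json, math, random

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; every caller passes an odd n > 3."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_rsa_keypair(seed=1, bits=256):
    """Deterministic demo key (far too small for real use). Returns (n, e), (n, d)."""
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def public_key_pem_like(pub):
    """Public key as the server stores it and as an attacker can obtain it (constructed format)."""
    return ("-----BEGIN PUBLIC KEY-----\n%x:%x\n-----END PUBLIC KEY-----\n" % pub).encode()

def _parse_pem_like(pem):
    n, e = pem.decode().splitlines()[1].split(":")
    return int(n, 16), int(e, 16)

def _digest_int(signing_input):
    return int.from_bytes(hashlib.sha256(signing_input).digest(), "big")

def sign(alg, key, signing_input):
    """key: bytes for HS256, (n, d) for RS256, ignored for 'none'."""
    if alg == "HS256":
        return hmac.new(key, signing_input, hashlib.sha256).digest()
    if alg == "RS256":
        n, d = key
        return pow(_digest_int(signing_input), d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    if alg == "none":
        return b""
    raise ValueError("unsupported alg: %r" % alg)

def verify_signature(alg, key, signing_input, sig):
    if alg == "HS256":
        return hmac.compare_digest(sign("HS256", key, signing_input), sig)
    if alg == "RS256":
        n, e = key
        return pow(int.from_bytes(sig, "big"), e, n) == _digest_int(signing_input)
    return False

def encode(claims, alg, key):
    h = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    return ".".join([h, p, _b64url(sign(alg, key, (h + "." + p).encode()))])

def _split(token):
    h, p, s = token.split(".")
    return json.loads(_unb64url(h)), json.loads(_unb64url(p)), (h + "." + p).encode(), _unb64url(s)

def verify_vulnerable(token, key_material):
    """CWE-347 pattern: the token header picks the algorithm, 'none' disables
    verification, and one server-side key blob is fed to whichever algorithm
    the token names (public-key bytes become the HMAC secret for HS256)."""
    header, claims, signing_input, sig = _split(token)
    alg = header.get("alg")
    if alg == "none":
        return claims
    key = key_material if alg == "HS256" else _parse_pem_like(key_material)
    return claims if verify_signature(alg, key, signing_input, sig) else None

def verify_fixed(token, key_material, expected_alg="RS256"):
    """Algorithm pinned by server configuration; unsigned tokens rejected."""
    header, claims, signing_input, sig = _split(token)
    if expected_alg == "none" or header.get("alg") != expected_alg or not sig:
        return None
    key = key_material if expected_alg == "HS256" else _parse_pem_like(key_material)
    return claims if verify_signature(expected_alg, key, signing_input, sig) else None

def demo():
    pub, priv = make_rsa_keypair()
    pem = public_key_pem_like(pub)          # the only thing the attacker holds
    legit = encode({"sub": "alice", "admin": False}, "RS256", priv)
    forged_hs = encode({"sub": "alice", "admin": True}, "HS256", pem)
    forged_none = encode({"sub": "alice", "admin": True}, "none", None)
    return {
        "vulnerable": [verify_vulnerable(t, pem) for t in (legit, forged_hs, forged_none)],
        "fixed": [verify_fixed(t, pem) for t in (legit, forged_hs, forged_none)],
    }
```

Calling demo() returns, for the vulnerable verifier, the legitimate claims followed by two forged admin claim sets that were accepted; the fixed verifier returns the legitimate claims and None for both forgeries. The design point is that verify_fixed takes the algorithm as a server-side parameter and never consults header.alg except to confirm it matches; the same discipline applies to key selection (a "kid" or embedded JWK should select among pre-configured trusted keys, never supply one).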

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity; Modify Application Data; Execute Unauthorized Code or Commands
Note: An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file (MITRE demonstrative example, marked Bad · Java; imports added here so the fragment compiles in context):

```java
import java.io.File;
import java.util.jar.JarFile;

// downloadedFilePath points at content fetched from an untrusted source.
File f = new File(downloadedFilePath);
JarFile jf = new JarFile(f);
```

Two practical caveats apply to JAR verification beyond the constructor choice (the overload JarFile(File file, boolean verify) makes the decision explicit). First, JarFile only verifies entries that carry a signature and only raises a SecurityException on a digest mismatch while the entry's stream is being read, so a signed JAR to which an unsigned entry has been added is not rejected. Second, the signer of an entry is only available after the entry has been read to the end: code that trusts the archive must read each entry fully and then check JarEntry.getCodeSigners() (null for unsigned entries) against the expected signer certificates, rather than treating successful construction of the JarFile as proof of authenticity.
Listed entries (sorted by publication date, most recent first). "(AI)" marks a score or severity the page labels as AI-generated rather than taken from an official record; "-" means no severity was given.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-23518 | Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment | fleet | 9.4 (AI) | Critical (AI) | 2026-01-21 |
| CVE-2025-36418 | Multiple vulnerabilities found in IBM ApplinX | ApplinX | 7.3 | High | 2026-01-20 |
| CVE-2025-12007 | Supermicro BMC firmware update validation bypass | X13SEM-F | 6.2 | - | 2026-01-16 |
| CVE-2025-12006 | Supermicro BMC firmware update validation bypass | X12STW-F | 7.2 | High | 2026-01-16 |
| CVE-2026-22817 | JWT Algorithm Confusion via Unsafe Default (HS256) in Hono JWT Middleware Allows Token Forgery and Auth Bypass | hono | 8.2 | High | 2026-01-13 |
| CVE-2026-22818 | JWT algorithm confusion in Hono JWK Auth Middleware when JWK lacks "alg" (untrusted header.alg fallback) | hono | 8.2 | High | 2026-01-13 |
| CVE-2025-68925 | Jervis has a JWT Algorithm Confusion Vulnerability | jervis | 9.8 (AI) | Critical (AI) | 2026-01-13 |
| CVE-2026-20965 | Windows Admin Center Elevation of Privilege Vulnerability | Windows Admin Center in Azure Portal | 7.5 | High | 2026-01-13 |
| CVE-2025-68972 | GnuPG data forgery vulnerability | GnuPG | 5.9 | Medium | 2025-12-27 |
| CVE-2023-53951 | Ever Gauzy v0.281.9 JWT Authentication Weakness via HMAC Secret | ever gauzy | 9.8 | Critical | 2025-12-19 |
| CVE-2025-64786 | Acrobat Reader: Improper Verification of Cryptographic Signature (CWE-347) | Acrobat Reader | 3.3 | Low | 2025-12-09 |
| CVE-2025-64787 | Acrobat Reader: Improper Verification of Cryptographic Signature (CWE-347) | Acrobat Reader | 3.3 | Low | 2025-12-09 |
| CVE-2025-59718 | Multiple Fortinet products: data forgery vulnerability | FortiSwitchManager | 9.1 | Critical | 2025-12-09 |
| CVE-2025-59719 | Fortinet FortiWeb data forgery vulnerability | FortiWeb | 9.1 | Critical | 2025-12-09 |
| CVE-2025-13662 | Ivanti Endpoint Manager data forgery vulnerability | Endpoint Manager | 7.8 | High | 2025-12-09 |
| CVE-2025-66568 | ruby-saml Libxml2 Canonicalization errors can bypass Digest/Signature validation | ruby-saml | 7.4 (AI) | High (AI) | 2025-12-09 |
| CVE-2025-66567 | ruby-saml has a SAML authentication bypass due to namespace handling (parser differential) | ruby-saml | 9.1 (AI) | Critical (AI) | 2025-12-09 |
| CVE-2025-65945 | auth0/node-jws improper HMAC signature verification vulnerability | node-jws | 7.5 | High | 2025-12-04 |
| CVE-2025-40934 | XML-Sig prior to 0.68 for Perl improperly validates XML without signatures | XML::Sig | 7.5 (AI) | High (AI) | 2025-11-26 |
| CVE-2025-34324 | GoSign Desktop < 2.4.1 Insecure Update Mechanism RCE | GoSign Desktop | 7.5 (AI) | High (AI) | 2025-11-18 |
| CVE-2025-64740 | Zoom Workplace VDI Client for Windows: Improper Verification of Cryptographic Signature | Zoom Workplace VDI Client | 7.5 | High | 2025-11-13 |
| CVE-2025-64186 | Evervault Go SDK: Incomplete PCR Validation in Enclave Attestation for non-Evervault hosted Enclaves | evervault-go | 8.7 | High | 2025-11-12 |
| CVE-2025-64456 | JetBrains ReSharper data forgery vulnerability | ReSharper | 8.4 | High | 2025-11-10 |
| CVE-2025-54549 | Cryptographic validation of upgrade images could be circumvented by dropping a specifically crafted file into the upgrade ISO | DANZ Monitoring Fabric | 5.9 | Medium | 2025-10-29 |
| CVE-2025-58356 | Constellation allows insecure use of LUKS2 persistent storage partitions | constellation | 6.5 (AI) | Medium (AI) | 2025-10-27 |
| CVE-2025-12295 | D-Link DAP-2695 Firmware Update sub_40C6B8 signature verification | DAP-2695 | 6.6 | Medium | 2025-10-27 |
| CVE-2025-34503 | Shuffle Master Deck Mate 1 Unauthenticated EEPROM Firmware Execution | Deck Mate 1 | 6.8 | - | 2025-10-24 |
| CVE-2025-55039 | Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks | Apache Spark | 5.9 (AI) | Medium (AI) | 2025-10-15 |
| CVE-2025-59288 | Playwright Spoofing Vulnerability | microsoft/playwright | 5.3 | Medium | 2025-10-14 |
| CVE-2025-46774 | Fortinet FortiClient macOS installer data forgery vulnerability | FortiClientMac | 6.8 | High | 2025-10-14 |

In total, 362 CVEs are classified as CWE-347 (Improper Verification of Cryptographic Signature). The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.