CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class (362 CVEs)

362 vulnerabilities are classified as CWE-347 (Improper Verification of Cryptographic Signature).

CWE-347 is an integrity weakness: the software does not verify, or incorrectly verifies, a cryptographic signature attached to data or code, so it cannot tell genuine content from substituted or tampered content. An attacker typically intercepts a download or update, or modifies a stored file, and replaces legitimate content with a payload that is unsigned, signed with a key the application should not trust, or carries a signature that is never actually checked. Because the application accepts the input as authentic, it executes attacker-controlled code or processes corrupted data, which can end in full system compromise or data loss. To prevent it, verify every incoming or processed item against its signature using a public key from a trusted store, not a key or certificate carried inside the data being verified, and fail closed: a missing, malformed or non-matching signature is a rejection, never a skipped check. Done correctly, any alteration, even a single bit flip, is detected and rejected. Sound key management and the use of well-reviewed cryptographic libraries rather than custom implementations further reduce the risk of signature forgery and tampering.
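
The fail-closed rule above, shown as an added example in Java; this is not code from this page or from any project it lists. The key pair is generated in-process so the example runs offline; in practice the public key is pinned or loaded from a trusted store. The class name StrictVerify, the helper names and the sample message are assumptions made for this example:

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

// Added example: strict (correct) versus lenient (CWE-347) signature checking.
public final class StrictVerify {

    private static final String ALG = "SHA256withECDSA";

    /** Signs data with the holder's private key; used here only to build sample inputs. */
    static byte[] sign(PrivateKey priv, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(priv);
        s.update(data);
        return s.sign();
    }

    /**
     * Correct verifier: true only for a well-formed signature over exactly these
     * bytes under the trusted public key. A missing or malformed signature is a
     * rejection. Misconfiguration (unknown algorithm, wrong key type) still
     * propagates, so an operator sees it instead of a silent "false".
     */
    static boolean strictVerify(PublicKey trusted, byte[] data, byte[] sig) throws GeneralSecurityException {
        if (sig == null || sig.length == 0) {
            return false;
        }
        Signature v = Signature.getInstance(ALG);
        v.initVerify(trusted);
        try {
            v.update(data);
            return v.verify(sig);
        } catch (SignatureException malformed) {
            return false; // garbage where a signature should be is not a pass
        }
    }

    /** The CWE-347 anti-pattern: "no signature present" is treated as "nothing to check". */
    static boolean lenientVerify(PublicKey trusted, byte[] data, byte[] sig) throws GeneralSecurityException {
        if (sig == null || sig.length == 0) {
            return true; // accepts unsigned input as authentic
        }
        return strictVerify(trusted, data, sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256); // P-256
        KeyPair trustedPair = kpg.generateKeyPair();
        KeyPair attackerPair = kpg.generateKeyPair(); // a key the verifier must not trust
        PublicKey trusted = trustedPair.getPublic();

        // constructed sample message: one line of an update manifest (assumption for this example)
        byte[] genuine = "release=1.4.2 url=https://example.invalid/app.jar".getBytes(StandardCharsets.UTF_8);
        byte[] genuineSig = sign(trustedPair.getPrivate(), genuine);

        byte[] tampered = genuine.clone();
        tampered[0] ^= 0x01; // flip a single bit

        byte[] forgedSig = sign(attackerPair.getPrivate(), tampered);

        System.out.println("genuine, genuine signature:       " + strictVerify(trusted, genuine, genuineSig));
        System.out.println("one bit flipped, old signature:   " + strictVerify(trusted, tampered, genuineSig));
        System.out.println("tampered, attacker signature:     " + strictVerify(trusted, tampered, forgedSig));
        System.out.println("tampered, no signature (strict):  " + strictVerify(trusted, tampered, null));
        System.out.println("tampered, no signature (lenient): " + lenientVerify(trusted, tampered, null));
    }
}
```

strictVerify accepts only the genuine message under the genuine key; the single-bit flip, the attacker-signed copy and the unsigned copy are all rejected. lenientVerify waves the unsigned copy through, which is exactly the CWE-347 condition. Note the split in error handling: a malformed signature becomes a plain rejection, while an unusable key or algorithm still raises, because silently returning false there would hide a deployment bug.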

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity; Modify Application Data; Execute Unauthorized Code or Commands
Note: An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file. The archive may have come from an untrusted source, yet its entries are used without any check that they carry a valid signature from a trusted signer.

Bad · Java

    // Vulnerable as presented by the CWE entry: the downloaded JAR is opened but never verified.
    File f = new File(downloadedFilePath);
    JarFile jf = new JarFile(f);
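
A verification routine for the same scenario, added here as an example rather than code from the CWE entry or any project. It pins one trusted signer certificate (the default path trusted-signer.cer and the class name SignedJarCheck are assumptions), opens the archive with verification enabled, reads every entry so JarFile's lazy digest check actually runs, and rejects any entry that is unsigned or signed by anyone else. The verified handle is returned and used directly, so there is no window to swap the file between check and use:

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: open a downloaded JAR only after every entry is verified against a pinned signer.
public final class SignedJarCheck {

    /** Loads the single trusted signer certificate (X.509, DER or PEM) that we pin to. */
    static X509Certificate loadTrustedSigner(String path) throws IOException, GeneralSecurityException {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** The manifest and signature files are what the signature is made of, not what it signs. */
    static boolean isSignatureMetadata(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase(Locale.ROOT);
        return upper.equals("META-INF/MANIFEST.MF") || upper.endsWith(".SF")
            || upper.endsWith(".RSA") || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    /** True if at least one signer's leaf certificate is exactly the pinned certificate. */
    static boolean signedByTrusted(CodeSigner[] signers, X509Certificate trusted) {
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0); // leaf comes first
            if (leaf.equals(trusted)) return true;
        }
        return false;
    }

    /**
     * Returns an open JarFile only if every content entry passed its digest check and
     * was signed by the pinned certificate; throws SecurityException otherwise.
     * JarFile verifies lazily: an entry's signers are known only after its bytes have
     * been read through getInputStream(), so each entry is drained first.
     */
    static JarFile openVerified(File jar, X509Certificate trusted) throws IOException {
        JarFile jf = new JarFile(jar, true); // verify=true (the default) enables digest checks on read
        boolean ok = false;
        try {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureMetadata(e.getName())) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain: JarFile computes and checks the digest here */ }
                } catch (SecurityException se) {
                    throw new SecurityException("entry " + e.getName() + " failed its digest check", se);
                }
                CodeSigner[] signers = e.getCodeSigners(); // null until fully read; null here means unsigned
                if (signers == null) {
                    throw new SecurityException("entry " + e.getName() + " is unsigned");
                }
                if (!signedByTrusted(signers, trusted)) {
                    throw new SecurityException("entry " + e.getName() + " is signed by an untrusted signer");
                }
            }
            ok = true;
            return jf;
        } finally {
            if (!ok) jf.close();
        }
    }

    public static void main(String[] args) throws Exception {
        File downloaded = new File(args[0]);
        X509Certificate trusted = loadTrustedSigner(args.length > 1 ? args[1] : "trusted-signer.cer");
        try (JarFile jf = openVerified(downloaded, trusted)) {
            // jf is now known to be intact and from the pinned signer; use it, not a fresh JarFile(f)
            System.out.println("verified " + downloaded + ": " + jf.size() + " entries");
        }
    }
}
```

Two caveats a reviewer would raise. Pinning the leaf certificate by exact equality is deliberately simple; a PKI-based design would instead validate the signer's chain with CertPathValidator and deal with expiry, revocation and the signing timestamp. And an entry added to the archive after signing is not in the manifest, so it comes back with null signers and is rejected, which is the behaviour you want; a quick manual cross-check on any JAR is `jarsigner -verify -verbose -certs file.jar`.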
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-1739 | 2.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347 | ImageCast X firmware | 6.8 | - | 2022-06-24
CVE-2022-31053 | Signature forgery in Biscuit | biscuit | 9.8 | Critical | 2022-06-13
CVE-2022-26510 | InHand Networks InRouter302 data forgery vulnerability | InRouter302 | 6.5 | - | 2022-05-12
CVE-2022-24884 | Trivial signature forgery in ecdsautils | ecdsautils | 10.0 | Critical | 2022-05-05
CVE-2021-22573 | Incorrect signature verification on Google-oauth-java-client | Google-oauth-java-client | 8.7 | High | 2022-05-03
CVE-2020-25166 | B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus | SpaceCom | 7.6 | High | 2022-04-14
CVE-2021-32977 | AVEVA System Platform Improper Verification of Cryptographic Signature | AVEVA System Platform | 7.2 | High | 2022-04-04
CVE-2022-24772 | Improper Verification of Cryptographic Signature in `node-forge` | forge | 7.5 | High | 2022-03-18
CVE-2022-24773 | Improper Verification of Cryptographic Signature in `node-forge` | forge | 5.3 | Medium | 2022-03-18
CVE-2022-24771 | Improper Verification of Cryptographic Signature in node-forge | forge | 7.5 | High | 2022-03-18
CVE-2022-24759 | Failure to validate signature during handshake in @chainsafe/libp2p-noise | js-libp2p-noise | 8.1 | High | 2022-03-17
CVE-2022-23610 | Improper Verification of Cryptographic Signature in wire-server | wire-server | 9.1 | Critical | 2022-03-16
CVE-2021-20319 | coreos-installer data forgery vulnerability | coreos-installer | 7.8 | - | 2022-03-04
CVE-2022-23655 | Missing server signature validation in OctoberCMS | october | 4.8 | Medium | 2022-02-23
CVE-2021-25636 | Incorrect trust validation of signature with ambiguous KeyInfo children | LibreOffice | 7.5 | - | 2022-02-22
CVE-2022-24115 | Local privilege escalation due to unrestricted loading of unsigned libraries | Acronis Cyber Protect Home Office | 7.8 | - | 2022-02-04
CVE-2022-21134 | Reolink Rlc-410W data forgery vulnerability | n/a | 7.5 | - | 2022-01-28
CVE-2021-41832 | Content Manipulation with Certificate Validation Attack | Apache OpenOffice | 7.5 | - | 2021-10-11
CVE-2021-41831 | Timestamp Manipulation with Signature Wrapping | Apache OpenOffice | 4.0 | - | 2021-10-11
CVE-2021-41830 | Double Certificate Attack | Apache OpenOffice | 7.5 | - | 2021-10-11
CVE-2021-29108 | There is a privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 and below. | Portal for ArcGIS | 8.8 | High | 2021-10-01
CVE-2021-34709 | Cisco IOS XR Software for Cisco 8000 and Network Convergence System 540 Series Routers Image Verification Vulnerabilities | Cisco IOS XR Software | 6.0 | Medium | 2021-09-09
CVE-2021-34708 | Cisco IOS XR Software for Cisco 8000 and Network Convergence System 540 Series Routers Image Verification Vulnerabilities | Cisco IOS XR Software | 6.0 | Medium | 2021-09-09
CVE-2021-3051 | Cortex XSOAR: Authentication Bypass in SAML Authentication | Cortex XSOAR | 8.1 | High | 2021-09-08
CVE-2021-34715 | Cisco Expressway Series and TelePresence Video Communication Server Image Verification Vulnerability | Cisco TelePresence Video Communication Server (VCS) Expressway | 4.7 | Medium | 2021-08-18
CVE-2021-3633 | Lenovo Driver Management code issue vulnerability | Driver Management | 7.3 | High | 2021-08-17
CVE-2021-36277 | Dell Command Update data forgery vulnerability | Alienware Command Center (AWCC) | 7.8 | High | 2021-08-09
CVE-2021-22708 | Multiple Schneider Electric EVlink Charging Stations data forgery vulnerability | EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1) | 7.2 | - | 2021-07-21
CVE-2021-32685 | Improper Verification of Cryptographic Signature in tenvoy | tEnvoy | 9.8 | Critical | 2021-06-16
CVE-2021-29500 | Missing validation of JWT signature | bubble-fireworks | 7.5 | High | 2021-06-04

A dash in the Severity column means the source recorded a CVSS score but no severity rating for that entry.

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) number 362 CVEs; the table above lists 30 of them, newest first. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.