
CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class, 362 entries

362 vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature). AI Chinese analysis included.

CWE-347 represents a critical integrity weakness where software fails to properly validate cryptographic signatures attached to data or code. Attackers typically exploit this flaw by intercepting communications or modifying stored files, substituting legitimate content with malicious payloads that lack valid digital signatures. Because the application accepts these unsigned or tampered inputs as authentic, it executes unauthorized commands or processes corrupted data, potentially leading to complete system compromise or data loss. To prevent this vulnerability, developers must implement rigorous verification routines that strictly check every incoming or processed item against its expected cryptographic signature using trusted public keys. This ensures that any alteration, even a single-bit change, is detected and rejected. Additionally, employing secure key management practices and avoiding custom cryptographic implementations further strengthens the system's defense against signature forgery and tampering attacks.

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands
An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file (Bad, Java):
// Bad: the JAR is opened and its contents used without checking its signature
File f = new File(downloadedFilePath);
JarFile jf = new JarFile(f);
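The hardened counterpart of that snippet, as an added example that is neither MITRE's nor this page's own code: it opens the JAR with verification enabled, reads every entry so the digests are actually compared, and accepts the archive only if each entry was signed by a certificate the application already trusts. It assumes `trusted` is an X509Certificate pinned by the application; JarFile checks digests against the signature block but does not validate the signer's certificate chain, which is why the leaf certificate is compared to the pinned one.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class SignedJarCheck {
    // Accept the JAR only if every content entry was signed by the pinned certificate.
    // Unsigned entries, entries whose digest no longer matches (tampered after signing)
    // and entries signed by an unknown key all cause rejection.
    public static boolean isSignedBy(File jar, X509Certificate trusted) throws IOException {
        int checked = 0;
        try (JarFile jf = new JarFile(jar, true)) {  // verify=true: digests checked on read
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().regionMatches(true, 0, "META-INF/", 0, 9)) {
                    continue;  // manifest and signature files are not signed content themselves
                }
                // The digest is only compared once the entry's bytes have been consumed
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                } catch (SecurityException tampered) {
                    return false;  // digest mismatch: the entry was modified after signing
                }
                CodeSigner[] signers = e.getCodeSigners();  // null when no valid signature
                if (signers == null || !signedBy(signers, trusted)) {
                    return false;  // unsigned, or signed by a key we do not trust
                }
                checked++;
            }
        }
        return checked > 0;  // an archive with nothing to verify is not "verified"
    }

    // JarFile validates digests against the signature block but not the signer's
    // certificate chain, so the leaf certificate is compared to the pinned one.
    private static boolean signedBy(CodeSigner[] signers, X509Certificate trusted) {
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            if (leaf.equals(trusted)) return true;
        }
        return false;
    }
}
```

Call `isSignedBy(f, trusted)` before touching any entry of the downloaded JAR and discard the file on a false result.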
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2021-22735 | Schneider Electric homeLYnk and spaceLYnk Data Forgery Vulnerability | homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior | 7.2 | - | 2021-05-26
CVE-2021-22734 | Schneider Electric spaceLYnk and homeLYnk Data Forgery Vulnerability | homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior | 6.7 | - | 2021-05-26
CVE-2021-3445 | Red Hat libdnf Data Forgery Vulnerability | libdnf | 8.8 | - | 2021-05-19
CVE-2021-3421 | Red Hat Package Manager Data Forgery Vulnerability | rpm | 5.5 | - | 2021-05-19
CVE-2021-29455 | Missing validation of JWT signature in `grassrootza/grassroot-platform` | grassroot-platform | 7.5 | High | 2021-04-19
CVE-2021-29451 | Missing validation of JWT signature in `ManyDesigns/Portofino` | Portofino | 9.1 | Critical | 2021-04-16
CVE-2021-21405 | BLS Signature "Malleability" | lotus | 5.9 | Medium | 2021-04-15
CVE-2021-1375 | Cisco IOS XE Software Fast Reload Vulnerabilities | Cisco IOS XE Software | 6.7 | - | 2021-03-24
CVE-2021-1376 | Cisco IOS XE Software Fast Reload Vulnerabilities | Cisco IOS XE Software | 6.7 | - | 2021-03-24
CVE-2021-1453 | Cisco IOS XE Software for the Catalyst 9000 Family Arbitrary Code Execution Vulnerability | Cisco IOS XE Software | 6.8 | Medium | 2021-03-24
CVE-2021-3406 | CNCF Keylime Trust Management Vulnerability | keylime | 8.2 | - | 2021-02-25
CVE-2021-1366 | Cisco AnyConnect Secure Mobility Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability | Cisco AnyConnect Secure Mobility Client | 7.8 | High | 2021-02-17
CVE-2021-3033 | Prisma Cloud Compute: SAML Authentication Bypass Vulnerability in Console | Prisma Cloud Compute | 9.1 | Critical | 2021-02-10
CVE-2021-1136 | Cisco IOS XR Software for Cisco 8000 Series Routers and Network Convergence System 540 Series Routers Image Verification Vulnerabilities | Cisco IOS XR Software | 6.7 | Medium | 2021-02-04
CVE-2021-1244 | Cisco IOS XR Software for Cisco 8000 Series Routers and Network Convergence System 540 Series Routers Image Verification Vulnerabilities | Cisco IOS XR Software | 6.7 | Medium | 2021-02-04
CVE-2021-21238 | SAML XML Signature wrapping | pysaml2 | 6.5 | Medium | 2021-01-21
CVE-2021-21239 | Open default xmlsec1 key-type preference | pysaml2 | 6.5 | Medium | 2021-01-21
CVE-2020-26290 | Critical security issues in XML encoding in Dex | dex | 9.3 | Critical | 2020-12-28
CVE-2020-11093 | Authorization bypass in Hyperledger Indy | indy-node | 7.5 | High | 2020-12-24
CVE-2020-24439 | Acrobat Reader DC for macOS Signature Validation Bypass | Acrobat Reader | 2.8 | Low | 2020-11-05
CVE-2020-24429 | Acrobat Reader DC for macOS Signature Verification Bypass Could Lead to Privilege Escalation | Acrobat Reader | 7.7 | High | 2020-11-05
CVE-2020-15216 | Signature Validation Bypass in goxmldsig | goxmldsig | 5.3 | Medium | 2020-09-29
CVE-2020-14365 | Red Hat Ansible Data Forgery Vulnerability | ansible | 7.1 | - | 2020-09-23
CVE-2019-1736 | Multiple Cisco UCS-Based Products UEFI Secure Boot Bypass Vulnerability | Cisco Identity Services Engine Software | 6.6 | - | 2020-09-23
CVE-2020-14515 | WIBU CodeMeter Data Forgery Vulnerability | CodeMeter | 7.5 | - | 2020-09-16
CVE-2020-10759 | fwupd Data Forgery Vulnerability | fwupd | 6.0 | - | 2020-09-15
CVE-2020-15705 | GRUB2: avoid loading unsigned kernels when GRUB is booted directly under secureboot without shim | grub2 in Ubuntu | 6.4 | Medium | 2020-07-29
CVE-2020-10608 | Multiple OSIsoft Products Data Forgery Vulnerability | OSIsoft PI System multiple products and versions | 7.8 | - | 2020-07-24
CVE-2016-7064 | Pritunl-client Data Forgery Vulnerability | pritunl-client-electron | 7.5 | - | 2020-07-21
CVE-2020-15093 | Improper verification of signature threshold in tough | tough | 8.6 | High | 2020-07-09

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) represent 362 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.