
CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class 362

362 vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature). AI Chinese analysis included.

CWE-347 represents a critical integrity weakness where software fails to properly validate cryptographic signatures attached to data or code. Attackers typically exploit this flaw by intercepting communications or modifying stored files, substituting legitimate content with malicious payloads that lack valid digital signatures. Because the application accepts these unsigned or tampered inputs as authentic, it executes unauthorized commands or processes corrupted data, potentially leading to complete system compromise or data loss. To prevent this vulnerability, developers must implement rigorous verification routines that strictly check every incoming or processed item against its expected cryptographic signature using trusted public keys. This ensures that any alteration, even a single bit change, is detected and rejected. Additionally, employing secure key management practices and avoiding custom cryptographic implementations further strengthens the system’s defense against signature forgery and tampering attacks.

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands
Note: An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file. The JAR is opened and its entries can be read without any check that it was signed by a trusted signer, which is the CWE-347 weakness.

import java.io.File;
import java.util.jar.JarFile;

File f = new File(downloadedFilePath);
JarFile jf = new JarFile(f); // no check that the JAR carries a valid signature from a trusted signer before its contents are used

Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
(AI) = value carries the page's AI marker

CVE-2026-3564 | ScreenConnect Instance Level Cryptographic Material Exposure | ScreenConnect | 9.0 | Critical | 2026-03-17
CVE-2026-4258 | sjcl security vulnerability | sjcl | 7.5 | High | 2026-03-17
CVE-2026-27962 | Authlib JWS JWK Header Injection: Signature Verification Bypass | authlib | 9.1 | Critical | 2026-03-16
CVE-2026-3562 | Philips Hue Bridge hk_hap Ed25519 Signature Verification Authentication Bypass Vulnerability | Hue Bridge | 8.8 (AI) | High (AI) | 2026-03-13
CVE-2026-32614 | Go ShangMi SM9 Infinity-Point Ciphertext Forgery Vulnerability | gmsm | 7.5 | High | 2026-03-13
CVE-2026-28432 | HTTP signature verification can be bypassed | misskey | 7.5 (AI) | High (AI) | 2026-03-09
CVE-2025-41767 | Signature bypass on update upload | UBR-01 Mk II | 7.2 | High | 2026-03-09
CVE-2026-3706 | mkj Dropbear S Range Check curve25519.c unpackneg signature verification | Dropbear | 3.7 | Low | 2026-03-08
CVE-2026-28802 | Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification | authlib | 9.1 | - | 2026-03-06
CVE-2026-29000 | pac4j-jwt JwtAuthenticator Authentication Bypass | pac4j-jwt | 9.1 | Critical | 2026-03-04
CVE-2026-27445 | PGP Signature Reflection | Secure Email Gateway | 7.5 (AI) | High (AI) | 2026-03-04
CVE-2026-2746 | Missing PGP Signature Tag | Secure Email Gateway | 5.3 (AI) | Medium (AI) | 2026-03-04
CVE-2025-15598 | Dataease SQLBot JWT Token auth.py validateEmbedded signature verification | SQLBot | 3.7 | Low | 2026-03-03
CVE-2026-3338 | PKCS7_verify Signature Validation Bypass in AWS-LC | AWS-LC | 7.5 | High | 2026-03-02
CVE-2025-12150 | Org.keycloak/keycloak-services: webauthn attestation statement verification bypass | keycloak | 3.1 | Low | 2026-02-27
CVE-2026-22866 | ENS DNSSEC Oracle Vulnerable to RSA Signature Forgery via Missing PKCS#1 v1.5 Padding Validation | ens-contracts | 5.9 (AI) | Medium (AI) | 2026-02-25
CVE-2026-2968 | Cesanta Mongoose Poly1305 Authentication Tag tls_chacha20.c mg_chacha20_poly1305_decrypt signature verification | Mongoose | 3.7 | Low | 2026-02-23
CVE-2025-32060 | Absence of Kernel Module Signature Verification on Linux System of Infotainment ECU | Infotainment system ECU | 6.7 | Medium | 2026-02-15
CVE-2026-23687 | XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform | SAP NetWeaver AS ABAP and ABAP Platform | 8.8 | High | 2026-02-10
CVE-2026-1529 | Org.keycloak.services.resources.organizations: keycloak: unauthorized organization registration via improper invitation token validation | Red Hat build of Keycloak 26.2 | 8.1 | High | 2026-02-09
CVE-2026-25793 | Nebula Has Possible Blocklist Bypass via ECDSA Signature Malleability | nebula | 6.2 (AI) | Medium (AI) | 2026-02-06
CVE-2026-1568 | Rapid7 InsightVM Signature Validation Vulnerability | Vulnerability Management | 9.6 | Critical | 2026-02-03
CVE-2026-0750 | Payment bypass in Commerce Paybox | Drupal Commerce Paybox | 9.8 (AI) | Critical (AI) | 2026-01-28
CVE-2026-24850 | ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices | signatures | 5.3 | Medium | 2026-01-28
CVE-2025-15469 | 'openssl dgst' one-shot codepath silently truncates inputs >16MB | OpenSSL | 9.1 (AI) | Critical (AI) | 2026-01-27
CVE-2026-24807 | Buffer Overflow Vulnerability in liuyueyi/quick-media | quick-media | 9.1 (AI) | Critical (AI) | 2026-01-27
CVE-2026-22696 | dcap-qvl has Missing Verification for QE Identity | dcap-qvl | 7.5 (AI) | High (AI) | 2026-01-26
CVE-2026-23992 | go-tuf improperly validates the configured threshold for delegations | go-tuf | 5.9 | Medium | 2026-01-22
CVE-2026-23965 | sm-crypto Affected by Signature Forgery in SM2-DSA | sm-crypto | 7.5 | High | 2026-01-22
CVE-2026-23967 | sm-crypto Affected by Signature Malleability in SM2-DSA | sm-crypto | 7.5 | High | 2026-01-22

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) represent 362 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.