
CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class 362

362 vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature). AI Chinese analysis included.

CWE-347 represents a critical integrity weakness where software fails to properly validate cryptographic signatures attached to data or code. Attackers typically exploit this flaw by intercepting communications or modifying stored files, substituting legitimate content with malicious payloads that lack valid digital signatures. Because the application accepts these unsigned or tampered inputs as authentic, it executes unauthorized commands or processes corrupted data, potentially leading to complete system compromise or data loss. To prevent this vulnerability, developers must implement rigorous verification routines that strictly check every incoming or processed item against its expected cryptographic signature using trusted public keys. This ensures that any alteration, even a single bit change, is detected and rejected. Additionally, employing secure key management practices and avoiding custom cryptographic implementations further strengthens the system’s defense against signature forgery and tampering attacks.

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity; Modify Application Data; Execute Unauthorized Code or Commands
An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file:
File f = new File(downloadedFilePath);
JarFile jf = new JarFile(f);
Bad · Java
The archive may have come from an untrusted source, yet nothing establishes who signed it: JarFile only checks that signed entries match their signature files, it does not reject an unsigned JAR, and it does not compare the signer with any trusted certificate. The caller has to read each entry and check the entry's code signers against the keys it trusts before acting on the archive's contents.
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-9485 | OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Authentication Bypass via get_resource_owner_from_id_token() | OAuth Single Sign On – SSO (OAuth Client) | 9.8 | Critical | 2025-10-04 |
| CVE-2025-59934 | Formbricks missing JWT signature verification | formbricks | 9.4 | Critical | 2025-09-26 |
| CVE-2025-7937 | Supermicro BMC firmware update validation bypass | MBD-X12STW | 7.2 | High | 2025-09-19 |
| CVE-2025-6198 | Supermicro BMC firmware update validation bypass | X13SEM-F | 7.2 | High | 2025-09-19 |
| CVE-2025-59334 | Linkr allows manifest tampering leading to arbitrary file injection | Linkr | 9.7 | Critical | 2025-09-16 |
| CVE-2025-20248 | Cisco IOS XR Software Image Verification Bypass Vulnerability | Cisco IOS XR Software | 6.0 | Medium | 2025-09-10 |
| CVE-2025-52550 | Firmware upgrade packages are unsigned | E3 Supervisory Control | 4.9 (AI) | Medium (AI) | 2025-09-02 |
| CVE-2025-57801 | gnark is vulnerable to signature malleability in EdDSA and ECDSA due to missing scalar checks | gnark | 7.5 (AI) | High (AI) | 2025-08-22 |
| CVE-2025-55229 | Windows Certificate Spoofing Vulnerability | Windows 10 Version 1507 | 5.3 | Medium | 2025-08-21 |
| CVE-2025-4371 | Lenovo 510 FHD and Lenovo Performance FHD security vulnerability | 510 FHD Webcam | 6.8 | Medium | 2025-08-18 |
| CVE-2025-40758 | Siemens Mendix SAML data forgery vulnerability | Mendix SAML (Mendix 10.12 compatible) | 8.7 | High | 2025-08-14 |
| CVE-2025-54982 | SAML 2.0 Public Key Validation Issue | Authentication Server | 9.6 | Critical | 2025-08-05 |
| CVE-2025-43023 | HP Linux Imaging and Printing Software - Use of DSA Key | HP Linux Imaging and Printing Software | 9.1 (AI) | Critical (AI) | 2025-07-28 |
| CVE-2025-23364 | Siemens TIA Administrator data forgery vulnerability | TIA Administrator | 6.2 | Medium | 2025-07-08 |
| CVE-2024-49365 | tiny-secp256k1 allows for verify() bypass when running in bundled environment | tiny-secp256k1 | 5.3 (AI) | Medium (AI) | 2025-07-01 |
| CVE-2024-36347 | AMD Processors security vulnerability | AMD EPYC™ 7001 Series | 6.4 | Medium | 2025-06-27 |
| CVE-2025-52556 | rfc3161-client has insufficient verification for timestamp response signatures | rfc3161-client | 7.5 (AI) | High (AI) | 2025-06-21 |
| CVE-2025-33069 | Windows App Control for Business Security Feature Bypass Vulnerability | Windows 11 Version 24H2 | 5.1 | Medium | 2025-06-10 |
| CVE-2025-24015 | Deno's AES GCM authentication tags are not verified | deno | 9.8 (AI) | Critical (AI) | 2025-06-03 |
| CVE-2022-31807 | Siemens SiPass integrated AC5102 and Siemens SiPass integrated ACC-AP data forgery vulnerability | Building X - Security Manager Edge Controller (ACC-AP) | 6.2 | Medium | 2025-05-23 |
| CVE-2025-47949 | samlify SAML Signature Wrapping attack | samlify | 8.8 (AI) | High (AI) | 2025-05-19 |
| CVE-2025-47934 | OpenPGP.js's message signature verification can be spoofed | openpgpjs | 8.2 (AI) | High (AI) | 2025-05-19 |
| CVE-2025-20181 | Cisco IOS data forgery vulnerability | IOS | 6.8 (AI) | Medium (AI) | 2025-05-07 |
| CVE-2025-33074 | Azure Functions Remote Code Execution Vulnerability | Azure Functions | 7.5 | High | 2025-04-30 |
| CVE-2025-2866 | PDF signature forgery with adbe.pkcs7.sha1 SubFilter | LibreOffice | 6.5 | - | 2025-04-27 |
| CVE-2025-2764 | CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability | CPC200-CCPA | 8.8 | - | 2025-04-23 |
| CVE-2025-2763 | CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability | CPC200-CCPA | 6.8 | - | 2025-04-23 |
| CVE-2025-43903 | Freedesktop Poppler security vulnerability | Poppler | 4.3 | Medium | 2025-04-18 |
| CVE-2025-20178 | Cisco Secure Network Analytics Privilege Escalation Vulnerability | Cisco Secure Network Analytics | 6.0 | Medium | 2025-04-16 |
| CVE-2025-29915 | Suricata af-packet: defrag option can lead to truncated packets affecting visibility | suricata | 7.5 | High | 2025-04-10 |

(AI) marks a CVSS score or severity that the page labels as AI-generated rather than taken from the advisory; "-" means no severity was given.

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) represent 362 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.