
CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class (362 CVEs)

362 vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature). AI-generated Chinese analysis included.

CWE-347 represents a critical integrity weakness where software fails to properly validate cryptographic signatures attached to data or code. Attackers typically exploit this flaw by intercepting communications or modifying stored files, substituting legitimate content with malicious payloads that lack valid digital signatures. Because the application accepts these unsigned or tampered inputs as authentic, it executes unauthorized commands or processes corrupted data, potentially leading to complete system compromise or data loss. To prevent this vulnerability, developers must implement rigorous verification routines that strictly check every incoming or processed item against its expected cryptographic signature using trusted public keys. This ensures that any alteration, even a single bit change, is detected and rejected. Additionally, employing secure key management practices and avoiding custom cryptographic implementations further strengthens the system’s defense against signature forgery and tampering attacks.

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands
Note: An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file.

    // MITRE "Bad" example: the JAR comes from an untrusted download and is
    // opened without verifying any signature it carries before its contents are used.
    File f = new File(downloadedFilePath);
    JarFile jf = new JarFile(f);

Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-27813 | Micro-Star MSI Center security vulnerability | Center | 8.1 | High | 2025-04-10
CVE-2025-31489 | MinIO performs incomplete signature validation for unsigned-trailer uploads | minio | 6.5 (AI) | Medium (AI) | 2025-04-03
CVE-2025-31335 | OpenSAML security vulnerability | OpenSAML C++ library | 4.0 | Medium | 2025-03-28
CVE-2025-29775 | xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment | xml-crypto | 9.8 | - | 2025-03-14
CVE-2025-29774 | xml-crypto Vulnerable to XML Signature Verification Bypass via Multiple SignedInfo References | xml-crypto | 8.8 | - | 2025-03-14
CVE-2020-36843 | EdDSA-Java security vulnerability | ed25519-java | 4.3 | Medium | 2025-03-13
CVE-2025-25292 | Ruby SAML vulnerable to SAML authentication bypass due to namespace handling (parser differential) | ruby-saml | 9.8 | - | 2025-03-12
CVE-2025-25291 | ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential) | ruby-saml | 9.8 | - | 2025-03-12
CVE-2025-20143 | Cisco IOS XR Software Secure Boot Bypass Vulnerability | Cisco IOS XR Software | 6.7 | Medium | 2025-03-12
CVE-2025-2233 | Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability | SmartThings | 8.8 | - | 2025-03-11
CVE-2025-27773 | SimpleSAMLphp SAML2 library has incorrect signature verification for HTTP-Redirect binding | saml2 | 8.6 | High | 2025-03-11
CVE-2025-24043 | WinDbg Remote Code Execution Vulnerability | WinDbg | 7.5 | High | 2025-03-11
CVE-2025-20206 | Cisco Secure Client for Windows with VPN Posture (HostScan) Module DLL Hijacking Vulnerability | Cisco Secure Client | 7.1 | High | 2025-03-05
CVE-2024-11957 | Arbitrary Code Execution in WPS Office | WPS Office | 7.8 | - | 2025-03-04
CVE-2025-27498 | AEADs/ascon-aead: Plaintext exposed in decrypt_in_place_detached even on tag verification failure | AEADs | 7.5 | - | 2025-03-03
CVE-2023-25574 | JupyterHub's LTI13Authenticator: JWT signature not validated | ltiauthenticator | 10.0 | Critical | 2025-02-25
CVE-2024-10237 | SMC BMC Firmware Image Authentication Design Issue | MBD-X12DPG-OA6 | 7.2 | High | 2025-02-04
CVE-2024-56161 | AMD SEV-SNP security vulnerability | AMD EPYC™ 7001 Series | 7.2 | High | 2025-02-03
CVE-2025-23369 | Improper Verification of Cryptographic Signature in GitHub Enterprise Server Allows Signature Spoofing by Improper Validation | Enterprise Server | 7.5 | - | 2025-01-21
CVE-2025-23206 | IAM OIDC custom resource allows connection to unauthorized OIDC provider in aws-cdk | aws-cdk | 8.1 | - | 2025-01-17
CVE-2024-13172 | Ivanti EPM data forgery vulnerability | Endpoint Manager | 7.8 | High | 2025-01-14
CVE-2024-54150 | Algorithm Confusion Vulnerability in cjwt | cjwt | 9.1 | - | 2024-12-19
CVE-2024-43106 | Microsoft Office security vulnerability | Excel | 7.1 | High | 2024-12-18
CVE-2024-42220 | Microsoft Office security vulnerability | Outlook | 7.1 | High | 2024-12-18
CVE-2024-42004 | Microsoft Teams security vulnerability | Teams (work or school) | 7.1 | High | 2024-12-18
CVE-2024-41165 | Microsoft Office security vulnerability | Word | 7.1 | High | 2024-12-18
CVE-2024-41159 | Microsoft Office security vulnerability | OneNote | 7.1 | High | 2024-12-18
CVE-2024-41145 | Microsoft Teams security vulnerability | Teams (work or school) | 7.1 | High | 2024-12-18
CVE-2024-41138 | Microsoft Teams security vulnerability | Teams (work or school) | 7.1 | High | 2024-12-18
CVE-2024-39804 | Microsoft Office PowerPoint security vulnerability | PowerPoint | 7.1 | High | 2024-12-18

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) represent 362 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.