
CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class (362 CVEs)

362 vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature). AI-generated Chinese analysis included.

CWE-347 is an integrity weakness: the software either skips verification of the cryptographic signature attached to data or code, or verifies it incorrectly (trusting a key supplied alongside the data, honouring whatever algorithm the input names, ignoring a verification failure, or checking only part of the input). An attacker who can intercept the channel or modify stored files then substitutes content of their choosing: an unsigned update package, a re-signed archive, or a token whose signature is never actually checked. Because the application treats that input as authentic, it executes unauthorized commands or processes tampered data, which can end in full system compromise or data loss. Prevention is to verify every incoming or loaded item against a signature made by a key the application already trusts (pinned, or anchored in its own trust store, never taken from the message itself), to fix the algorithm rather than negotiate it, and to fail closed on any error, so that even a single-bit change is detected and the item is rejected. Sound key management and vetted cryptographic libraries in place of custom implementations further reduce exposure to forgery and tampering.

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands
An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file.
Bad · Java
File f = new File(downloadedFilePath);
JarFile jf = new JarFile(f);
Nothing here checks that the archive is signed at all, or by whom: an unsigned or re-signed archive obtained from the download location is accepted as-is.
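As an added example (written for this page; it is not MITRE's code and not from any project listed below), the Java program here shows the verification the overview calls for, applied to the JarFile snippet above. It assumes a pinned signer certificate in PEM form (the file name `signer.pem` is hypothetical) and constructs an unsigned JAR in a temporary file as offline test input. Three things the one-liner above leaves out: the JDK only checks an entry's digest once its bytes are actually read, unsigned entries pass the default verification silently, and a valid signature from the wrong key is still the wrong key.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;

public final class SignedJarCheck {

    // The manifest and the META-INF signature files carry the signature; they are not themselves signed entries.
    private static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    // Loads the pinned signer certificate (assumption: a PEM/DER X.509 file chosen by the deployer).
    public static X509Certificate loadPinnedCert(File pem) throws Exception {
        try (InputStream in = new FileInputStream(pem)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Rejects the archive unless every content entry is signed, its digest checks out, and the
    // signer's leaf certificate is exactly the pinned one. Returns normally only on full success.
    public static void verify(File jar, X509Certificate trusted) throws IOException {
        try (JarFile jf = new JarFile(jar, true)) {            // verify=true is the default; state it anyway
            if (jf.getManifest() == null) {
                throw new SecurityException("no manifest: archive cannot carry a signature");
            }
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { }                // consume fully: digest is checked on read
                }
                CodeSigner[] signers = e.getCodeSigners();      // null for an unsigned entry
                if (signers == null || signers.length == 0) {
                    throw new SecurityException("unsigned entry: " + e.getName());
                }
                boolean pinned = false;
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (leaf.equals(trusted)) pinned = true;   // compares the encoded certificate
                }
                if (!pinned) {
                    throw new SecurityException("signed by an untrusted key: " + e.getName());
                }
            }
        }
    }

    // Constructed test input: a small, well-formed but unsigned JAR.
    private static File buildUnsignedJar() throws IOException {
        File f = File.createTempFile("unsigned", ".jar");
        f.deleteOnExit();
        Manifest m = new Manifest();
        m.getMainAttributes().putValue("Manifest-Version", "1.0");
        try (JarOutputStream out = new JarOutputStream(new FileOutputStream(f), m)) {
            out.putNextEntry(new JarEntry("payload.txt"));
            out.write("hello".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        return f;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) {                                // java SignedJarCheck downloaded.jar signer.pem
            verify(new File(args[0]), loadPinnedCert(new File(args[1])));
            System.out.println("every entry is signed by the pinned certificate");
            return;
        }
        File jar = buildUnsignedJar();
        try (JarFile jf = new JarFile(jar)) {                  // the page's snippet: opens anything
            System.out.println("opened without any signer check, entries=" + jf.size());
        }
        try {
            verify(jar, null);                                 // pin unused here: the unsigned-entry check fires first
            System.out.println("UNEXPECTED: unsigned archive accepted");
        } catch (SecurityException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Run with no arguments for the offline demonstration; with `downloaded.jar signer.pem` it checks a real archive against the pinned certificate and throws SecurityException on an unsigned entry, a digest mismatch, or a signer other than the pinned one. Pinning the leaf certificate is the simplest policy; when signers rotate keys, compare the signer's certificate path against your own trust anchor with CertPathValidator instead, never against whatever chain the archive happens to ship.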
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-37532 | IBM WebSphere Application Server identity spoofing | WebSphere Application Server | 8.8 | High | 2024-06-20
CVE-2024-37886 | Nextcloud user_oidc's ID4me does not validate signature or expiration | security-advisories | 5.4 | Medium | 2024-06-14
CVE-2024-2451 | Improper fingerprint validation in the TeamViewer Client | Remote (Full Client) | 6.4 | Medium | 2024-05-28
CVE-2024-1721 | HYPR security vulnerability | Passwordless | 7.7 (AI) | High (AI) | 2024-05-21
CVE-2024-27244 | Zoom Workplace VDI App for Windows - Insufficient Verification of Data Authenticity | Zoom Workplace VDI App for Windows | 6.7 | Medium | 2024-05-15
CVE-2024-34358 | TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController | typo3 | 5.3 | Medium | 2024-05-14
CVE-2023-50228 | Parallels Desktop Updater Improper Verification of Cryptographic Signature Local Privilege Escalation Vulnerability | Desktop | 7.8 | - | 2024-05-03
CVE-2024-32962 | XML signature verification bypass due to improper verification of signature / signature spoofing | xml-crypto | 10.0 | Critical | 2024-05-02
CVE-2024-23480 | Insecure MacOS code sign check fallback | Client Connector | 7.5 | High | 2024-05-01
CVE-2024-27247 | Zoom Desktop Client for macOS - Improper Privilege Management | Zoom Desktop Client for macOS | 5.5 | Medium | 2024-04-09
CVE-2024-24694 | Zoom Desktop Client for Windows - Improper Privilege Management | Zoom Desktop Client for Windows | 5.9 | Medium | 2024-04-09
CVE-2024-26194 | Secure Boot Security Feature Bypass Vulnerability | Windows 10 Version 1809 | 7.4 | High | 2024-04-09
CVE-2024-2307 | Osbuild-composer: race condition may disable gpg verification for package repositories | | 6.1 | Medium | 2024-03-19
CVE-2024-1150 | Improper validation of update packages | Inventory Agent | 7.8 | High | 2024-02-08
CVE-2024-1149 | Improper validation of update packages | Inventory Agent | 7.8 | High | 2024-02-08
CVE-2024-21917 | Rockwell Automation FactoryTalk® Service Platform Service Token Vulnerability | FactoryTalk® Service Platform | 9.8 | Critical | 2024-01-31
CVE-2024-21383 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Microsoft Edge (Chromium-based) | 3.3 | Low | 2024-01-26
CVE-2024-23680 | AWS Encryption SDK for Java Improper Verification of Cryptographic Signature | | 8.2 | - | 2024-01-19
CVE-2024-0567 | Gnutls: rejects certificate chain with distributed trust | | 7.5 | High | 2024-01-16
CVE-2023-2030 | Improper Verification of Cryptographic Signature in GitLab | GitLab | 3.5 | Low | 2024-01-12
CVE-2024-21669 | Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC | aries-cloudagent-python | 9.9 | Critical | 2024-01-11
CVE-2023-5347 | Unauthenticated Firmware Upgrade | JetNet Series | 9.8 | Critical | 2024-01-09
CVE-2022-3864 | ABB Relion 670 Series and Relion 650 Series security vulnerability | Relion 670/650/SAM600-IO Series | 4.5 | Medium | 2024-01-04
CVE-2023-23436 | Honor Magic Ui security vulnerability | Magic OS | 7.3 | High | 2023-12-29
CVE-2023-23435 | Honor Magic Ui security vulnerability | Magic OS | 4.0 | Medium | 2023-12-29
CVE-2023-23433 | Honor NTH-AN00 security vulnerability | NTH-AN00 | 4.0 | Medium | 2023-12-29
CVE-2023-23431 | Honor NTH-AN00 security vulnerability | NTH-AN00 | 7.3 | High | 2023-12-29
CVE-2023-23432 | Honor NTH-AN00 security vulnerability | NTH-AN00 | 7.3 | High | 2023-12-29
CVE-2023-49646 | Zoom Client security vulnerability | Zoom Clients | 6.4 | Medium | 2023-12-13
CVE-2023-41337 | h2o vulnerable to TLS session resumption misdirection | h2o | 6.1 | Medium | 2023-12-12

362 CVEs are classified as CWE-347 (Improper Verification of Cryptographic Signature). The CWE entry describes the weakness class only; consult each CVE for product-specific impact and affected versions.