
CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class 362

362 vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature). AI Chinese analysis included.

CWE-347 is an integrity weakness: the software does not verify, or incorrectly verifies, the cryptographic signature on data or code it consumes. Attackers exploit it by intercepting traffic or modifying stored files and substituting content that is unsigned, signed by a key the application should not trust, or signed over fewer fields than the application later acts on. Because the application treats that input as authentic, it executes unauthorized code, processes forged data, or lets the attacker assume another party's identity. The defence is a verification routine that fails closed: every item is checked against its signature with a public key pinned from a trusted source; the signature must cover every field the application relies on; an absent or malformed signature is a rejection, not a fallback to "unsigned mode"; and nothing from the payload is used for any decision before verification succeeds, so that a single changed bit causes rejection. Sound key management (in particular, not fetching the verification key over the same untrusted channel as the data) and the use of well-reviewed signature libraries rather than custom implementations close the remaining gaps against forgery and tampering.
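The fail-closed routine described above, as an added example that is not code from this page, from MITRE, or from any of the listed projects. It uses Ed25519 from Go's standard library; the Artifact type, its field names, the sample payload and the scenario names are constructed for illustration. The verifier returns a distinct error for a missing signature and for a signature that does not verify, pins the trusted key rather than accepting one carried with the data, and signs a length-prefixed encoding of every security-relevant field so that a change to any of them invalidates the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Distinct errors so a caller cannot treat "no signature" as "nothing to check".
var (
	ErrMissingSignature = errors.New("artifact carries no signature")
	ErrBadSignature     = errors.New("signature does not verify under the trusted key")
)

// Artifact is a hypothetical signed update descriptor, constructed for this example.
type Artifact struct {
	Name      string
	Version   string
	Digest    []byte // SHA-256 of the payload the descriptor refers to
	Signature []byte // Ed25519 signature over canonicalBytes(); nil when absent
}

// canonicalBytes length-prefixes every security-relevant field so the signed byte
// string is unambiguous: Name="ab",Version="c" must not encode like Name="a",Version="bc".
// Leaving a field out here is the mistake behind "signature does not cover X" bugs.
func (a *Artifact) canonicalBytes() []byte {
	var out []byte
	var n [4]byte
	for _, field := range [][]byte{[]byte(a.Name), []byte(a.Version), a.Digest} {
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		out = append(out, n[:]...)
		out = append(out, field...)
	}
	return out
}

// Sign is the publisher side.
func Sign(priv ed25519.PrivateKey, a *Artifact) {
	a.Signature = ed25519.Sign(priv, a.canonicalBytes())
}

// VerifyArtifact is the consumer side: it checks against a pinned trusted key and
// fails closed on every path (no signature, malformed signature, wrong key, any changed byte).
// Callers must not act on Name/Version/Digest before this returns nil.
func VerifyArtifact(trusted ed25519.PublicKey, a *Artifact) error {
	if len(a.Signature) == 0 {
		return ErrMissingSignature // an absent signature is a rejection, never "optional"
	}
	if len(a.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(trusted, a.canonicalBytes(), a.Signature) {
		return ErrBadSignature
	}
	return nil
}

// RunScenarios exercises the verifier and returns the outcome of each constructed case.
func RunScenarios() map[string]error {
	trustedPub, trustedPriv, _ := ed25519.GenerateKey(rand.Reader) // pinned at install time
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)         // key the consumer does not trust

	payload := []byte("constructed sample payload")
	sum := sha256.Sum256(payload)
	good := &Artifact{Name: "agent", Version: "1.2.3", Digest: sum[:]}
	Sign(trustedPriv, good)

	tampered := *good // same signature, one covered field changed
	tampered.Version = "1.2.4"

	unsigned := *good // signature stripped in transit
	unsigned.Signature = nil

	forged := *good // re-signed by a key the consumer does not trust
	Sign(attackerPriv, &forged)

	return map[string]error{
		"valid":    VerifyArtifact(trustedPub, good),
		"tampered": VerifyArtifact(trustedPub, &tampered),
		"unsigned": VerifyArtifact(trustedPub, &unsigned),
		"forged":   VerifyArtifact(trustedPub, &forged),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

Only the "valid" case returns nil; the tampered and forged copies fail with ErrBadSignature and the stripped copy with ErrMissingSignature. The point of returning sentinel errors rather than a boolean is that the calling code has to handle each path explicitly instead of falling through to use of the data.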

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality. Impact: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands.
An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file and its contents are then used without any check of who signed it, or whether it is signed at all.

    import java.io.File;
    import java.io.IOException;
    import java.util.jar.JarFile;

    // Bad: downloadedFilePath is assumed to point at a JAR fetched from an
    // untrusted source; nothing here ties its contents to a trusted signer.
    File f = new File(downloadedFilePath);
    JarFile jf = new JarFile(f);

Bad · Java

A caveat when fixing this: passing the verify flag (new JarFile(f, true)) only makes JarFile check that signed entries match the digests in the manifest. An unsigned JAR still opens without error, and the signer's certificate is not compared against any trust anchor. The caller must read each entry to the end and then check JarEntry.getCodeSigners() (or getCertificates()) against the expected signing certificate before acting on the entry.
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-49079 | Misskey's missing signature validation allows arbitrary users to impersonate any remote user. | misskey | 9.3 | Critical | 2023-11-29
CVE-2023-5747 | Command injection via wave install file | PNV-A6081R | 7.2 | High | 2023-11-13
CVE-2023-47122 | Gitsign's Rekor public keys fetched from upstream API instead of local TUF client. | gitsign | 4.2 | Medium | 2023-11-10
CVE-2023-46234 | browserify-sign vulnerable via an upper bound check issue in `dsaVerify` that leads to a signature forgery attack | browserify-sign | 6.5 | Medium | 2023-10-26
CVE-2023-28804 | Linux ZCC allows unsigned updates, allowing elevated Code Execution | Client Connector | 8.2 | High | 2023-10-23
CVE-2022-25333 | Flawed SK_LOAD module authenticity check in Texas Instruments OMAP L138 | OMAP | 8.2 | High | 2023-10-19
CVE-2023-43611 | BIG-IP Edge Client for macOS vulnerability | BIG-IP Edge Client | 7.8 | High | 2023-10-10
CVE-2023-42811 | AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure | AEADs | 4.7 | Medium | 2023-09-22
CVE-2023-42806 | Snapshot signature not including HeadID will allow replay attacks | hydra | 6.5 | Medium | 2023-09-21
CVE-2023-20236 | Cisco IOS XR data forgery vulnerability | Cisco IOS XR Software | 6.7 | Medium | 2023-09-13
CVE-2023-20135 | Cisco IOS XR security vulnerability | Cisco IOS XR Software | 5.7 | Medium | 2023-09-13
CVE-2023-41764 | Microsoft Office Spoofing Vulnerability | Microsoft Office 2019 | 5.5 | Medium | 2023-09-12
CVE-2023-40727 | Siemens QMS Automotive data forgery vulnerability | QMS Automotive | 7.8 | High | 2023-09-12
CVE-2023-41744 | Acronis Agent and Acronis Cyber Protect data forgery vulnerability | Acronis Agent | 7.8 | - | 2023-08-31
CVE-2023-28801 | Improper SAML signature verification | ZIA Admin Portal | 9.6 | Critical | 2023-08-31
CVE-2023-36811 | Archive spoofing vulnerability in borgbackup | borg | 4.7 | Medium | 2023-08-30
CVE-2023-20266 | Multiple Cisco products security vulnerability | Cisco Emergency Responder | 6.5 | Medium | 2023-08-30
CVE-2023-41037 | Cleartext Signed Message Signature Spoofing in openpgpjs | openpgpjs | 4.3 | Medium | 2023-08-29
CVE-2023-23773 | Motorola MBTS Base Radio and Motorola EBTS Base Radio data forgery vulnerability | EBTS/MBTS Base Radio | 7.2 | High | 2023-08-29
CVE-2023-23772 | Motorola MBTS Site Controller data forgery vulnerability | MBTS Site Controller | 7.2 | High | 2023-08-29
CVE-2023-40178 | @node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError | node-saml | 5.3 | Medium | 2023-08-23
CVE-2023-39969 | uthenticode signature validation bypass vulnerability | uthenticode | 9.1 | Critical | 2023-08-09
CVE-2023-39211 | Zoom Rooms security vulnerability | Zoom Desktop Client for Windows and Zoom Rooms for Windows | 8.8 | High | 2023-08-08
CVE-2023-38418 | BIG-IP Edge Client for macOS vulnerability | BIG-IP Edge Client | 7.8 | High | 2023-08-02
CVE-2023-3347 | Samba: smb2 packet signing is not enforced when "server signing = required" is set | Red Hat Enterprise Linux 8 | 5.9 | Medium | 2023-07-20
CVE-2023-35373 | Mono Authenticode Validation Spoofing Vulnerability | Mono 6.12.0 | 5.3 | Medium | 2023-07-11
CVE-2023-32449 | Dell EMC PowerStore data forgery vulnerability | PowerStore | 7.2 | High | 2023-06-22
CVE-2023-34120 | Zoom Rooms security vulnerability | Zoom for Windows Client | 8.7 | High | 2023-06-13
CVE-2023-28602 | Zoom Client data forgery vulnerability | Zoom for Windows Client | 2.8 | Low | 2023-06-13
CVE-2023-33959 | Verification bypass can cause users into verifying the wrong artifact | notation-go | 8.4 | High | 2023-06-06

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) represent 362 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.