
CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class 362

362 vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature). AI Chinese analysis included.

CWE-347 represents a critical integrity weakness where software fails to properly validate cryptographic signatures attached to data or code. Attackers typically exploit this flaw by intercepting communications or modifying stored files, substituting legitimate content with malicious payloads that lack valid digital signatures. Because the application accepts these unsigned or tampered inputs as authentic, it executes unauthorized commands or processes corrupted data, potentially leading to complete system compromise or data loss. To prevent this vulnerability, developers must implement rigorous verification routines that strictly check every incoming or processed item against its expected cryptographic signature using trusted public keys. This ensures that any alteration, even a single-bit change, is detected and rejected. Additionally, employing secure key management practices and avoiding custom cryptographic implementations further strengthens the system’s defense against signature forgery and tampering attacks.
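The verification routine the paragraph above calls for, written as an added Go example that is not part of this page, of MITRE's CWE entry, or of any listed product. It uses Go's standard crypto/ed25519 package; the pinned trusted-key list, the VerifyArtifact and Demo functions, and the JSON payload are constructed for this illustration. It checks the four outcomes a verifier must get right: a genuine signed artifact is accepted, while a one-bit modification, a missing signature, and a signature made under a key that is not in the trusted set are all rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// VerifyArtifact accepts payload only if sig is a valid Ed25519 signature
// over it under one of the pinned trusted public keys. Tampered data, a
// missing or malformed signature, and a signature from an unknown signer
// all fail closed. (Hypothetical helper, constructed for this example.)
func VerifyArtifact(trusted []ed25519.PublicKey, payload, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("missing or malformed signature")
	}
	for _, pk := range trusted {
		if ed25519.Verify(pk, payload, sig) {
			return nil
		}
	}
	return errors.New("signature does not verify under any trusted key")
}

// Demo runs the four cases and reports whether each was handled correctly,
// so the behaviour can be checked on return values rather than output.
func Demo() (map[string]bool, error) {
	// Trusted signer: in a real system this public key is pinned in the
	// verifier, never taken from the artifact being verified.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// A second key pair that is NOT trusted, standing in for an attacker's key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	trusted := []ed25519.PublicKey{pub}

	// Constructed sample artifact (e.g. a package manifest) and its signature.
	payload := []byte(`{"package":"example","version":"1.2.3"}`)
	sig := ed25519.Sign(priv, payload)

	results := map[string]bool{}

	// 1. Genuine artifact with a valid signature is accepted.
	results["genuine accepted"] = VerifyArtifact(trusted, payload, sig) == nil

	// 2. Flipping a single bit of the payload must invalidate the signature.
	tampered := append([]byte(nil), payload...)
	tampered[len(tampered)-2] ^= 0x01
	results["one-bit tamper rejected"] = VerifyArtifact(trusted, tampered, sig) != nil

	// 3. An unsigned artifact is never accepted, regardless of content.
	results["unsigned rejected"] = VerifyArtifact(trusted, payload, nil) != nil

	// 4. A well-formed signature from a signer outside the trusted set is rejected.
	forged := ed25519.Sign(otherPriv, payload)
	results["untrusted signer rejected"] = VerifyArtifact(trusted, payload, forged) != nil

	return results, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-28s %v\n", name, ok)
	}
}
```

The important design point is that the trusted keys are an input the verifier owns: a signature is only evidence of integrity relative to a key you already trust, so a verifier that reads the public key out of the artifact it is checking (a recurring pattern in the CVEs listed below) proves nothing.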

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Common Consequences (1)
Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands
Note: An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file.
Bad · Java
    import java.io.File;
    import java.util.jar.JarFile;

    // The archive came from an untrusted download, yet nothing checks that it
    // carries a valid signature from a trusted signer before it is used.
    File f = new File(downloadedFilePath);
    JarFile jf = new JarFile(f);
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-33185 | Incorrect signature verification in django-ses | django-ses | 4.6 | Medium | 2023-05-26
CVE-2022-4418 | Acronis Cyber Protect data forgery vulnerability | Acronis Cyber Protect Home Office | 7.8 | - | 2023-05-18
CVE-2023-25934 | Dell EMC ECS data forgery vulnerability | ECS | 5.9 | Medium | 2023-05-04
CVE-2023-28228 | Windows Spoofing Vulnerability | Windows 10 Version 1809 | 5.5 | Medium | 2023-04-11
CVE-2023-28226 | Windows Enroll Engine Security Feature Bypass Vulnerability | Windows 10 Version 1809 | 5.3 | Medium | 2023-04-11
CVE-2022-20929 | Cisco Enterprise NFV Infrastructure Software data forgery vulnerability | Cisco Enterprise NFV Infrastructure Software | 7.8 | High | 2023-03-08
CVE-2021-43074 | Fortinet FortiSwitch and FortiWeb data forgery vulnerability | FortiSwitch | 4.1 | Medium | 2023-02-16
CVE-2023-23940 | OpenZeppelin Contracts for Cairo is vulnerable to signature validation bypass | cairo-contracts | 6.4 | Medium | 2023-02-03
CVE-2022-34459 | Multiple Dell products data forgery vulnerability | Dell Command Update (DCU) | 7.8 | High | 2023-02-01
CVE-2023-23928 | reason-jose ignores signature checks | reason-jose | 5.9 | Medium | 2023-02-01
CVE-2023-22742 | libgit2 fails to verify SSH keys by default | libgit2 | 5.3 | Medium | 2023-01-20
CVE-2022-46176 | Cargo did not verify SSH host keys | cargo | 5.3 | Medium | 2023-01-11
CVE-2022-23507 | Light client verification not taking into account chain ID | tendermint-rs | 5.4 | Medium | 2022-12-15
CVE-2022-41666 | Schneider Electric EcoStruxure Operator Terminal Expert data forgery vulnerability | EcoStruxure Operator Terminal Expert | 7.0 | High | 2022-11-04
CVE-2022-41669 | Schneider Electric EcoStruxure Operator Terminal Expert data forgery vulnerability | EcoStruxure Operator Terminal Expert | 7.0 | High | 2022-11-04
CVE-2022-31123 | Grafana plugin signature bypass vulnerability | grafana | 6.1 | Medium | 2022-10-13
CVE-2022-39300 | Signature bypass via multiple root elements in node-SAML | node-saml | 7.7 | High | 2022-10-13
CVE-2022-39299 | Signature bypass via multiple root elements in Passport-SAML | passport-saml | 7.4 | High | 2022-10-12
CVE-2022-20944 | Cisco IOS XE Software for Catalyst 9200 Series Switches Arbitrary Code Execution Vulnerability | Cisco IOS XE Software | 6.1 | Medium | 2022-10-10
CVE-2022-39237 | Digital Signature Hash Algorithms Not Validated in sylabs/sif | sif | 6.3 | Medium | 2022-10-06
CVE-2022-36056 | Vulnerabilities with blob verification in sigstore cosign | cosign | 5.5 | Medium | 2022-09-14
CVE-2022-39200 | Signature checks not applied to some retrieved missing events | dendrite | 7.3 | High | 2022-09-12
CVE-2021-3521 | Red Hat Enterprise Linux data forgery vulnerability | RPM | 5.3 | - | 2022-08-22
CVE-2022-2790 | Emerson Proficy Machine Edition data forgery vulnerability | Proficy Machine Edition | 5.9 | Medium | 2022-08-19
CVE-2022-28752 | Local Privilege Escalation in the Zoom Rooms for Windows Client | Zoom Room for Conference Room for Windows | 8.8 | High | 2022-08-17
CVE-2022-28751 | Local Privilege Escalation in Zoom Client for Meetings for MacOS | Zoom Client for Meetings for MacOS | 8.8 | High | 2022-08-17
CVE-2022-28756 | Local Privilege Escalation in Auto Updater for Zoom Client for Meetings for macOS | Zoom Client for Meetings for MacOS | 8.8 | High | 2022-08-15
CVE-2022-35930 | Ability to bypass attestation verification in sigstore PolicyController | policy-controller | 7.1 | High | 2022-08-04
CVE-2022-35929 | False positive signature verification in cosign | cosign | 7.1 | High | 2022-08-04
CVE-2020-35169 | Dell BSAFE input validation error vulnerability | Dell BSAFE Crypto-C Micro Edition | 9.1 | Critical | 2022-07-11

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) represent 362 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.