VYPR

CWE-345

Insufficient Verification of Data Authenticity

ClassDraft

Description

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-148 · CAPEC-218 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-665 · CAPEC-701

CVEs mapped to this weakness (306)

page 13 of 16
  • CVE-2023-45292Dec 11, 2023
    risk 0.00cvss epss 0.00

    When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to…

  • CVE-2023-44402Dec 1, 2023
    risk 0.00cvss epss 0.00

    Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. Apps without these fuses enabled are not…

  • CVE-2023-49087Nov 30, 2023
    risk 0.00cvss epss 0.00

    xml-security is a library that implements XML signatures and encryption. Validation of an XML signature requires verification that the hash value of the related XML-document matches a specific DigestValue-value, but also that the cryptographic signature on the SignedInfo-tree…

  • CVE-2023-47631Nov 14, 2023
    risk 0.00cvss epss 0.00

    vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). In affected versions a node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the…

  • CVE-2023-47630Nov 14, 2023
    risk 0.00cvss epss 0.00

    Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The…

  • CVE-2023-46446Nov 14, 2023
    risk 0.00cvss epss 0.01

    An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack."

  • CVE-2023-46445Nov 14, 2023
    risk 0.00cvss epss 0.01

    An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation."

  • CVE-2023-5548Nov 9, 2023
    risk 0.00cvss epss 0.00

    Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.

  • CVE-2023-43800Oct 18, 2023
    risk 0.00cvss epss 0.00

    Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his…

  • CVE-2023-43666Oct 16, 2023
    risk 0.00cvss epss 0.00

    Insufficient Verification of Data Authenticity vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,  General user can view all user data like Admin account. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve…

  • CVE-2023-39347Sep 26, 2023
    risk 0.00cvss epss 0.00

    Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses…

  • CVE-2015-8371Sep 21, 2023
    risk 0.00cvss epss 0.01

    Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the…

  • CVE-2023-43636Sep 20, 2023
    risk 0.00cvss epss 0.00

    In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing the encrypted data located in the vault. As per the “measured boot” design, the PCR values calculated at different stages of the boot process will change if any of their respective…

  • CVE-2023-26141Sep 14, 2023
    risk 0.00cvss epss 0.01

    Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests.

  • CVE-2023-41045Aug 31, 2023
    risk 0.00cvss epss 0.00

    Graylog is a free and open log management platform. Graylog makes use of only one single source port for DNS queries. Graylog binds a single socket for outgoing DNS queries and while that socket is bound to a random port number it is never changed again. This goes against…

  • CVE-2023-0264Aug 4, 2023
    risk 0.00cvss epss 0.01

    A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session…

  • CVE-2023-37920Jul 25, 2023
    risk 0.00cvss epss 0.00

    Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an…

  • CVE-2023-37264Jul 7, 2023
    risk 0.00cvss epss 0.00

    Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will…

  • CVE-2023-32993May 16, 2023
    risk 0.00cvss epss 0.00

    Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

  • CVE-2023-23941Feb 3, 2023
    risk 0.00cvss epss 0.00

    SwagPayPal is a PayPal integration for shopware/platform. If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order.…