CWE-345
Insufficient Verification of Data Authenticity
Description
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-148 · CAPEC-218 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-665 · CAPEC-701
CVEs mapped to this weakness (306)
page 13 of 16| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-45292 | 0.00 | — | 0.00 | Dec 11, 2023 | When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to… | |||
| CVE-2023-44402 | 0.00 | — | 0.00 | Dec 1, 2023 | Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. Apps without these fuses enabled are not… | |||
| CVE-2023-49087 | — | 0.00 | — | 0.00 | Nov 30, 2023 | xml-security is a library that implements XML signatures and encryption. Validation of an XML signature requires verification that the hash value of the related XML-document matches a specific DigestValue-value, but also that the cryptographic signature on the SignedInfo-tree… | ||
| CVE-2023-47631 | 0.00 | — | 0.00 | Nov 14, 2023 | vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). In affected versions a node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the… | |||
| CVE-2023-47630 | 0.00 | — | 0.00 | Nov 14, 2023 | Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The… | |||
| CVE-2023-46446 | — | 0.00 | — | 0.01 | Nov 14, 2023 | An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." | ||
| CVE-2023-46445 | — | 0.00 | — | 0.01 | Nov 14, 2023 | An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation." | ||
| CVE-2023-5548 | 0.00 | — | 0.00 | Nov 9, 2023 | Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection. | |||
| CVE-2023-43800 | — | 0.00 | — | 0.00 | Oct 18, 2023 | Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his… | ||
| CVE-2023-43666 | 0.00 | — | 0.00 | Oct 16, 2023 | Insufficient Verification of Data Authenticity vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, General user can view all user data like Admin account. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve… | |||
| CVE-2023-39347 | 0.00 | — | 0.00 | Sep 26, 2023 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses… | |||
| CVE-2015-8371 | 0.00 | — | 0.01 | Sep 21, 2023 | Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the… | |||
| CVE-2023-43636 | — | 0.00 | — | 0.00 | Sep 20, 2023 | In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing the encrypted data located in the vault. As per the “measured boot” design, the PCR values calculated at different stages of the boot process will change if any of their respective… | ||
| CVE-2023-26141 | 0.00 | — | 0.01 | Sep 14, 2023 | Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests. | |||
| CVE-2023-41045 | 0.00 | — | 0.00 | Aug 31, 2023 | Graylog is a free and open log management platform. Graylog makes use of only one single source port for DNS queries. Graylog binds a single socket for outgoing DNS queries and while that socket is bound to a random port number it is never changed again. This goes against… | |||
| CVE-2023-0264 | 0.00 | — | 0.01 | Aug 4, 2023 | A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session… | |||
| CVE-2023-37920 | — | 0.00 | — | 0.00 | Jul 25, 2023 | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an… | ||
| CVE-2023-37264 | 0.00 | — | 0.00 | Jul 7, 2023 | Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will… | |||
| CVE-2023-32993 | 0.00 | — | 0.00 | May 16, 2023 | Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections. | |||
| CVE-2023-23941 | — | 0.00 | — | 0.00 | Feb 3, 2023 | SwagPayPal is a PayPal integration for shopware/platform. If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order.… |
- CVE-2023-45292Dec 11, 2023risk 0.00cvss —epss 0.00
When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to…
- CVE-2023-44402Dec 1, 2023risk 0.00cvss —epss 0.00
Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. Apps without these fuses enabled are not…
- CVE-2023-49087Nov 30, 2023risk 0.00cvss —epss 0.00
xml-security is a library that implements XML signatures and encryption. Validation of an XML signature requires verification that the hash value of the related XML-document matches a specific DigestValue-value, but also that the cryptographic signature on the SignedInfo-tree…
- CVE-2023-47631Nov 14, 2023risk 0.00cvss —epss 0.00
vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). In affected versions a node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the…
- CVE-2023-47630Nov 14, 2023risk 0.00cvss —epss 0.00
Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The…
- CVE-2023-46446Nov 14, 2023risk 0.00cvss —epss 0.01
An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack."
- CVE-2023-46445Nov 14, 2023risk 0.00cvss —epss 0.01
An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation."
- CVE-2023-5548Nov 9, 2023risk 0.00cvss —epss 0.00
Stronger revision number limitations were required on file serving endpoints to improve cache poisoning protection.
- CVE-2023-43800Oct 18, 2023risk 0.00cvss —epss 0.00
Arduino Create Agent is a package to help manage Arduino development. The vulnerability affects the endpoint `/v2/pkgs/tools/installed`. A user who has the ability to perform HTTP requests to the localhost interface, or is able to bypass the CORS configuration, can escalate his…
- CVE-2023-43666Oct 16, 2023risk 0.00cvss —epss 0.00
Insufficient Verification of Data Authenticity vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, General user can view all user data like Admin account. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve…
- CVE-2023-39347Sep 26, 2023risk 0.00cvss —epss 0.00
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses…
- CVE-2015-8371Sep 21, 2023risk 0.00cvss —epss 0.01
Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the…
- CVE-2023-43636Sep 20, 2023risk 0.00cvss —epss 0.00
In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing the encrypted data located in the vault. As per the “measured boot” design, the PCR values calculated at different stages of the boot process will change if any of their respective…
- CVE-2023-26141Sep 14, 2023risk 0.00cvss —epss 0.01
Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests.
- CVE-2023-41045Aug 31, 2023risk 0.00cvss —epss 0.00
Graylog is a free and open log management platform. Graylog makes use of only one single source port for DNS queries. Graylog binds a single socket for outgoing DNS queries and while that socket is bound to a random port number it is never changed again. This goes against…
- CVE-2023-0264Aug 4, 2023risk 0.00cvss —epss 0.01
A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session…
- CVE-2023-37920Jul 25, 2023risk 0.00cvss —epss 0.00
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an…
- CVE-2023-37264Jul 7, 2023risk 0.00cvss —epss 0.00
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will…
- CVE-2023-32993May 16, 2023risk 0.00cvss —epss 0.00
Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.
- CVE-2023-23941Feb 3, 2023risk 0.00cvss —epss 0.00
SwagPayPal is a PayPal integration for shopware/platform. If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order.…