CWE-345
Insufficient Verification of Data Authenticity
Description
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-111 · CAPEC-141 · CAPEC-142 · CAPEC-148 · CAPEC-218 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-665 · CAPEC-701
CVEs mapped to this weakness (306)
page 14 of 16| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-23940 | — | 0.00 | — | 0.00 | Feb 3, 2023 | OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using… | ||
| CVE-2022-3347 | 0.00 | — | 0.00 | Dec 27, 2022 | DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain. | |||
| CVE-2022-3346 | 0.00 | — | 0.00 | Dec 27, 2022 | DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain… | |||
| CVE-2022-23556 | 0.00 | — | 0.00 | Dec 22, 2022 | CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched, please upgrade to version 4.2.11 or later, and configure `Config\App::$proxyIPs`. As a… | |||
| CVE-2022-23491 | — | 0.00 | — | 0.01 | Dec 7, 2022 | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from… | ||
| CVE-2022-36111 | 0.00 | — | 0.00 | Nov 23, 2022 | immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not… | |||
| CVE-2022-39199 | 0.00 | — | 0.00 | Nov 22, 2022 | immudb is a database with built-in cryptographic proof and verification. immudb client SDKs use server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. SDK does not… | |||
| CVE-2022-2255 | 0.00 | — | 0.01 | Aug 25, 2022 | A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing. | |||
| CVE-2022-22846 | — | 0.00 | — | 0.01 | Jan 9, 2022 | The dnslib package through 0.9.16 for Python does not verify that the ID value in a DNS reply matches an ID value in a query. | ||
| CVE-2021-41203 | 0.00 | — | 0.00 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions an attacker can trigger undefined behavior, integer overflows, segfaults and `CHECK`-fail crashes if they can change saved checkpoints from outside of TensorFlow. This is because the checkpoints… | |||
| CVE-2021-41106 | 0.00 | — | 0.00 | Sep 28, 2021 | JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated… | |||
| CVE-2021-41087 | — | 0.00 | — | 0.00 | Sep 21, 2021 | in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass… | ||
| CVE-2021-32014 | — | 0.00 | — | 0.01 | Jul 19, 2021 | SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js. | ||
| CVE-2021-28678 | — | 0.00 | — | 0.01 | Jun 2, 2021 | An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data. | ||
| CVE-2021-20267 | — | 0.00 | — | 0.01 | May 28, 2021 | A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of… | ||
| CVE-2021-32640 | — | 0.00 | — | 0.03 | May 25, 2021 | ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425e… | ||
| CVE-2021-21320 | 0.00 | — | 0.01 | Mar 2, 2021 | matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix… | |||
| CVE-2020-15262 | 0.00 | — | 0.01 | Oct 19, 2020 | In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for… | |||
| CVE-2020-15222 | 0.00 | — | 0.01 | Sep 24, 2020 | In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", OpenId specification says… | |||
| CVE-2020-15163 | 0.00 | — | 0.01 | Sep 9, 2020 | Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata… |
- CVE-2023-23940Feb 3, 2023risk 0.00cvss —epss 0.00
OpenZeppelin Contracts for Cairo is a library for secure smart contract development written in Cairo for StarkNet, a decentralized ZK Rollup. `is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. As a result, any contract using…
- CVE-2022-3347Dec 27, 2022risk 0.00cvss —epss 0.00
DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain.
- CVE-2022-3346Dec 27, 2022risk 0.00cvss —epss 0.00
DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain…
- CVE-2022-23556Dec 22, 2022risk 0.00cvss —epss 0.00
CodeIgniter is a PHP full-stack web framework. This vulnerability may allow attackers to spoof their IP address when the server is behind a reverse proxy. This issue has been patched, please upgrade to version 4.2.11 or later, and configure `Config\App::$proxyIPs`. As a…
- CVE-2022-23491Dec 7, 2022risk 0.00cvss —epss 0.01
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from…
- CVE-2022-36111Nov 23, 2022risk 0.00cvss —epss 0.00
immudb is a database with built-in cryptographic proof and verification. In versions prior to 1.4.1, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not…
- CVE-2022-39199Nov 22, 2022risk 0.00cvss —epss 0.00
immudb is a database with built-in cryptographic proof and verification. immudb client SDKs use server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. SDK does not…
- CVE-2022-2255Aug 25, 2022risk 0.00cvss —epss 0.01
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
- CVE-2022-22846Jan 9, 2022risk 0.00cvss —epss 0.01
The dnslib package through 0.9.16 for Python does not verify that the ID value in a DNS reply matches an ID value in a query.
- CVE-2021-41203Nov 5, 2021risk 0.00cvss —epss 0.00
TensorFlow is an open source platform for machine learning. In affected versions an attacker can trigger undefined behavior, integer overflows, segfaults and `CHECK`-fail crashes if they can change saved checkpoints from outside of TensorFlow. This is because the checkpoints…
- CVE-2021-41106Sep 28, 2021risk 0.00cvss —epss 0.00
JWT is a library to work with JSON Web Token and JSON Web Signature. Prior to versions 3.4.6, 4.0.4, and 4.1.5, users of HMAC-based algorithms (HS256, HS384, and HS512) combined with `Lcobucci\JWT\Signer\Key\LocalFileReference` as key are having their tokens issued/validated…
- CVE-2021-41087Sep 21, 2021risk 0.00cvss —epss 0.00
in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass…
- CVE-2021-32014Jul 19, 2021risk 0.00cvss —epss 0.01
SheetJS and SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.
- CVE-2021-28678Jun 2, 2021risk 0.00cvss —epss 0.01
An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImagePlugin did not properly check that reads (after jumping to file offsets) returned data. This could lead to a DoS where the decoder could be run a large number of times on empty data.
- CVE-2021-20267May 28, 2021risk 0.00cvss —epss 0.01
A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of…
- CVE-2021-32640May 25, 2021risk 0.00cvss —epss 0.03
ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425e…
- CVE-2021-21320Mar 2, 2021risk 0.00cvss —epss 0.01
matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix…
- CVE-2020-15262Oct 19, 2020risk 0.00cvss —epss 0.01
In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for…
- CVE-2020-15222Sep 24, 2020risk 0.00cvss —epss 0.01
In ORY Fosite (the security first OAuth2 & OpenID Connect framework for Go) before version 0.31.0, when using "private_key_jwt" authentication the uniqueness of the `jti` value is not checked. When using client authentication method "private_key_jwt", OpenId specification says…
- CVE-2020-15163Sep 9, 2020risk 0.00cvss —epss 0.01
Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata…