VYPR

CWE-347

Improper Verification of Cryptographic Signature

Base · Draft

Description

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-463 · CAPEC-475

CVEs mapped to this weakness (357)

page 10 of 18
  • CVE-2024-36277 · Med · Jun 17, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper verification of cryptographic signature issue exists in "FreeFrom - the nostr client" App versions prior to 1.3.5 for Android and iOS. The affected app cannot detect event data with invalid signatures.

  • CVE-2017-8177 · Med · Nov 22, 2017
    risk 0.34 · cvss 5.3 · epss 0.00

    Huawei APP HiWallet versions earlier than 5.0.3.100 do not support signature verification for APK files. An attacker could exploit this vulnerability to hijack the APK and upload a modified APK file. A successful exploit could lead to the app being hijacked.

  • CVE-2021-1461 · Med · Nov 18, 2024
    risk 0.32 · cvss 4.9 · epss 0.00

    A vulnerability in the Image Signature Verification feature of Cisco SD-WAN Software could allow an authenticated, remote attacker with Administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper…

  • CVE-2026-33467 · Med · Apr 28, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity…

  • CVE-2026-32883 · Med · Mar 30, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in…

  • CVE-2026-32294 · Med · Mar 17, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.

  • CVE-2025-27498 · Med · Mar 3, 2025
    risk 0.29 · cvss · epss 0.00

    aes-gcm is a pure Rust implementation of the AES-GCM. In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect. This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be…

  • CVE-2024-53267 · Med · Nov 26, 2024
    risk 0.29 · cvss 5.5 · epss 0.00

    sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients…

  • CVE-2026-48523 · Med · May 28, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms…

  • CVE-2018-1000539 · Med · Jun 26, 2018
    risk 0.28 · cvss 5.3 · epss 0.01

    Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability in Decryption of AES-GCM encrypted JSON Web Tokens that can result in an attacker forging an authentication tag. This attack appears to be exploitable via…

  • CVE-2017-13083 · Med · Oct 18, 2017
    risk 0.28 · cvss 5.3 · epss 0.01

    Akeo Consulting Rufus prior to version 2.17.1187 does not adequately validate the integrity of updates downloaded over HTTP, allowing an attacker to easily convince a user to execute arbitrary code.

  • CVE-2016-1494 · Med · Jan 13, 2016
    risk 0.28 · cvss 5.3 · epss 0.07

    The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.

  • CVE-2026-44309 · Med · May 15, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Gitsign is a keyless Sigstore tool for signing Git commits with your GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying…

  • CVE-2026-41301 · Med · Apr 21, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to…

  • CVE-2026-34155 · Med · Mar 31, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB cause an integer overflow which results in a signature which covers only the first few bytes of the payload. Given such a…

  • CVE-2026-24850 · Med · Jan 28, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures…

  • CVE-2026-24807 · Med · Jan 27, 2026
    risk 0.27 · cvss · epss 0.00

    Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java. This issue…

  • CVE-2026-2625 · Med · Apr 3, 2026
    risk 0.26 · cvss 4.0 · epss 0.00

    A flaw was found in rust-rpm-sequoia. An attacker can exploit this vulnerability by providing a specially crafted Red Hat Package Manager (RPM) file. During the RPM signature verification process, this crafted file can trigger an error in the OpenPGP signature parsing code,…

  • CVE-2025-31335 · Med · Mar 28, 2025
    risk 0.26 · cvss 4.0 · epss 0.00

    The OpenSAML C++ library before 3.3.1 allows forging of signed SAML messages via parameter manipulation (when using SAML bindings that rely on non-XML signatures).

  • CVE-2026-45614 · Med · Jun 3, 2026
    risk 0.24 · cvss 4.7 · epss 0.00

    OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. Prior to version 4.11.0, on many of the ECDH shared secret paths, the public key isn't verified to be a point on the…