VYPR

CWE-347

Improper Verification of Cryptographic Signature

Base · Draft

Description

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-463 · CAPEC-475

CVEs mapped to this weakness (357)

page 16 of 18
  • CVE-2022-24773 · Mar 18, 2022
    risk 0.00 · cvss · epss 0.01

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification…

  • CVE-2022-24771 · Mar 18, 2022
    risk 0.00 · cvss · epss 0.01

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals…

  • CVE-2022-24759 · Mar 17, 2022
    risk 0.00 · cvss · epss 0.00

    `@chainsafe/libp2p-noise` contains a TypeScript implementation of the Noise protocol, an encryption protocol used in libp2p. `@chainsafe/libp2p-noise` before 4.1.2 and 5.0.3 does not correctly validate signatures during the handshake process. This may allow a man-in-the-middle to pose…

  • CVE-2021-20319 · Mar 4, 2022
    risk 0.00 · cvss · epss 0.01

    An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. An attacker able to modify the original…

  • CVE-2022-23655 · Feb 23, 2022
    risk 0.00 · cvss · epss 0.01

    Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their…

  • CVE-2021-44878 · Jan 6, 2022
    risk 0.00 · cvss · epss 0.01

    If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core…

  • CVE-2021-43568 · Nov 9, 2021
    risk 0.00 · cvss · epss 0.01

    The verify function in the Stark Bank Elixir ECDSA library (ecdsa-elixir) 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

  • CVE-2021-43570 · Nov 9, 2021
    risk 0.00 · cvss · epss 0.01

    The verify function in the Stark Bank Java ECDSA library (ecdsa-java) 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

  • CVE-2021-43571 · Nov 9, 2021
    risk 0.00 · cvss · epss 0.01

    The verify function in the Stark Bank Node.js ECDSA library (ecdsa-node) 1.1.2 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

  • CVE-2021-43572 · Nov 9, 2021
    risk 0.00 · cvss · epss 0.01

    The verify function in the Stark Bank Python ECDSA library (aka starkbank-escada or ecdsa-python) before 2.0.1 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

  • CVE-2021-43569 · Nov 9, 2021
    risk 0.00 · cvss · epss 0.01

    The verify function in the Stark Bank .NET ECDSA library (ecdsa-dotnet) 1.3.1 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

  • CVE-2021-38195 · Aug 8, 2021
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in the libsecp256k1 crate before 0.5.0 for Rust. It can verify an invalid signature because it allows the R or S parameter to be larger than the curve order, aka an overflow.

  • CVE-2021-3680 · Aug 4, 2021
    risk 0.00 · cvss · epss 0.00

    showdoc is vulnerable to Missing Cryptographic Step

  • CVE-2021-32738 · Jul 2, 2021
    risk 0.00 · cvss · epss 0.01

    js-stellar-sdk is a JavaScript library for communicating with a Stellar Horizon server. The `Utils.readChallengeTx` function used in SEP-10 Stellar Web Authentication states in its function documentation that it reads and validates the challenge transaction including verifying…

  • CVE-2021-32685 · Jun 16, 2021
    risk 0.00 · cvss · epss 0.01

    tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any…

  • CVE-2021-29451 · Apr 16, 2021
    risk 0.00 · cvss · epss 0.01

    Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.

  • CVE-2021-21405 · Apr 15, 2021
    risk 0.00 · cvss · epss 0.01

    Lotus is an implementation of the Filecoin protocol written in Go. BLS signature validation in lotus uses blst library method VerifyCompressed. This method accepts signatures in 2 forms: "serialized", and "compressed", meaning that BLS signatures can be provided as either of 2…

  • CVE-2021-30246 · Apr 7, 2021
    risk 0.00 · cvss · epss 0.01

    In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack.

  • CVE-2021-30130 · Apr 6, 2021
    risk 0.00 · cvss · epss 0.01

    phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.

  • CVE-2021-21238 · Jan 21, 2021
    risk 0.00 · cvss · epss 0.01

    PySAML2 is a pure Python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to validate signed SAML documents are impacted. The vulnerability is a variant of XML…