CWE-347
Improper Verification of Cryptographic Signature
Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-463 · CAPEC-475
CVEs mapped to this weakness (357)
page 18 of 18| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-6174 | — | 0.00 | — | 0.01 | Feb 5, 2020 | TUF (aka The Update Framework) through 0.12.1 has Improper Verification of a Cryptographic Signature. | ||
| CVE-2020-5390 | — | 0.00 | — | 0.01 | Jan 13, 2020 | PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus… | ||
| CVE-2019-14859 | — | 0.00 | — | 0.02 | Jan 2, 2020 | A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could… | ||
| CVE-2019-18835 | — | 0.00 | — | 0.01 | Nov 7, 2019 | Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers. | ||
| CVE-2019-3465 | — | 0.00 | — | 0.03 | Nov 7, 2019 | Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML… | ||
| CVE-2019-15545 | — | 0.00 | — | 0.01 | Aug 26, 2019 | An issue was discovered in the libp2p-core crate before 0.8.1 for Rust. Attackers can spoof ed25519 signatures. | ||
| CVE-2016-10932 | — | 0.00 | — | 0.01 | Aug 26, 2019 | An issue was discovered in the hyper crate before 0.9.4 for Rust on Windows. There is an HTTPS man-in-the-middle vulnerability because hostname verification was omitted. | ||
| CVE-2019-9154 | — | 0.00 | — | 0.02 | Aug 22, 2019 | Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed. | ||
| CVE-2019-9153 | — | 0.00 | — | 0.02 | Aug 22, 2019 | Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature. | ||
| CVE-2019-10201 | 0.00 | — | 0.01 | Aug 14, 2019 | It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the sections, the message is still accepted, and the message can be modified. An attacker could use this… | |||
| CVE-2019-13177 | — | 0.00 | — | 0.02 | Jul 2, 2019 | verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code… | ||
| CVE-2019-11841 | — | 0.00 | — | 0.02 | May 22, 2019 | A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash"… | ||
| CVE-2018-12356 | Cri | 0.00 | 9.8 | 0.05 | Jun 15, 2018 | An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files… | ||
| CVE-2014-3577 | 0.00 | — | 0.09 | Aug 21, 2014 | org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate,… | |||
| CVE-2013-4346 | 0.00 | — | 0.02 | May 20, 2014 | The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL. | |||
| CVE-2014-1498 | 0.00 | — | 0.02 | Mar 19, 2014 | The crypto.generateCRMFRequest method in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not properly validate a certain key type, which allows remote attackers to cause a denial of service (application crash) via vectors that trigger generation of a key that supports… | |||
| CVE-2011-3965 | 0.00 | — | 0.01 | Feb 9, 2012 | Google Chrome before 17.0.963.46 does not properly check signatures, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors. |
- CVE-2020-6174Feb 5, 2020risk 0.00cvss —epss 0.01
TUF (aka The Update Framework) through 0.12.1 has Improper Verification of a Cryptographic Signature.
- CVE-2020-5390Jan 13, 2020risk 0.00cvss —epss 0.01
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is signed can be in different places and thus…
- CVE-2019-14859Jan 2, 2020risk 0.00cvss —epss 0.02
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could…
- CVE-2019-18835Nov 7, 2019risk 0.00cvss —epss 0.01
Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.
- CVE-2019-3465Nov 7, 2019risk 0.00cvss —epss 0.03
Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for example by SimpleSAMLphp, performed incorrect validation of cryptographic signatures in XML messages, allowing an authenticated attacker to impersonate others or elevate privileges by creating a crafted XML…
- CVE-2019-15545Aug 26, 2019risk 0.00cvss —epss 0.01
An issue was discovered in the libp2p-core crate before 0.8.1 for Rust. Attackers can spoof ed25519 signatures.
- CVE-2016-10932Aug 26, 2019risk 0.00cvss —epss 0.01
An issue was discovered in the hyper crate before 0.9.4 for Rust on Windows. There is an HTTPS man-in-the-middle vulnerability because hostname verification was omitted.
- CVE-2019-9154Aug 22, 2019risk 0.00cvss —epss 0.02
Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed.
- CVE-2019-9153Aug 22, 2019risk 0.00cvss —epss 0.02
Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature.
- CVE-2019-10201Aug 14, 2019risk 0.00cvss —epss 0.01
It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the sections, the message is still accepted, and the message can be modified. An attacker could use this…
- CVE-2019-13177Jul 2, 2019risk 0.00cvss —epss 0.02
verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code…
- CVE-2019-11841May 22, 2019risk 0.00cvss —epss 0.02
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash"…
- risk 0.00cvss 9.8epss 0.05
An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files…
- CVE-2014-3577Aug 21, 2014risk 0.00cvss —epss 0.09
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate,…
- CVE-2013-4346May 20, 2014risk 0.00cvss —epss 0.02
The Server.verify_request function in SimpleGeo python-oauth2 does not check the nonce, which allows remote attackers to perform replay attacks via a signed URL.
- CVE-2014-1498Mar 19, 2014risk 0.00cvss —epss 0.02
The crypto.generateCRMFRequest method in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not properly validate a certain key type, which allows remote attackers to cause a denial of service (application crash) via vectors that trigger generation of a key that supports…
- CVE-2011-3965Feb 9, 2012risk 0.00cvss —epss 0.01
Google Chrome before 17.0.963.46 does not properly check signatures, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors.