VYPR

CWE-347

Improper Verification of Cryptographic Signature

Base · Draft

Description

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-463 · CAPEC-475

CVEs mapped to this weakness (357)

page 7 of 18
  • CVE-2018-15374 · Med · Oct 5, 2018
    risk 0.44 · cvss 6.7 · epss 0.00

    A vulnerability in the Image Verification feature of Cisco IOS XE Software could allow an authenticated, local attacker to install a malicious software image or file on an affected device. The vulnerability is due to the affected software improperly verifying digital signatures…

  • CVE-2018-5383 · Med · Aug 7, 2018
    risk 0.44 · cvss 6.8 · epss 0.01

    Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate elliptic curve parameters used to generate public keys during a…

  • CVE-2017-12333 · Med · Nov 30, 2017
    risk 0.44 · cvss 6.7 · epss 0.00

    A vulnerability in Cisco NX-OS System Software could allow an authenticated, local attacker to bypass signature verification when loading a software image. The vulnerability is due to insufficient NX-OS signature verification for software images. An authenticated, local attacker…

  • CVE-2017-12331 · Med · Nov 30, 2017
    risk 0.44 · cvss 6.7 · epss 0.00

    A vulnerability in Cisco NX-OS System Software could allow an authenticated, local attacker to bypass signature verification when loading a software patch. The vulnerability is due to insufficient NX-OS signature verification for software patches. An authenticated, local…

  • CVE-2017-8190 · Med · Nov 22, 2017
    risk 0.44 · cvss 6.7 · epss 0.00

    FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper verification of cryptographic signature vulnerability. The software does not verify the cryptographic signature. An attacker with high privilege may exploit this vulnerability to inject malicious software.

  • CVE-2017-11400 · Med · Nov 20, 2017
    risk 0.44 · cvss 6.8 · epss 0.00

    An issue has been discovered on the Belden Hirschmann Tofino Xenon Security Appliance before 03.2.00. An incomplete firmware signature allows a local attacker to upgrade the equipment (kernel, file system) with unsigned, attacker-controlled, data. This occurs because the…

  • CVE-2026-42743 · Med · Jun 15, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Unauthenticated Broken Authentication in Masteriyo - LMS <= 2.1.8 versions.

  • CVE-2026-50634 · Med · Jun 12, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata…

  • CVE-2026-39829 · Hig · May 22, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated…

  • CVE-2026-44714 · Hig · May 15, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both…

  • CVE-2026-42501 · Hig · May 7, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can…

  • CVE-2026-5050 · Hig · Apr 16, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature…

  • CVE-2026-34240 · Hig · Mar 31, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    JOSE is a JavaScript Object Signing and Encryption (JOSE) library. Prior to version 0.3.5+1, a vulnerability in jose could allow an unauthenticated, remote attacker to forge valid JWS/JWT tokens by using a key embedded in the JOSE header (jwk). The vulnerability exists because…

  • CVE-2026-33895 · Hig · Mar 27, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (`S >= L`). A valid…

  • CVE-2026-33894 · Hig · Mar 27, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing…

  • CVE-2026-33487 · Hig · Mar 26, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when…

  • CVE-2026-4258 · Hig · Mar 17, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and…

  • CVE-2026-32614 · Hig · Mar 16, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC. Prior to 0.41.1, the current SM9 decryption implementation contains an infinity-point ciphertext forgery…

  • CVE-2024-36347 · Med · Jun 27, 2025
    risk 0.42 · cvss 6.4 · epss 0.00

    Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in…

  • CVE-2024-2451 · Med · May 28, 2024
    risk 0.42 · cvss 6.4 · epss 0.00

    Improper fingerprint validation in the TeamViewer Client (Full & Host) prior to Version 15.54 for Windows and macOS allows an attacker with administrative user rights to further elevate privileges via executable sideloading.