VYPR

CWE-347

Improper Verification of Cryptographic Signature

BaseDraft

Description

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-463 · CAPEC-475

CVEs mapped to this weakness (357)

page 9 of 18
  • CVE-2026-9793MedMay 28, 2026
    risk 0.38cvss 5.9epss 0.00

    A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit…

  • CVE-2025-54549MedOct 29, 2025
    risk 0.38cvss 5.9epss 0.00

    Cryptographic validation of upgrade images could be circumventing by dropping a specifically crafted file into the upgrade ISO

  • CVE-2024-8036MedOct 25, 2024
    risk 0.38cvss 5.9epss 0.00

    ABB is aware of privately reported vulnerabilities in the product versions referenced in this CVE. An attacker could exploit these vulnerabilities by sending a specially crafted firmware or configuration to the system node, causing the node to stop, become inaccessible, or…

  • CVE-2018-0501MedAug 21, 2018
    risk 0.38cvss 5.9epss 0.01

    The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.

  • CVE-2018-6664MedMay 25, 2018
    risk 0.38cvss 5.8epss 0.01

    Application Protections Bypass vulnerability in Microsoft Windows in McAfee Data Loss Prevention (DLP) Endpoint before 10.0.500 and DLP Endpoint before 11.0.400 allows authenticated users to bypass the product block action via a command-line utility.

  • CVE-2018-4111MedApr 3, 2018
    risk 0.38cvss 5.9epss 0.01

    An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the "Mail" component. It allows man-in-the-middle attackers to read S/MIME encrypted message content by sending HTML e-mail that references remote resources but lacks a valid…

  • CVE-2017-15090MedJan 23, 2018
    risk 0.38cvss 5.9epss 0.01

    An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 4.0.0 and up to and including 4.0.6, where the signatures might have been accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in…

  • CVE-2026-34068MedApr 22, 2026
    risk 0.37cvss 6.8epss 0.00

    nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, the staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` while omitting `new_proof_of_knowledge`. this skips the…

  • CVE-2026-21002MedMar 16, 2026
    risk 0.36cvss 5.5epss 0.00

    Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application.

  • CVE-2025-43521MedDec 12, 2025
    risk 0.36cvss 5.5epss 0.00

    A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.3, macOS Tahoe 26.2. An app may be able to access sensitive user data.

  • CVE-2025-43468MedNov 4, 2025
    risk 0.36cvss 5.5epss 0.00

    A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access sensitive user data.

  • CVE-2024-1721MedMay 21, 2024
    risk 0.36cvss epss 0.00

    Improper Verification of Cryptographic Signature vulnerability in HYPR Passwordless on Windows allows Malicious Software Update.This issue affects HYPR Passwordless: before 9.1.

  • CVE-2018-10407MedJun 13, 2018
    risk 0.36cvss 5.5epss 0.00

    An issue was discovered in Carbon Black Cb Response. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by…

  • CVE-2016-8021MedMar 14, 2017
    risk 0.36cvss 5.0epss 0.03

    Improper verification of cryptographic signature vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote authenticated users to spoof update server and execute arbitrary code via a crafted input file.

  • CVE-2025-68113MedDec 16, 2025
    risk 0.35cvss 6.5epss 0.00

    ALTCHA is privacy-first software for captcha and bot protection. A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce,…

  • CVE-2018-10470MedJun 12, 2018
    risk 0.35cvss 5.3epss 0.01

    Little Snitch versions 4.0 to 4.0.6 use the SecStaticCodeCheckValidityWithErrors() function without the kSecCSCheckAllArchitectures flag and therefore do not validate all architectures stored in a fat binary. An attacker can maliciously craft a fat binary containing multiple…

  • CVE-2018-6459MedFeb 20, 2018
    risk 0.35cvss 5.3epss 0.01

    The rsa_pss_params_parse function in libstrongswan/credentials/keys/signature_params.c in strongSwan 5.6.1 allows remote attackers to cause a denial of service via a crafted RSASSA-PSS signature that lacks a mask generation function parameter.

  • CVE-2025-67903MedMay 27, 2026
    risk 0.34cvss 5.3epss 0.00

    Northern.tech Mender Client 5 before 5.0.4 allows a Cryptographic signature verification bypass.

  • CVE-2026-6966MedApr 24, 2026
    risk 0.34cvss 5.3epss 0.00

    Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept…

  • CVE-2024-50347MedOct 31, 2024
    risk 0.34cvss epss 0.00

    Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Prior to 1.4.0, there is an issue where verification signatures for requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as…