VYPR

CWE-354

Improper Validation of Integrity Check Value

Abstraction: Base · Status: Draft · Likelihood: Medium

Description

The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

Improper validation of checksums before use introduces an unnecessary risk that is easy to mitigate. The protocol specification describes the algorithm used to calculate the checksum; it is then a simple matter of implementing that calculation and verifying that the computed checksum matches the received one. Skipping or botching that comparison can lead to consequences far out of proportion to the small cost of the check.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-145 · CAPEC-463 · CAPEC-75

CVEs mapped to this weakness (56)

  • CVE-2026-32600 (Mar 13, 2026) · risk 0.00 · cvss · epss 0.00

    xml-security is a library that implements XML signatures and encryption. Prior to versions 2.3.1 and 1.13.9, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an…

  • CVE-2026-32313 (Mar 13, 2026) · risk 0.00 · cvss · epss 0.00

    xmlseclibs is a library written in PHP for working with XML Encryption and Signatures. Prior to 3.1.5, XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an…

  • CVE-2026-31839 (Mar 11, 2026) · risk 0.00 · cvss · epss 0.00

    Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content,…

  • CVE-2026-26275 (Feb 19, 2026) · risk 0.00 · cvss · epss 0.00

    httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if…

  • CVE-2026-25934 (Feb 9, 2026) · risk 0.00 · cvss · epss 0.00

    go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted…

  • CVE-2025-25183 (Feb 7, 2025) · risk 0.00 · cvss · epss 0.00

    vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Maliciously constructed statements can lead to hash collisions, resulting in cache reuse, which can interfere with subsequent responses and cause unintended behavior. Prefix caching makes use…

  • CVE-2024-52550 (Nov 13, 2024) · risk 0.00 · cvss · epss 0.00

    Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile)…

  • CVE-2024-41909 (Aug 12, 2024) · risk 0.00 · cvss · epss 0.01

    Like many other SSH implementations, Apache MINA SSHD suffered from the issue that is more widely known as CVE-2023-48795. An attacker that can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to…

  • CVE-2023-46445 (Nov 14, 2023) · risk 0.00 · cvss · epss 0.01

    An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation."

  • CVE-2023-46446 (Nov 14, 2023) · risk 0.00 · cvss · epss 0.01

    An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack."

  • CVE-2023-34459 (Jun 16, 2023) · risk 0.00 · cvss · epss 0.00

    OpenZeppelin Contracts is a library for smart contract development. Starting in version 4.7.0 and prior to version 4.9.2, when the `verifyMultiProof`, `verifyMultiProofCalldata`, `processMultiProof`, or `processMultiProofCalldata` functions are in use, it is possible to…

  • CVE-2022-35961 (Aug 14, 2022) · risk 0.00 · cvss · epss 0.00

    OpenZeppelin Contracts is a library for secure smart contract development. The functions `ECDSA.recover` and `ECDSA.tryRecover` are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature…

  • CVE-2022-29173 (May 5, 2022) · risk 0.00 · cvss · epss 0.01

    go-tuf is a Go implementation of The Update Framework (TUF). go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker…

  • CVE-2021-41206 (Nov 5, 2021) · risk 0.00 · cvss · epss 0.00

    TensorFlow is an open source platform for machine learning. In affected versions several TensorFlow operations are missing validation for the shapes of the tensor arguments involved in the call. Depending on the API, this can result in undefined behavior and segfault or…

  • CVE-2021-20184 (Jan 28, 2021) · risk 0.00 · cvss · epss 0.01

    It was found in Moodle before versions 3.10.1, 3.9.4 and 3.8.7 that insufficient capability checks in some grade-related web services meant students were able to view other students' grades.

  • CVE-2020-13845 (Jul 14, 2020) · risk 0.00 · cvss · epss 0.01

    Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a…