CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class 382

382 vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature). AI Chinese analysis included.

CWE-347 represents a critical integrity weakness where software fails to properly validate cryptographic signatures attached to data or code. Attackers typically exploit this flaw by intercepting communications or modifying stored files, substituting legitimate content with malicious payloads that lack valid digital signatures. Because the application accepts these unsigned or tampered inputs as authentic, it executes unauthorized commands or processes corrupted data, potentially leading to complete system compromise or data loss. To prevent this vulnerability, developers must implement rigorous verification routines that strictly check every incoming or processed item against its expected cryptographic signature using trusted public keys. This ensures that any alteration, even a single bit change, is detected and rejected. Additionally, employing secure key management practices and avoiding custom cryptographic implementations further strengthens the system’s defense against signature forgery and tampering attacks.

MITRE CWE Description
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Common Consequences (1)
Access Control, Integrity, Confidentiality: Gain Privileges or Assume Identity; Modify Application Data; Execute Unauthorized Code or Commands
An attacker could gain access to sensitive data and possibly execute unauthorized code.
Examples (1)
In the following code, a JarFile object is created from a downloaded file.
    File f = new File(downloadedFilePath);
    JarFile jf = new JarFile(f);
Bad · Java
CVE ID | Title | CVSS | Severity | Published
CVE-2020-3138 | Cisco Enterprise NFV Infrastructure Software Remote Code Execution Vulnerability — NA | 6.7 | - | 2020-02-19
CVE-2019-14859 | python-ecdsa data forgery vulnerability — python-ecdsa | 9.1 | - | 2020-01-02
CVE-2019-0071 | Junos OS: EX2300, EX3400 Series: Veriexec signature checking not enforced in specific versions of Junos OS — Junos OS | 7.8 | High | 2019-10-09
CVE-2019-12662 | Cisco NX-OS and IOS XE Software Virtual Service Image Signature Bypass Vulnerability — Cisco NX-OS Software 6.0(2)A1(1) | 6.7 | - | 2019-09-25
CVE-2019-12649 | Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability — Cisco IOS XE Software 3.2.11aSG | 6.7 | - | 2019-09-25
CVE-2019-10136 | spacewalk data forgery vulnerability — spacewalk | 4.3 | - | 2019-07-02
CVE-2019-1811 | Cisco NX-OS CLI Command Software Image Signature Verification Vulnerabilities — Cisco NX-OS Software | 6.7 | - | 2019-05-15
CVE-2019-1812 | Cisco NX-OS CLI Command Software Image Signature Verification Vulnerabilities — Cisco NX-OS Software | 6.7 | - | 2019-05-15
CVE-2019-1813 | Cisco NX-OS CLI Command Software Image Signature Verification Vulnerability — Cisco NX-OS Software | 6.7 | - | 2019-05-15
CVE-2019-1808 | Cisco MDS 9700 Series Multilayer Directors and Nexus 7000/7700 Series Switches Software Patch Signature Verification Vulnerability — Cisco NX-OS Software | 4.4 | - | 2019-05-15
CVE-2019-1809 | Cisco NX-OS Software Patch Signature Verification Bypass Vulnerability — Cisco NX-OS Software | 6.0 | - | 2019-05-15
CVE-2019-1810 | Cisco Nexus 3000 Series and 9000 Series Switches in NX-OS Mode CLI Command Software Image Signature Verification Vulnerability — Cisco NX-OS Software | 6.7 | - | 2019-05-15
CVE-2019-1728 | Cisco FXOS and NX-OS Software Secure Configuration Bypass Vulnerability — Cisco NX-OS Software | 6.7 | - | 2019-05-15
CVE-2019-1615 | Cisco NX-OS Software Image Signature Verification Vulnerability — Nexus 3000 Series Switches | 6.7 | - | 2019-03-11
CVE-2018-16557 | Siemens SIMATIC S7-400 data forgery vulnerability — SIMATIC S7-400 CPU 412-1 DP V7 | 8.2 | High | 2018-12-13
CVE-2018-15374 | Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability — Cisco IOS XE Software | 6.7 | - | 2018-10-05
CVE-2018-10470 | Objective Development Little Snitch security vulnerability — Little Snitch | 8.2 | - | 2018-06-12
CVE-2017-15090 | PowerDNS Recursor DNSSEC validation component security vulnerability — PowerDNS | 5.9 | - | 2018-01-23
CVE-2018-0114 | Cisco node-jose open source library data forgery vulnerability — Node-jose Library | 7.5 | - | 2018-01-04
CVE-2017-12331 | Multiple Cisco products Cisco NX-OS System Software security vulnerability — Cisco NX-OS | 6.7 | - | 2017-11-30
CVE-2017-12333 | Multiple Cisco products Cisco NX-OS System Software security vulnerability — Cisco NX-OS | 6.7 | - | 2017-11-30
CVE-2013-3900 | WinVerifyTrust Signature Validation Vulnerability — Windows 10 Version 1809 | 5.5 | Medium | 2013-12-11

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) represent 382 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.