
CWE-347 (Improper Verification of Cryptographic Signature) — Vulnerability Class 371

371 vulnerabilities are classified as CWE-347 (Improper Verification of Cryptographic Signature). AI-generated Chinese analysis is included for each entry.

CWE-347 is an integrity weakness in which software fails to verify, or verifies incorrectly, the cryptographic signature attached to data or code. An attacker who can intercept a communication or modify a stored file replaces legitimate content with a payload that carries no valid signature, or a signature that does not belong to the expected signer. Because the application accepts the unsigned or tampered input as authentic, it executes unauthorized commands or processes corrupted data, which can lead to full system compromise or data loss. To prevent this weakness, developers must verify every signed item against its signature using a trusted, pinned public key before acting on it, and treat a missing, malformed, or mismatched signature as a hard failure, so that any alteration, even a single bit, is detected and rejected. Sound key management and the use of well-reviewed cryptographic libraries rather than custom implementations further reduce the risk of signature forgery and tampering.

MITRE CWE Description

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Common Consequences (1)

Scope: Access Control, Integrity, Confidentiality
Impact: Gain Privileges or Assume Identity, Modify Application Data, Execute Unauthorized Code or Commands
An attacker could gain access to sensitive data and possibly execute unauthorized code.

Examples (1)

In the following code, a JarFile object is created from a downloaded file.

    import java.io.File;
    import java.util.jar.JarFile;

    // The file may have come from an untrusted source.
    File f = new File(downloadedFilePath);
    // The JAR is opened and used without checking who signed it (if anyone).
    JarFile jf = new JarFile(f);

(Bad example, Java.) The JAR, which was potentially downloaded from an untrusted source, is opened without any check that its contents are signed by an expected signer. The constructor that takes a boolean verify parameter should be used, and the code signers of each entry should be checked against a trusted certificate.
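As an added example, not taken from MITRE's entry or from this page, the defensive counterpart: open the JAR with verification enabled, read every entry to the end so its digest is actually checked, and require each entry's code signer to match a pinned certificate. The method name and the caller-supplied trustedSigner certificate are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Accepts a downloaded JAR only if every content entry is signed by the pinned signer. */
public final class SignedJarCheck {

    /** Returns true only if every non-metadata entry verifies and was signed with trustedSigner. */
    public static boolean isFullySignedBy(File jar, X509Certificate trustedSigner) throws IOException {
        // verify=true makes JarFile compare each entry's digest with the signed manifest as it is read.
        try (JarFile jf = new JarFile(jar, true)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Directories and the signature files themselves carry no code signers of their own.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Code signers are only populated once the entry has been read to EOF;
                // a modified entry throws SecurityException during the read.
                try (InputStream in = jf.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger digest check */ }
                } catch (SecurityException tampered) {
                    return false;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) return false; // unsigned entry, e.g. added after signing
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    // The first certificate in the path is the signer's leaf certificate;
                    // "has a signature" is not enough, since anyone can self-sign a JAR.
                    if (s.getSignerCertPath().getCertificates().get(0).equals(trustedSigner)) {
                        trusted = true;
                        break;
                    }
                }
                if (!trusted) return false; // signed, but not by the expected signer
            }
            return true;
        }
    }
}
```

Pinning the leaf certificate is the simplest trust decision; a deployment that rotates signing keys would instead validate the certificate path to a trusted CA and check revocation.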
| CVE ID | Title | Affected product | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2020-15216 | Signature Validation Bypass in goxmldsig | goxmldsig | 5.3 | Medium | 2020-09-29 |
| CVE-2020-14365 | Red Hat Ansible data forgery vulnerability | ansible | 7.1 | - | 2020-09-23 |
| CVE-2019-1736 | Multiple Cisco UCS-Based Products UEFI Secure Boot Bypass Vulnerability | Cisco Identity Services Engine Software | 6.6 | - | 2020-09-23 |
| CVE-2020-14515 | WIBU CodeMeter data forgery vulnerability | CodeMeter | 7.5 | - | 2020-09-16 |
| CVE-2020-10759 | fwupd data forgery vulnerability | fwupd | 6.0 | - | 2020-09-15 |
| CVE-2020-15705 | GRUB2: avoid loading unsigned kernels when GRUB is booted directly under secureboot without shim | grub2 in Ubuntu | 6.4 | Medium | 2020-07-29 |
| CVE-2020-10608 | Multiple OSIsoft products data forgery vulnerability | OSIsoft PI System multiple products and versions | 7.8 | - | 2020-07-24 |
| CVE-2016-7064 | Pritunl-client data forgery vulnerability | pritunl-client-electron | 7.5 | - | 2020-07-21 |
| CVE-2020-15093 | Improper verification of signature threshold in tough | tough | 8.6 | High | 2020-07-09 |
| CVE-2020-15091 | Denial of Service in TenderMint | tendermint | 6.5 | Medium | 2020-07-02 |
| CVE-2020-2021 | PAN-OS: Authentication Bypass in SAML Authentication | PAN-OS | 10.0 | Critical | 2020-06-29 |
| CVE-2020-9047 | exacqVision Software - Improper Verification of Cryptographic Signature | exacqVision Web Service versions 20.03.2.0 and prior | 6.8 | Medium | 2020-06-26 |
| CVE-2020-3209 | Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability | Cisco IOS XE Software 3.2.0SG | 6.8 | - | 2020-06-03 |
| CVE-2020-9753 | Naver Whale Browser Installer data forgery vulnerability | Whale Browser Installer | 9.1 | - | 2020-05-20 |
| CVE-2020-12046 | Opto 22 SoftPAC Project data forgery vulnerability | Opto 22 SoftPAC Project | 6.5 | - | 2020-05-14 |
| CVE-2020-12042 | Opto 22 SoftPAC Project data forgery vulnerability | Opto 22 SoftPAC Project | 5.5 | - | 2020-05-14 |
| CVE-2020-5407 | Signature Wrapping Vulnerability with spring-security-saml2-service-provider | Spring Security | 8.1 | - | 2020-05-13 |
| CVE-2020-3308 | Cisco Firepower Threat Defense Software Signature Verification Bypass Vulnerability | Cisco Firepower Threat Defense Software | 6.5 | - | 2020-05-06 |
| CVE-2020-8324 | Lenovo System Interface Foundation input validation error vulnerability | LenovoAppScenarioPluginSystem for Lenovo System Interface Foundation | 5.0 | Medium | 2020-04-14 |
| CVE-2020-3138 | Cisco Enterprise NFV Infrastructure Software Remote Code Execution Vulnerability | NA | 6.7 | - | 2020-02-19 |
| CVE-2019-14859 | python-ecdsa data forgery vulnerability | python-ecdsa | 9.1 | - | 2020-01-02 |
| CVE-2019-0071 | Junos OS: EX2300, EX3400 Series: Veriexec signature checking not enforced in specific versions of Junos OS | Junos OS | 7.8 | High | 2019-10-09 |
| CVE-2019-12662 | Cisco NX-OS and IOS XE Software Virtual Service Image Signature Bypass Vulnerability | Cisco NX-OS Software 6.0(2)A1(1) | 6.7 | - | 2019-09-25 |
| CVE-2019-12649 | Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability | Cisco IOS XE Software 3.2.11aSG | 6.7 | - | 2019-09-25 |
| CVE-2019-10136 | spacewalk data forgery vulnerability | spacewalk | 4.3 | - | 2019-07-02 |
| CVE-2019-1811 | Cisco NX-OS CLI Command Software Image Signature Verification Vulnerabilities | Cisco NX-OS Software | 6.7 | - | 2019-05-15 |
| CVE-2019-1812 | Cisco NX-OS CLI Command Software Image Signature Verification Vulnerabilities | Cisco NX-OS Software | 6.7 | - | 2019-05-15 |
| CVE-2019-1813 | Cisco NX-OS CLI Command Software Image Signature Verification Vulnerability | Cisco NX-OS Software | 6.7 | - | 2019-05-15 |
| CVE-2019-1808 | Cisco MDS 9700 Series Multilayer Directors and Nexus 7000/7700 Series Switches Software Patch Signature Verification Vulnerability | Cisco NX-OS Software | 4.4 | - | 2019-05-15 |
| CVE-2019-1809 | Cisco NX-OS Software Patch Signature Verification Bypass Vulnerability | Cisco NX-OS Software | 6.0 | - | 2019-05-15 |

A "-" in the Severity column means no severity rating was recorded for that entry.

Vulnerabilities classified as CWE-347 (Improper Verification of Cryptographic Signature) account for 371 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.