CWE-347
AllowedImproper Verification of Cryptographic Signature
Abstraction: Base · Status: Draft
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
1124 vulnerabilities reference this CWE, most recent first.
GHSA-V5RV-HPXG-8X49
Vulnerability from github – Published: 2021-01-13 19:13 – Updated: 2021-01-13 19:12ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "ServiceStack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28042"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2021-01-13T19:12:58Z",
"nvd_published_at": "2020-11-02T21:15:00Z",
"severity": "MODERATE"
},
"details": "ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.",
"id": "GHSA-v5rv-hpxg-8x49",
"modified": "2021-01-13T19:12:58Z",
"published": "2021-01-13T19:13:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28042"
},
{
"type": "WEB",
"url": "https://github.com/ServiceStack/ServiceStack/commit/540d4060e877a03ae95343c1a8560a26768585ee"
},
{
"type": "WEB",
"url": "https://forums.servicestack.net/t/servicestack-v5-9-2-released/8850"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-DOTNET-SERVICESTACK-1035519"
},
{
"type": "WEB",
"url": "https://www.nuget.org/packages/ServiceStack"
},
{
"type": "WEB",
"url": "https://www.shielder.it/advisories/servicestack-jwt-signature-verification-bypass"
},
{
"type": "WEB",
"url": "https://www.shielder.it/blog/2020/11/re-discovering-a-jwt-authentication-bypass-in-servicestack"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Signature validation bypass in ServiceStack"
}
GHSA-V6JX-GJW3-J6MV
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2023-03-24 18:30A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability exists because software digital signatures are not properly verified during CLI command execution. An attacker could exploit this vulnerability to install an unsigned software image on an affected device.
{
"affected": [],
"aliases": [
"CVE-2019-1813"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-15T23:29:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability exists because software digital signatures are not properly verified during CLI command execution. An attacker could exploit this vulnerability to install an unsigned software image on an affected device.",
"id": "GHSA-v6jx-gjw3-j6mv",
"modified": "2023-03-24T18:30:19Z",
"published": "2022-05-24T16:45:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1813"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-sisv2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108425"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V7MH-QPQ8-5G5P
Vulnerability from github – Published: 2024-07-08 21:31 – Updated: 2025-09-26 15:30The /n software IPWorks SSH library SFTPServer component can be induced to make unintended filesystem or network path requests when loading a SSH public key or certificate. To be exploitable, an application calling the SFTPServer component must grant user access without verifying the SSH public key or certificate (which would most likely be a separate vulnerability in the calling application). IPWorks SSH versions 22.0.8945 and 24.0.8945 were released to address this condition by blocking all filesystem and network path requests for SSH public keys or certificates.
{
"affected": [],
"aliases": [
"CVE-2024-6580"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-08T19:15:10Z",
"severity": "LOW"
},
"details": "The /n software IPWorks SSH library SFTPServer component can be induced to make unintended filesystem or network path requests when loading a SSH public key or certificate. To be exploitable, an application calling the SFTPServer component must grant user access without verifying the SSH public key or certificate (which would most likely be a separate vulnerability in the calling application).\u00a0IPWorks SSH versions 22.0.8945 and 24.0.8945 were released to address this condition by blocking all filesystem and network path requests for SSH public keys or certificates.",
"id": "GHSA-v7mh-qpq8-5g5p",
"modified": "2025-09-26T15:30:23Z",
"published": "2024-07-08T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6580"
},
{
"type": "WEB",
"url": "https://www.nsoftware.com/kb/articles/cve-2024-5806"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:X/V:D/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V825-MC9M-64QR
Vulnerability from github – Published: 2025-11-27 00:30 – Updated: 2025-11-28 21:31XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted.
An attacker can remove the signature from the XML document to make it pass the verification check.
XML-Sig is a Perl module to validate signatures on XML files. An unsigned XML file should return an error message. The affected versions return true when attempting to validate an XML file that contains no signatures.
{
"affected": [],
"aliases": [
"CVE-2025-40934"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-26T23:15:47Z",
"severity": "CRITICAL"
},
"details": "XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted.\n\nAn attacker can remove the signature from the XML document to make it pass the verification check.\n\nXML-Sig is a Perl module to validate signatures on XML files.\u00a0 An unsigned XML file should return an error message.\u00a0 The affected versions return true when attempting to validate an XML file that contains no signatures.",
"id": "GHSA-v825-mc9m-64qr",
"modified": "2025-11-28T21:31:18Z",
"published": "2025-11-27T00:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40934"
},
{
"type": "WEB",
"url": "https://github.com/perl-net-saml2/perl-XML-Sig/issues/63"
},
{
"type": "WEB",
"url": "https://github.com/perl-net-saml2/perl-XML-Sig/pull/64"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VC2C-7FWX-X7MR
Vulnerability from github – Published: 2026-06-29 09:30 – Updated: 2026-06-29 09:30Lack of validation for firmware update in Hitachi Hitachi Virtual Storage Platform One Block 23, 24, 26, 28.
This issue affects Hitachi Virtual Storage Platform One Block 23, 24, 26, 28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.
{
"affected": [],
"aliases": [
"CVE-2025-0824"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T07:16:23Z",
"severity": "LOW"
},
"details": "Lack of validation for firmware update\u00a0in Hitachi Hitachi Virtual Storage Platform One Block 23, 24, 26, 28.\n\nThis issue affects Hitachi Virtual Storage Platform One Block 23, 24, 26, 28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.",
"id": "GHSA-vc2c-7fwx-x7mr",
"modified": "2026-06-29T09:30:27Z",
"published": "2026-06-29T09:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0824"
},
{
"type": "WEB",
"url": "https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_308.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VF4W-FG7R-5V94
Vulnerability from github – Published: 2021-04-07 20:56 – Updated: 2021-04-23 00:22phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpseclib/phpseclib"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpseclib/phpseclib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-30130"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-07T17:29:49Z",
"nvd_published_at": "2021-04-06T15:15:00Z",
"severity": "HIGH"
},
"details": "phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.",
"id": "GHSA-vf4w-fg7r-5v94",
"modified": "2021-04-23T00:22:49Z",
"published": "2021-04-07T20:56:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30130"
},
{
"type": "WEB",
"url": "https://github.com/phpseclib/phpseclib/pull/1635"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2021-30130.yaml"
},
{
"type": "WEB",
"url": "https://github.com/phpseclib/phpseclib/releases/tag/2.0.31"
},
{
"type": "WEB",
"url": "https://github.com/phpseclib/phpseclib/releases/tag/3.0.7"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00025.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Certificate Validation in phpseclib"
}
GHSA-VGH8-J259-M77W
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43Dr.Web Security Space versions 11 and 12 allow elevation of privilege for local users without administrative privileges to NT AUTHORITY\SYSTEM due to insufficient control during autoupdate.
{
"affected": [],
"aliases": [
"CVE-2020-23967"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-08T15:15:00Z",
"severity": "HIGH"
},
"details": "Dr.Web Security Space versions 11 and 12 allow elevation of privilege for local users without administrative privileges to NT AUTHORITY\\SYSTEM due to insufficient control during autoupdate.",
"id": "GHSA-vgh8-j259-m77w",
"modified": "2022-05-24T17:43:49Z",
"published": "2022-05-24T17:43:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23967"
},
{
"type": "WEB",
"url": "https://amonitoring.ru/article/drweb"
},
{
"type": "WEB",
"url": "https://habr.com/ru/company/pm/blog/509592"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=q7Kqi7kE59U"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VGQ2-GXQP-V52X
Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2024-04-03 23:52A Security Bypass vulnerability exists in Ubuntu Cobbler before 2,2,2 in the cobbler-ubuntu-import script due to an error when verifying the GPG signature.
{
"affected": [],
"aliases": [
"CVE-2012-2092"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-06T17:15:00Z",
"severity": "MODERATE"
},
"details": "A Security Bypass vulnerability exists in Ubuntu Cobbler before 2,2,2 in the cobbler-ubuntu-import script due to an error when verifying the GPG signature.",
"id": "GHSA-vgq2-gxqp-v52x",
"modified": "2024-04-03T23:52:47Z",
"published": "2022-04-23T00:40:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2092"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74789"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2092"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/04/10/14"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/52971"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VGR7-MV6H-5GWQ
Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2023-02-02 15:30redhat-upgrade-tool: Does not check GPG signatures when upgrading versions
{
"affected": [],
"aliases": [
"CVE-2014-3585"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-22T15:15:00Z",
"severity": "HIGH"
},
"details": "redhat-upgrade-tool: Does not check GPG signatures when upgrading versions",
"id": "GHSA-vgr7-mv6h-5gwq",
"modified": "2023-02-02T15:30:30Z",
"published": "2022-05-17T19:57:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3585"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2014:1396"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2015:2395"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2014-3585"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1126002"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3585"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VJ5W-XW66-QJQ5
Vulnerability from github – Published: 2025-08-21 21:32 – Updated: 2025-08-21 21:32Improper verification of cryptographic signature in Windows Certificates allows an unauthorized attacker to perform spoofing over a network.
{
"affected": [],
"aliases": [
"CVE-2025-55229"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-21T20:15:47Z",
"severity": "MODERATE"
},
"details": "Improper verification of cryptographic signature in Windows Certificates allows an unauthorized attacker to perform spoofing over a network.",
"id": "GHSA-vj5w-xw66-qjq5",
"modified": "2025-08-21T21:32:07Z",
"published": "2025-08-21T21:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55229"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55229"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.