CWE-347
AllowedImproper Verification of Cryptographic Signature
Abstraction: Base · Status: Draft
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
1128 vulnerabilities reference this CWE, most recent first.
GHSA-4HJ2-QWWR-PXG3
Vulnerability from github – Published: 2023-08-30 18:30 – Updated: 2024-01-25 18:30A vulnerability in Cisco Emergency Responder, Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an authenticated, remote attacker to elevate privileges to root on an affected device.
This vulnerability exists because the application does not properly restrict the files that are being used for upgrades. An attacker could exploit this vulnerability by providing a crafted upgrade file. A successful exploit could allow the attacker to elevate privileges to root. To exploit this vulnerability, the attacker must have valid platform administrator credentials on an affected device.
{
"affected": [],
"aliases": [
"CVE-2023-20266"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-30T17:15:08Z",
"severity": "HIGH"
},
"details": "A vulnerability in Cisco Emergency Responder, Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), and Cisco Unity Connection could allow an authenticated, remote attacker to elevate privileges to root on an affected device.\n\n This vulnerability exists because the application does not properly restrict the files that are being used for upgrades. An attacker could exploit this vulnerability by providing a crafted upgrade file. A successful exploit could allow the attacker to elevate privileges to root. To exploit this vulnerability, the attacker must have valid platform administrator credentials on an affected device.",
"id": "GHSA-4hj2-qwwr-pxg3",
"modified": "2024-01-25T18:30:43Z",
"published": "2023-08-30T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20266"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-priv-esc-D8Bky5eg"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4MQG-7W7J-8X9R
Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32Improper verification of cryptographic signature in App Control for Business (WDAC) allows an unauthorized attacker to bypass a security feature locally.
{
"affected": [],
"aliases": [
"CVE-2025-33069"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T17:22:53Z",
"severity": "MODERATE"
},
"details": "Improper verification of cryptographic signature in App Control for Business (WDAC) allows an unauthorized attacker to bypass a security feature locally.",
"id": "GHSA-4mqg-7w7j-8x9r",
"modified": "2025-06-10T18:32:29Z",
"published": "2025-06-10T18:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33069"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33069"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4MXG-3P6V-XGQ3
Vulnerability from github – Published: 2025-07-28 20:38 – Updated: 2025-08-08 14:53Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature.
This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username.
To conduct the attack an attacker would need a validly signed document from the identity provider (IdP).
In fixing this we made sure to process the SAML assertions from only verified/authenticated contents. This will prevent future variants from coming up.
Note: this is distinct from the previous xml-crypto CVEs.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.1"
},
"package": {
"ecosystem": "npm",
"name": "@node-saml/node-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "passport-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.1"
},
"package": {
"ecosystem": "npm",
"name": "@node-saml/passport-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54419"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-28T20:38:44Z",
"nvd_published_at": "2025-07-28T20:17:48Z",
"severity": "CRITICAL"
},
"details": "Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature.\n\nThis allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username.\n\nTo conduct the attack an attacker would need a validly signed document from the identity provider (IdP).\n\nIn fixing this we made sure to process the SAML assertions from only verified/authenticated contents. This will prevent future variants from coming up. \n\nNote: this is distinct from the previous xml-crypto CVEs.",
"id": "GHSA-4mxg-3p6v-xgq3",
"modified": "2025-08-08T14:53:55Z",
"published": "2025-07-28T20:38:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/node-saml/node-saml/security/advisories/GHSA-4mxg-3p6v-xgq3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54419"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10"
},
{
"type": "PACKAGE",
"url": "https://github.com/node-saml/node-saml"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/node-saml/releases/tag/v5.1.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Node-SAML SAML Signature Verification Vulnerability"
}
GHSA-4P9J-M37V-X8J7
Vulnerability from github – Published: 2024-09-25 12:30 – Updated: 2024-09-25 12:30Improper verification of cryptographic signature during installation of a Printer driver via the TeamViewer_service.exe component of TeamViewer Remote Clients prior version 15.58.4 for Windows allows an attacker with local unprivileged access on a Windows system to elevate their privileges and install drivers.
{
"affected": [],
"aliases": [
"CVE-2024-7481"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-25T11:15:12Z",
"severity": "HIGH"
},
"details": "Improper verification of cryptographic signature during installation of a Printer driver via the TeamViewer_service.exe component of TeamViewer Remote Clients prior version 15.58.4 for Windows allows an attacker with local unprivileged access on a Windows system to elevate their privileges and install drivers.",
"id": "GHSA-4p9j-m37v-x8j7",
"modified": "2024-09-25T12:30:40Z",
"published": "2024-09-25T12:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7481"
},
{
"type": "WEB",
"url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2024-1006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4PXQ-QC65-2PQQ
Vulnerability from github – Published: 2023-10-23 15:30 – Updated: 2024-04-04 08:53Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows Code Injection. This issue affects Zscaler Client Connector for Linux: before 1.3.1.6.
{
"affected": [],
"aliases": [
"CVE-2023-28796"
],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T14:15:09Z",
"severity": "HIGH"
},
"details": "\nImproper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows Code Injection. This issue affects Zscaler Client Connector for Linux: before 1.3.1.6.\n\n\n\n",
"id": "GHSA-4pxq-qc65-2pqq",
"modified": "2024-04-04T08:53:02Z",
"published": "2023-10-23T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28796"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux\u0026applicable_version=1.3.1\u0026deployment_date=2022-09-19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4Q4X-67HX-5MPG
Vulnerability from github – Published: 2021-08-25 20:44 – Updated: 2023-06-13 17:43Affected versions of this crate did not properly verify ed25519 signatures. Any signature with a correct length was considered valid. This allows an attacker to impersonate any node identity.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "libp2p-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-15545"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T21:23:31Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of this crate did not properly verify ed25519 signatures. Any signature with a correct length was considered valid. This allows an attacker to impersonate any node identity.",
"id": "GHSA-4q4x-67hx-5mpg",
"modified": "2023-06-13T17:43:58Z",
"published": "2021-08-25T20:44:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15545"
},
{
"type": "PACKAGE",
"url": "https://github.com/libp2p/rust-libp2p"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2019-0004.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Failure to properly verify ed25519 signatures in libp2p-core"
}
GHSA-4QFQ-VJF3-59QG
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13An improper verification of cryptographic signature vulnerability exists in Cortex XSOAR SAML authentication that enables an unauthenticated network-based attacker with specific knowledge of the Cortex XSOAR instance to access protected resources and perform unauthorized actions on the Cortex XSOAR server. This issue impacts: Cortex XSOAR 5.5.0 builds earlier than 1578677; Cortex XSOAR 6.0.2 builds earlier than 1576452; Cortex XSOAR 6.1.0 builds earlier than 1578663; Cortex XSOAR 6.2.0 builds earlier than 1578666. All Cortex XSOAR instances hosted by Palo Alto Networks are protected from this vulnerability; no additional action is required for these instances.
{
"affected": [],
"aliases": [
"CVE-2021-3051"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T17:15:00Z",
"severity": "HIGH"
},
"details": "An improper verification of cryptographic signature vulnerability exists in Cortex XSOAR SAML authentication that enables an unauthenticated network-based attacker with specific knowledge of the Cortex XSOAR instance to access protected resources and perform unauthorized actions on the Cortex XSOAR server. This issue impacts: Cortex XSOAR 5.5.0 builds earlier than 1578677; Cortex XSOAR 6.0.2 builds earlier than 1576452; Cortex XSOAR 6.1.0 builds earlier than 1578663; Cortex XSOAR 6.2.0 builds earlier than 1578666. All Cortex XSOAR instances hosted by Palo Alto Networks are protected from this vulnerability; no additional action is required for these instances.",
"id": "GHSA-4qfq-vjf3-59qg",
"modified": "2022-05-24T19:13:20Z",
"published": "2022-05-24T19:13:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3051"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2021-3051"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4V5M-7XCR-CG68
Vulnerability from github – Published: 2025-10-25 00:30 – Updated: 2025-10-25 00:30Deck Mate 1 executes firmware directly from an external EEPROM without verifying authenticity or integrity. An attacker with physical access can replace or reflash the EEPROM to run arbitrary code that persists across reboots. Because this design predates modern secure-boot or signed-update mechanisms, affected systems should be physically protected or retired from service. The vendor has not indicated that firmware updates are available for this legacy model.
{
"affected": [],
"aliases": [
"CVE-2025-34503"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-24T23:15:47Z",
"severity": "HIGH"
},
"details": "Deck Mate 1 executes firmware directly from an external EEPROM without verifying authenticity or integrity. An attacker with physical access can replace or reflash the EEPROM to run arbitrary code that persists across reboots. Because this design predates modern secure-boot or signed-update mechanisms, affected systems should be physically protected or retired from service. The vendor has not indicated that firmware updates are available for this legacy model.",
"id": "GHSA-4v5m-7xcr-cg68",
"modified": "2025-10-25T00:30:39Z",
"published": "2025-10-25T00:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34503"
},
{
"type": "WEB",
"url": "https://www.ioactive.com/wp-content/uploads/2025/05/IOActive-card-shuffler-security.pdf"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/shuffle-master-deck-mate-1-unauthenticated-eeprom-firmware-execution"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4V9X-X766-GMM3
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28This issue was addressed by verifying host keys when connecting to a previously-known SSH server. This issue is fixed in iOS 13.1 and iPadOS 13.1. An attacker in a privileged network position may be able to intercept SSH traffic from the “Run script over SSH” action.
{
"affected": [],
"aliases": [
"CVE-2019-8901"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-27T21:15:00Z",
"severity": "MODERATE"
},
"details": "This issue was addressed by verifying host keys when connecting to a previously-known SSH server. This issue is fixed in iOS 13.1 and iPadOS 13.1. An attacker in a privileged network position may be able to intercept SSH traffic from the \u201cRun script over SSH\u201d action.",
"id": "GHSA-4v9x-x766-gmm3",
"modified": "2022-05-24T22:28:12Z",
"published": "2022-05-24T22:28:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8901"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT210603"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4VC4-M8QH-G8JM
Vulnerability from github – Published: 2025-03-12 20:20 – Updated: 2025-11-03 21:33Summary
An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack.
Impact
This issue may lead to authentication bypass.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "ruby-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "ruby-saml"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-25291"
],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-12T20:20:24Z",
"nvd_published_at": "2025-03-12T21:15:42Z",
"severity": "CRITICAL"
},
"details": "### Summary\nAn authentication bypass vulnerability was found in ruby-saml due to a parser differential.\nReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack.\n\n### Impact\nThis issue may lead to authentication bypass.",
"id": "GHSA-4vc4-m8qh-g8jm",
"modified": "2025-11-03T21:33:11Z",
"published": "2025-03-12T20:20:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-4vc4-m8qh-g8jm"
},
{
"type": "WEB",
"url": "https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25291"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released"
},
{
"type": "WEB",
"url": "https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials"
},
{
"type": "PACKAGE",
"url": "https://github.com/SAML-Toolkits/ruby-saml"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4"
},
{
"type": "WEB",
"url": "https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-saml/CVE-2025-25291.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00011.html"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=43374519"
},
{
"type": "WEB",
"url": "https://portswigger.net/research/saml-roulette-the-hacker-always-wins"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250314-0010"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2024-329_GHSL-2024-330_ruby-saml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)"
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.