Common Weakness Enumeration

CWE-347

Allowed

Improper Verification of Cryptographic Signature

Abstraction: Base · Status: Draft

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

1127 vulnerabilities reference this CWE, most recent first.

GHSA-CH3C-V47X-4PGP

Vulnerability from github – Published: 2023-08-29 17:36 – Updated: 2023-08-29 17:36
VLAI
Summary
Cleartext Signed Message Signature Spoofing in openpgp
Details

Impact

OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This text is signed.
-----BEGIN PGP SIGNATURE-----

wnUEARMIACcFgmTkrNAJkInXCgj0fgcIFiEE1JlKzzDGQxZmmHkYidcKCPR+
BwgAAKXDAQDWGhI7tPbhB+jlKwe4+yPJ+9X8aWDUG60XFNi/w8T7ZgEAsAGd
WJrkm/H5AXGZsqyqqO6IWGF0geTCd4mWm/CsveM=
-----END PGP SIGNATURE-----

These messages typically contain a "Hash: ..." header declaring the hash algorithm used to compute the signature digest. OpenPGP.js up to v5.9.0 ignored any data preceding the "Hash: ..." texts when verifying the signature. As a result, malicious parties could add arbitrary text to a third-party Cleartext Signed Message, to lead the victim to believe that the arbitrary text was signed.

A user or application is vulnerable to said attack vector if it verifies the CleartextMessage by only checking the returned verified property, discarding the associated data information, and instead visually trusting the contents of the original message:

const cleartextMessage = `
-----BEGIN PGP SIGNED MESSAGE-----
This text is not signed but you might think it is. Hash: SHA256

This text is signed.
-----BEGIN PGP SIGNATURE-----

wnUEARMIACcFgmTkrNAJkInXCgj0fgcIFiEE1JlKzzDGQxZmmHkYidcKCPR+
BwgAAKXDAQDWGhI7tPbhB+jlKwe4+yPJ+9X8aWDUG60XFNi/w8T7ZgEAsAGd
WJrkm/H5AXGZsqyqqO6IWGF0geTCd4mWm/CsveM=
-----END PGP SIGNATURE-----
`;
const message = await openpgp.readCleartextMessage({ cleartextMessage });
const verificationResult = await verifyCleartextMessage({ message, verificationKeys });
console.log(await verificationResult.verified); // output: true
console.log(verificationResult.data); // output: 'This text is signed.'

Since verificationResult.data would always contain the actual signed data, users and apps that check this information are not vulnerable. Similarly, given a CleartextMessage object, retrieving the data using getText() or the text field returns only the contents that are considered when verifying the signature. Finally, re-armoring a CleartextMessage object (using armor() will also result in a "sanitised" version, with the extraneous text being removed. Because of this, we consider the vulnerability impact to be very limited when the CleartextMessage is processed programmatically; this is reflected in the Severity CVSS assessment, specifically in the scope's score ("Unchanged").

Patches

  • v5.10.1 (current stable version) will reject messages when calling openpgp.readCleartextMessage()
  • v4.10.11 (legacy version) will reject messages when calling openpgp.cleartext.readArmored()

Workarounds

Check the contents of verificationResult.data to see what data was actually signed, rather than visually trusting the contents of the armored message.

References

Similar CVE: https://sec-consult.com/vulnerability-lab/advisory/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841/

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openpgp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "openpgp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41037"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-29T17:36:40Z",
    "nvd_published_at": "2023-08-29T17:15:13Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nOpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools:\n\n```\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nThis text is signed.\n-----BEGIN PGP SIGNATURE-----\n\nwnUEARMIACcFgmTkrNAJkInXCgj0fgcIFiEE1JlKzzDGQxZmmHkYidcKCPR+\nBwgAAKXDAQDWGhI7tPbhB+jlKwe4+yPJ+9X8aWDUG60XFNi/w8T7ZgEAsAGd\nWJrkm/H5AXGZsqyqqO6IWGF0geTCd4mWm/CsveM=\n-----END PGP SIGNATURE-----\n```\nThese messages typically contain a \"Hash: ...\" header declaring the hash algorithm used to compute the signature digest.\nOpenPGP.js up to v5.9.0 ignored any data preceding the \"Hash: ...\" texts when verifying the signature. As a result, malicious parties could add arbitrary text to a third-party Cleartext Signed Message, to lead the victim to believe that the arbitrary text was signed.\n\nA user or application is vulnerable to said attack vector if it verifies the CleartextMessage by only checking the returned `verified` property, discarding the associated `data` information, and instead _visually trusting_ the contents of the original message:\n\n```js\nconst cleartextMessage = `\n-----BEGIN PGP SIGNED MESSAGE-----\nThis text is not signed but you might think it is. Hash: SHA256\n\nThis text is signed.\n-----BEGIN PGP SIGNATURE-----\n\nwnUEARMIACcFgmTkrNAJkInXCgj0fgcIFiEE1JlKzzDGQxZmmHkYidcKCPR+\nBwgAAKXDAQDWGhI7tPbhB+jlKwe4+yPJ+9X8aWDUG60XFNi/w8T7ZgEAsAGd\nWJrkm/H5AXGZsqyqqO6IWGF0geTCd4mWm/CsveM=\n-----END PGP SIGNATURE-----\n`;\nconst message = await openpgp.readCleartextMessage({ cleartextMessage });\nconst verificationResult = await verifyCleartextMessage({ message, verificationKeys });\nconsole.log(await verificationResult.verified); // output: true\nconsole.log(verificationResult.data); // output: \u0027This text is signed.\u0027\n```\nSince `verificationResult.data` would always contain the actual signed data, users and apps that check this information are not vulnerable.\nSimilarly, given a CleartextMessage object, retrieving the data using `getText()` or the `text` field returns only the contents that are considered when verifying the signature.\nFinally, re-armoring a CleartextMessage object (using `armor()` will also result in a \"sanitised\" version, with the extraneous text being removed.\nBecause of this, we consider the vulnerability impact to be very limited when the CleartextMessage is processed programmatically; this is reflected in the Severity CVSS assessment, specifically in the scope\u0027s score (\"Unchanged\").\n\n### Patches\n- v5.10.1 (current stable version) will reject messages when calling `openpgp.readCleartextMessage()`\n- v4.10.11 (legacy version) will reject messages when calling `openpgp.cleartext.readArmored()`\n\n### Workarounds\nCheck the contents of `verificationResult.data` to see what data was actually signed, rather than visually trusting the contents of the armored message.\n\n### References\nSimilar CVE: https://sec-consult.com/vulnerability-lab/advisory/cleartext-message-spoofing-in-go-cryptography-libraries-cve-2019-11841/\n",
  "id": "GHSA-ch3c-v47x-4pgp",
  "modified": "2023-08-29T17:36:40Z",
  "published": "2023-08-29T17:36:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-ch3c-v47x-4pgp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41037"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openpgpjs/openpgpjs/commit/6b43e02a254853f5ff508ebd1b07541f78b7c566"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openpgpjs/openpgpjs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openpgpjs/openpgpjs/releases/tag/v4.10.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openpgpjs/openpgpjs/releases/tag/v5.10.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cleartext Signed Message Signature Spoofing in openpgp"
}

GHSA-CHQ4-235Q-JP7W

Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2026-06-09 12:32
VLAI
Details

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T18:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.",
  "id": "GHSA-chq4-235q-jp7w",
  "modified": "2026-06-09T12:32:00Z",
  "published": "2025-12-09T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59719"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-864900.html"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-647"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CHW7-Q7HH-9VC2

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-07-11 00:00
VLAI
Details

Union Pay up to 1.2.0, for web based versions contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-23533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-06T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Union Pay up to 1.2.0, for web based versions contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants\u0027 websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL.",
  "id": "GHSA-chw7-q7hh-9vc2",
  "modified": "2022-07-11T00:00:18Z",
  "published": "2022-05-24T17:46:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23533"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/347.html"
    },
    {
      "type": "WEB",
      "url": "https://www.dropbox.com/s/6smwnbrp0kgsgrc/poc_code.py?dl=0"
    },
    {
      "type": "WEB",
      "url": "https://www.dropbox.com/s/czbkdr73tclq2nr/UnionPay_Vulnerability_Report.txt?dl=0"
    },
    {
      "type": "WEB",
      "url": "http://mobitec.ie.cuhk.edu.hk/cve_2020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJ56-5C53-9QJF

Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-26 18:33
VLAI
Details

wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticating any content. The compatibility-layer verify path now rejects the object when no signer signature has actually been verified, so a PKCS#7 carrying no valid signature is no longer reported as verified. This is enforced regardless of the PKCS7_NOVERIFY flag, which only suppresses signer certificate chain validation and was never intended to waive the requirement that a signature exist. Only affects OpenSSL compatibility builds that call the PKCS7_verify() compatibility API on potentially degenerate PKCS#7 bundles.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-55961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T18:16:41Z",
    "severity": "HIGH"
  },
  "details": "wolfSSL_PKCS7_verify() returning success for a degenerate (certs-only) PKCS#7 object that contains no signer. Such an object has empty signerInfos, so the underlying signed-data verification succeeds without authenticating any content. The compatibility-layer verify path now rejects the object when no signer signature has actually been verified, so a PKCS#7 carrying no valid signature is no longer reported as verified. This is enforced regardless of the PKCS7_NOVERIFY flag, which only suppresses signer certificate chain validation and was never intended to waive the requirement that a signature exist. Only affects OpenSSL compatibility builds that call the PKCS7_verify() compatibility API on potentially degenerate PKCS#7 bundles.",
  "id": "GHSA-cj56-5c53-9qjf",
  "modified": "2026-06-26T18:33:49Z",
  "published": "2026-06-25T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55961"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wolfSSL/wolfssl/pull/10702"
    },
    {
      "type": "WEB",
      "url": "https://www.wolfssl.com/docs/security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CM49-FH74-75CH

Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2022-11-23 15:30
VLAI
Details

Insufficient verification of multiple header signatures while loading a Trusted Application (TA) may allow an attacker with privileges to gain code execution in that TA or the OS/kernel.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-26391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-09T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "Insufficient verification of multiple header signatures while loading a Trusted Application (TA) may allow an attacker with privileges to gain code execution in that TA or the OS/kernel.",
  "id": "GHSA-cm49-fh74-75ch",
  "modified": "2022-11-23T15:30:22Z",
  "published": "2022-11-10T12:01:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26391"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1029"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CMJG-6Q27-6FR4

Vulnerability from github – Published: 2026-07-07 12:31 – Updated: 2026-07-07 12:31
VLAI
Details

Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data.

This issue affects Liman MYS: before release.Master.1107.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T12:16:28Z",
    "severity": "HIGH"
  },
  "details": "Improper verification of cryptographic signature vulnerability in HAVELSAN Inc. Liman MYS allows Fake the Source of Data.\n\nThis issue affects Liman MYS: before release.Master.1107.",
  "id": "GHSA-cmjg-6q27-6fr4",
  "modified": "2026-07-07T12:31:36Z",
  "published": "2026-07-07T12:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11348"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0504"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CP57-FQ8G-QH6V

Vulnerability from github – Published: 2026-03-26 18:00 – Updated: 2026-03-26 18:00
VLAI
Summary
libcrux has an Incorrect Check of Signer Response Norm During Verification
Details

The ML-DSA verification algorithm as specified in FIPS 204, subsection 6.3 requires verifiers to check that the infinity norm of the deserialized signer response $z$ does not exceed $\gamma_1 - \beta$ (line 13 of Algorithm 8). The same check is required to be performed during signature generation.

libcrux-ml-dsa did not perform this check correctly during signature verification, accepting signatures with signer response norm above the allowed maximum value. The check is correctly performed during signing.

Impact

Applications using libcrux-ml-dsa for signature verification would have accepted signatures that would be rejected by a conforming implementation.

Mitigation

Starting from version 0.0.8, signature verification uses the correct value for $\gamma_1$ in the signer response norm check.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libcrux-ml-dsa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:00:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The ML-DSA verification algorithm as specified in [FIPS 204, subsection 6.3](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#subsection.6.3) requires verifiers to check that the infinity norm of the deserialized signer response $z$ does not exceed $\\gamma_1 - \\beta$ (line 13 of Algorithm 8). The same check is required to be performed during signature generation.\n\nlibcrux-ml-dsa did not perform this check correctly during signature verification, accepting signatures with signer response norm above the allowed maximum value. The check is correctly performed during signing.\n\n## Impact\nApplications using libcrux-ml-dsa for signature verification would have accepted signatures that would be rejected by a conforming implementation.\n\n## Mitigation\nStarting from version `0.0.8`, signature verification uses the correct value for $\\gamma_1$ in the signer response norm check.",
  "id": "GHSA-cp57-fq8g-qh6v",
  "modified": "2026-03-26T18:00:28Z",
  "published": "2026-03-26T18:00:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/pull/1347"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cryspen/libcrux"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0077.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "libcrux has an Incorrect Check of Signer Response Norm During Verification"
}

GHSA-CPPW-2MF8-QPM5

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2024-09-24 15:48
VLAI
Summary
Improper Verification of Cryptographic Signature in matrix-synapse
Details

Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-18835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-19T19:32:08Z",
    "nvd_published_at": "2019-11-08T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over `/send_join`, `/send_leave`, and `/invite` may not be correctly signed, or may not come from the expected servers.",
  "id": "GHSA-cppw-2mf8-qpm5",
  "modified": "2024-09-24T15:48:55Z",
  "published": "2022-05-24T22:01:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18835"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/pull/6262"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/commit/172f264ed38e8bef857552f93114b4ee113a880b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/matrix-org/synapse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/matrix-org/synapse/releases/tag/v1.5.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-186.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Verification of Cryptographic Signature in matrix-synapse"
}

GHSA-CQGF-G3QQ-HHXW

Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2025-02-13 18:32
VLAI
Details

Improper signature verification of RadeonTM RX Vega M Graphics driver for Windows may allow an attacker with admin privileges to launch RadeonInstaller.exe without validating the file signature potentially leading to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-14T19:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Improper signature verification of RadeonTM RX Vega M Graphics driver for Windows may allow an attacker with admin privileges to launch RadeonInstaller.exe without validating the file signature potentially leading to arbitrary code execution.",
  "id": "GHSA-cqgf-g3qq-hhxw",
  "modified": "2025-02-13T18:32:03Z",
  "published": "2023-11-14T21:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20568"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-6003"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00971.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQVM-J2R2-HWPG

Vulnerability from github – Published: 2023-03-17 14:42 – Updated: 2023-03-17 14:42
VLAI
Summary
russh may use insecure Diffie-Hellman keys
Details

Summary

Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality.

Details

Russh does not validate Diffie-Hellman keys.

It accepts received DH public keys $e$ where $e<0$, $e=1$, or $e \geq p-1$ from a misbehaving peer annd successfully performs key exchange.

This is a violation of RFC 4253, section 8 and RFC 8268, section 4, which state that:

DH Public Key values MUST be checked and both conditions:

  • $1 < e < p-1$
  • $1 < f < p-1$

MUST be true. Values not within these bounds MUST NOT be sent or accepted by either side. If either one of these conditions is violated, then the key exchange fails.

For example, a DH client public key $e=1$ would mean that the shared secret that the server calculates is always $K = e^y \mod{p} = 1^y \mod{p} = 1$. In other cases, an insecure order-2 subgroup may be used.

Also, the code does not look like it ensures that the generated secret key $y$ is in the valid interval $0 < y < q$ (or, if russh is the client, that the secret key $x$ satisfies $1 < x < q$): https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76 For example, rng.gen_biguint() might return a number consisting of zeroes, so that $y = 0$.

The public key is not validated either: https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81

Impact

Due to the issues in the DH key generation, I think any connection that uses Diffie-Hellman key exchange is affected. Connections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping.

Most other implementations reject such keys, so this is mainly an interoperability issue in such a case.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "russh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.36.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "russh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.37.0"
            },
            {
              "fixed": "0.37.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28113"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-17T14:42:45Z",
    "nvd_published_at": "2023-03-16T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nDiffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality.\n\n### Details\n\nRussh does not validate Diffie-Hellman keys.\n\nIt accepts received DH public keys $e$ where $e\u003c0$, $e=1$, or $e \\geq p-1$ from a misbehaving peer annd successfully performs key exchange.\n\nThis is a violation of [RFC 4253, section 8](https://www.rfc-editor.org/rfc/rfc4253#section-8) and [RFC 8268, section 4](https://www.rfc-editor.org/rfc/rfc8268#section-4), which state that:\n\n\u003eDH Public Key values MUST be checked and both conditions:\n\u003e\n\u003e - $1 \u003c e \u003c p-1$\n\u003e - $1 \u003c f \u003c p-1$\n\u003e\n\u003e MUST be true.  Values not within these bounds MUST NOT be sent or\n\u003e accepted by either side.  If either one of these conditions is\n\u003e violated, then the key exchange fails.\n\nFor example, a DH client public key $e=1$ would mean that the shared secret that the server calculates is always $K = e^y \\mod{p} = 1^y \\mod{p} = 1$.\nIn other cases, an insecure order-2 subgroup may be used.\n\nAlso, the code does not look like it ensures that the generated secret key $y$ is in the valid interval $0 \u003c y \u003c q$ (or, if russh is the client, that the secret key $x$ satisfies $1 \u003c x \u003c q$):\nhttps://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76\nFor example, `rng.gen_biguint()` might return a number consisting of zeroes, so that $y = 0$.\n\nThe public key is not validated either:\nhttps://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81\n\n### Impact\n\nDue to the issues in the DH key generation, I think any connection that uses Diffie-Hellman key exchange is affected.\nConnections between a russh client and server or those of a russh peer with some other misbehaving peer are most likely to be problematic. These may vulnerable to eavesdropping.\n\nMost other implementations reject such keys, so this is mainly an interoperability issue in such a case.\n",
  "id": "GHSA-cqvm-j2r2-hwpg",
  "modified": "2023-03-17T14:42:45Z",
  "published": "2023-03-17T14:42:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/security/advisories/GHSA-cqvm-j2r2-hwpg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28113"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/commit/45d2d82930bf4a675bd57abfafec8fe4065befcd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/commit/d831a3716d3719dc76f091fcea9d94bd4ef97c6e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/warp-tech/russh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L72-L76"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/blob/master/russh/src/kex/dh/groups.rs#L78-L81"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/releases/tag/v0.36.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warp-tech/russh/releases/tag/v0.37.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "russh may use insecure Diffie-Hellman keys"
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.