CWE-347
AllowedImproper Verification of Cryptographic Signature
Abstraction: Base · Status: Draft
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
1127 vulnerabilities reference this CWE, most recent first.
GHSA-P72W-R6FV-6G5H
Vulnerability from github – Published: 2024-09-17 21:30 – Updated: 2025-03-14 21:41Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie.
This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.
While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.druid.extensions:druid-pac4j"
},
"ranges": [
{
"events": [
{
"introduced": "0.18.0"
},
{
"fixed": "30.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45384"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-17T22:14:49Z",
"nvd_published_at": "2024-09-17T19:15:28Z",
"severity": "LOW"
},
"details": "Padding Oracle vulnerability in Apache Druid extension, druid-pac4j.\nThis could allow an attacker to manipulate a pac4j session cookie.\n\nThis issue affects Apache Druid versions 0.18.0 through 30.0.0.\nSince the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.\n\nWhile we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.",
"id": "GHSA-p72w-r6fv-6g5h",
"modified": "2025-03-14T21:41:15Z",
"published": "2024-09-17T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45384"
},
{
"type": "WEB",
"url": "https://github.com/apache/druid/commit/74cab7a76c99da457c3a883939cc0b03301b8771"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/druid"
},
{
"type": "WEB",
"url": "https://github.com/apache/druid/releases/tag/druid-30.0.1"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/09/17/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "druid-pac4j, Apache Druid extension, has Padding Oracle vulnerability"
}
GHSA-P7W3-XCQR-PR4R
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system. The vulnerability is due to insufficient validation of the content of upgrade packages. An attacker could exploit this vulnerability by uploading a malicious archive to the Upgrade page of the administrative web interface. A successful exploit could allow the attacker to execute code with user-level privileges (the _nobody account) on the underlying operating system.
{
"affected": [],
"aliases": [
"CVE-2021-34715"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-18T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system. The vulnerability is due to insufficient validation of the content of upgrade packages. An attacker could exploit this vulnerability by uploading a malicious archive to the Upgrade page of the administrative web interface. A successful exploit could allow the attacker to execute code with user-level privileges (the _nobody account) on the underlying operating system.",
"id": "GHSA-p7w3-xcqr-pr4r",
"modified": "2022-05-24T19:11:29Z",
"published": "2022-05-24T19:11:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34715"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewver-c6WZPXRx"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P847-Q8VX-C3FG
Vulnerability from github – Published: 2026-07-16 06:31 – Updated: 2026-07-16 06:31The SAML Single Sign On – SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion in all versions up to, and including, 5.4.3. The vulnerability exists because Mo_SAML_Utilities::mo_saml_cast_key() reads the SignatureMethod Algorithm attribute directly from the attacker-controlled SAMLResponse parameter rather than enforcing the locally configured algorithm, causing the plugin to recast the IdP's RSA public key as an HMAC-SHA1 shared secret and validate the forged signature against it. This makes it possible for unauthenticated attackers to forge a SAML assertion targeting any WordPress account — including administrators — obtain valid WordPress authentication cookies, and achieve full administrator-level account takeover.
{
"affected": [],
"aliases": [
"CVE-2026-15013"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-16T05:16:18Z",
"severity": "CRITICAL"
},
"details": "The SAML Single Sign On \u2013 SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion in all versions up to, and including, 5.4.3. The vulnerability exists because `Mo_SAML_Utilities::mo_saml_cast_key()` reads the `SignatureMethod` Algorithm attribute directly from the attacker-controlled `SAMLResponse` parameter rather than enforcing the locally configured algorithm, causing the plugin to recast the IdP\u0027s RSA public key as an HMAC-SHA1 shared secret and validate the forged signature against it. This makes it possible for unauthenticated attackers to forge a SAML assertion targeting any WordPress account \u2014 including administrators \u2014 obtain valid WordPress authentication cookies, and achieve full administrator-level account takeover.",
"id": "GHSA-p847-q8vx-c3fg",
"modified": "2026-07-16T06:31:27Z",
"published": "2026-07-16T06:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15013"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/miniorange-saml-20-single-sign-on/tags/5.4.3/class-mo-saml-login-validate.php#L119"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/miniorange-saml-20-single-sign-on/tags/5.4.3/class-mo-saml-utilities.php#L416"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/miniorange-saml-20-single-sign-on/tags/5.4.3/class-mo-saml-utilities.php#L444"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/miniorange-saml-20-single-sign-on/tags/5.4.3/class-mo-saml-utilities.php#L561"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/miniorange-saml-20-single-sign-on/tags/5.4.3/includes/lib/SAML2Core/class-mo-saml-xml-security-key.php#L722"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3601345%40miniorange-saml-20-single-sign-on\u0026new=3601345%40miniorange-saml-20-single-sign-on"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee95092d-6351-4612-872d-284165bc1201?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P88H-9FMR-WJ9Q
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-31 03:31Improper verification of cryptographic signature in Smart Switch prior to version 3.7.69.15 allows remote attackers to potentially bypass authentication.
{
"affected": [],
"aliases": [
"CVE-2026-20997"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:18:10Z",
"severity": "MODERATE"
},
"details": "Improper verification of cryptographic signature in Smart Switch prior to version 3.7.69.15 allows remote attackers to potentially bypass authentication.",
"id": "GHSA-p88h-9fmr-wj9q",
"modified": "2026-03-31T03:31:25Z",
"published": "2026-03-16T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20997"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026\u0026month=03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P8C3-7RJ8-Q963
Vulnerability from github – Published: 2020-06-26 16:54 – Updated: 2023-01-31 01:29Impact
Jsrsasign supports ECDSA signature validation which signature value is represented by ASN.1 DER encoding. This vulnerablity may accept a wrong ASN.1 DER encoded ECDSA signature such as:
- wrong multi-byte ASN.1 length of TLV (ex. 0x820045 even though 0x45 is correct)
- prepending zeros with ASN.1 INTEGER value (ex. 0x00000123 even though 0x0123 is correct)
- appending zeros to signature of ASN.1 TLV (ex. 0x3082....1fbc000000 even though 0x3082....1fbc, appending zeros are ignored.)
This vulnerability was fixed by strict ASN.1 DER checking.
Here is an assessment of this vulnerability:
- If you are not use ECDSA signature validation, this vulnerability is not affected.
- Not ASN.1 format signature like just concatenation of R and S value is not affected such as Bitcoin.
- This vulnerability is affected to all ECC curve parameters.
- Risk to accept a forged or crafted message to be signed is low.
- Risk to raise memory corruption is low since jsrsasign uses BigInteger class.
- ECDSA signatures semantically the same to valid one may be accepted as valid. There are many malleable variants.
As discussed here, there is no standards like X9.62 which requires ASN.1 DER. So ASN.1 BER can be applied to ECDSA however most of implementations like OpenSSL do strict ASN.1 DER checking.
Patches
Users using ECDSA signature validation should upgrade to 8.0.19.
Workarounds
Do strict ASN.1 DER checking for ASN.1 encoded ECDSA signature value.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-14966 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14966 https://vuldb.com/?id.157123 https://github.com/kjur/jsrsasign/issues/437 https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.ECDSA.html https://kjur.github.io/jsrsasign/api/symbols/ASN1HEX.html#.checkStrictDER https://www.itu.int/rec/T-REC-X.690
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jsrsasign"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "8.0.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-14966"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-26T16:54:00Z",
"nvd_published_at": "2020-06-22T12:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nJsrsasign supports ECDSA signature validation which signature value is represented by ASN.1 DER encoding. This vulnerablity may accept a wrong ASN.1 DER encoded ECDSA signature such as:\n\n- wrong multi-byte ASN.1 length of TLV (ex. 0x820045 even though 0x45 is correct)\n- prepending zeros with ASN.1 INTEGER value (ex. 0x00000123 even though 0x0123 is correct)\n- appending zeros to signature of ASN.1 TLV (ex. 0x3082....1fbc000000 even though 0x3082....1fbc, appending zeros are ignored.)\n\nThis vulnerability was fixed by strict ASN.1 DER checking. \n\nHere is an assessment of this vulnerability:\n\n- If you are not use ECDSA signature validation, this vulnerability is not affected.\n- Not ASN.1 format signature like just concatenation of R and S value is not affected such as Bitcoin.\n- This vulnerability is affected to all ECC curve parameters.\n- Risk to accept a forged or crafted message to be signed is low.\n- Risk to raise memory corruption is low since jsrsasign uses BigInteger class.\n- ECDSA signatures semantically the same to valid one may be accepted as valid. There are many malleable variants.\n\nAs discussed [here](https://crypto.stackexchange.com/questions/24862/ber-or-der-x9-62-for-ecdsa-signature), there is no standards like X9.62 which requires ASN.1 DER. So ASN.1 BER can be applied to ECDSA however most of implementations like OpenSSL do strict ASN.1 DER checking.\n\n### Patches\nUsers using ECDSA signature validation should upgrade to 8.0.19.\n\n### Workarounds\nDo strict ASN.1 DER checking for ASN.1 encoded ECDSA signature value.\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14966\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14966\nhttps://vuldb.com/?id.157123\nhttps://github.com/kjur/jsrsasign/issues/437\nhttps://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.ECDSA.html\nhttps://kjur.github.io/jsrsasign/api/symbols/ASN1HEX.html#.checkStrictDER\nhttps://www.itu.int/rec/T-REC-X.690\n\n",
"id": "GHSA-p8c3-7rj8-q963",
"modified": "2023-01-31T01:29:53Z",
"published": "2020-06-26T16:54:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kjur/jsrsasign/security/advisories/GHSA-p8c3-7rj8-q963"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14966"
},
{
"type": "WEB",
"url": "https://github.com/kjur/jsrsasign/issues/437"
},
{
"type": "WEB",
"url": "https://github.com/kjur/jsrsasign/commit/6087412d072a57074d3c4c1b40bdde0460d53a7f"
},
{
"type": "WEB",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14966"
},
{
"type": "PACKAGE",
"url": "https://github.com/kjur/jsrsasign"
},
{
"type": "WEB",
"url": "https://github.com/kjur/jsrsasign/releases/tag/8.0.17"
},
{
"type": "WEB",
"url": "https://github.com/kjur/jsrsasign/releases/tag/8.0.18"
},
{
"type": "WEB",
"url": "https://kjur.github.io/jsrsasign"
},
{
"type": "WEB",
"url": "https://kjur.github.io/jsrsasign/api/symbols/ASN1HEX.html#.checkStrictDER"
},
{
"type": "WEB",
"url": "https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.ECDSA.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200724-0001"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.157123"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/jsrsasign"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding in jsrsasign"
}
GHSA-P8P9-354J-7MHR
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30An issue was discovered in Foxit Reader and PhantomPDF before 4.1 on macOS. Because the Hardened Runtime protection mechanism is not applied to code signing, code injection (or an information leak) can occur.
{
"affected": [],
"aliases": [
"CVE-2020-26540"
],
"database_specific": {
"cwe_ids": [
"CWE-347",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-02T08:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Foxit Reader and PhantomPDF before 4.1 on macOS. Because the Hardened Runtime protection mechanism is not applied to code signing, code injection (or an information leak) can occur.",
"id": "GHSA-p8p9-354j-7mhr",
"modified": "2022-05-24T17:30:02Z",
"published": "2022-05-24T17:30:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26540"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P97V-RWHV-427H
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required.
{
"affected": [],
"aliases": [
"CVE-2025-13662"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T16:17:36Z",
"severity": "HIGH"
},
"details": "Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required.",
"id": "GHSA-p97v-rwhv-427h",
"modified": "2025-12-09T18:30:35Z",
"published": "2025-12-09T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13662"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PCGW-QCV5-H8CH
Vulnerability from github – Published: 2026-03-18 20:19 – Updated: 2026-03-18 20:19Summary
The ValidateEncodedLogoutRequestPOST function in gosaml2 accepts completely unsigned SAML LogoutRequest messages even when SkipSignatureValidation is set to false. When validateElementSignature returns dsig.ErrMissingSignature, the code in decode_logout_request.go:60-62 silently falls through to process the unverified XML element instead of rejecting it. An attacker who can reach the SP's Single Logout endpoint can forge a LogoutRequest for any user, terminating their session without possessing the IdP's signing key.
Affected Version
- Library:
github.com/russellhaering/gosaml2 - Version: All versions up to and including the latest commit on
main(as of 2026-03-16) - File:
decode_logout_request.go, lines 58-69
Vulnerable Code
// decode_logout_request.go:57-69
var requestSignatureValidated bool
if !sp.SkipSignatureValidation {
el, err = sp.validateElementSignature(el)
if err == dsig.ErrMissingSignature {
// Unfortunately we just blew away our Response
el = doc.Root() // <-- BUG: falls through with unsigned element
} else if err != nil {
return nil, err
} else if el == nil {
return nil, fmt.Errorf("missing transformed logout request")
} else {
requestSignatureValidated = true
}
}
When ErrMissingSignature is returned, the code resets el to the raw document root and continues. The requestSignatureValidated variable remains false, but no error is returned. The unsigned LogoutRequest is unmarshalled and passed to ValidateDecodedLogoutRequest, which performs attribute/issuer checks but does not verify that a signature was present.
Attack Details
| Property | Value |
|---|---|
| Attack vector | Network (HTTP POST to SLO endpoint) |
| Authentication required | None |
| Payload size | ~450 bytes (unsigned XML) |
| User interaction | None |
| Complexity | Low -- only requires knowledge of the SP's SLO URL and IdP issuer |
| CVSS estimate | 7.5 (High) -- Network/Low/None/None, Availability impact |
Impact
- Arbitrary session termination: An attacker can force-logout any user by forging a
LogoutRequestwith the victim'sNameID. This is a targeted denial-of-service. - Business disruption: Critical users (executives, admins, operators) can be repeatedly logged out, disrupting access to the application during incidents or time-sensitive operations.
- Security control bypass: If session termination triggers downstream effects (e.g., revoking tokens, clearing caches), an attacker can weaponize this to force re-authentication flows and potentially intercept them.
- No cryptographic material needed: The attacker does not need the IdP's private key. The forged request contains zero cryptographic elements.
Suggested Fix
When ErrMissingSignature is returned and SkipSignatureValidation is false, the function should return an error instead of falling through:
// decode_logout_request.go -- fixed version
var requestSignatureValidated bool
if !sp.SkipSignatureValidation {
el, err = sp.validateElementSignature(el)
if err == dsig.ErrMissingSignature {
// FIXED: reject unsigned requests when signature validation is required
return nil, fmt.Errorf("logout request is not signed: %w", dsig.ErrMissingSignature)
} else if err != nil {
return nil, err
} else if el == nil {
return nil, fmt.Errorf("missing transformed logout request")
} else {
requestSignatureValidated = true
}
}
This ensures that unsigned LogoutRequest messages are rejected when SkipSignatureValidation is false, matching the behavior that operators expect when they configure signature enforcement.
Attached lab f1_unsigned_logout.zip
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.10.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/russellhaering/gosaml2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T20:19:24Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe `ValidateEncodedLogoutRequestPOST` function in gosaml2 accepts completely unsigned SAML `LogoutRequest` messages even when `SkipSignatureValidation` is set to `false`. When `validateElementSignature` returns `dsig.ErrMissingSignature`, the code in `decode_logout_request.go:60-62` silently falls through to process the unverified XML element instead of rejecting it. An attacker who can reach the SP\u0027s Single Logout endpoint can forge a `LogoutRequest` for any user, terminating their session without possessing the IdP\u0027s signing key.\n\n## Affected Version\n\n- **Library**: `github.com/russellhaering/gosaml2`\n- **Version**: All versions up to and including the latest commit on `main` (as of 2026-03-16)\n- **File**: `decode_logout_request.go`, lines 58-69\n\n## Vulnerable Code\n\n```go\n// decode_logout_request.go:57-69\nvar requestSignatureValidated bool\nif !sp.SkipSignatureValidation {\n el, err = sp.validateElementSignature(el)\n if err == dsig.ErrMissingSignature {\n // Unfortunately we just blew away our Response\n el = doc.Root() // \u003c-- BUG: falls through with unsigned element\n } else if err != nil {\n return nil, err\n } else if el == nil {\n return nil, fmt.Errorf(\"missing transformed logout request\")\n } else {\n requestSignatureValidated = true\n }\n}\n```\n\nWhen `ErrMissingSignature` is returned, the code resets `el` to the raw document root and continues. The `requestSignatureValidated` variable remains `false`, but no error is returned. The unsigned `LogoutRequest` is unmarshalled and passed to `ValidateDecodedLogoutRequest`, which performs attribute/issuer checks but does **not** verify that a signature was present.\n\n## Attack Details\n\n| Property | Value |\n|---|---|\n| **Attack vector** | Network (HTTP POST to SLO endpoint) |\n| **Authentication required** | None |\n| **Payload size** | ~450 bytes (unsigned XML) |\n| **User interaction** | None |\n| **Complexity** | Low -- only requires knowledge of the SP\u0027s SLO URL and IdP issuer |\n| **CVSS estimate** | 7.5 (High) -- Network/Low/None/None, Availability impact |\n\n## Impact\n\n- **Arbitrary session termination**: An attacker can force-logout any user by forging a `LogoutRequest` with the victim\u0027s `NameID`. This is a targeted denial-of-service.\n- **Business disruption**: Critical users (executives, admins, operators) can be repeatedly logged out, disrupting access to the application during incidents or time-sensitive operations.\n- **Security control bypass**: If session termination triggers downstream effects (e.g., revoking tokens, clearing caches), an attacker can weaponize this to force re-authentication flows and potentially intercept them.\n- **No cryptographic material needed**: The attacker does not need the IdP\u0027s private key. The forged request contains zero cryptographic elements.\n\n## Suggested Fix\n\nWhen `ErrMissingSignature` is returned and `SkipSignatureValidation` is `false`, the function should return an error instead of falling through:\n\n```go\n// decode_logout_request.go -- fixed version\nvar requestSignatureValidated bool\nif !sp.SkipSignatureValidation {\n el, err = sp.validateElementSignature(el)\n if err == dsig.ErrMissingSignature {\n // FIXED: reject unsigned requests when signature validation is required\n return nil, fmt.Errorf(\"logout request is not signed: %w\", dsig.ErrMissingSignature)\n } else if err != nil {\n return nil, err\n } else if el == nil {\n return nil, fmt.Errorf(\"missing transformed logout request\")\n } else {\n requestSignatureValidated = true\n }\n}\n```\n\nThis ensures that unsigned `LogoutRequest` messages are rejected when `SkipSignatureValidation` is `false`, matching the behavior that operators expect when they configure signature enforcement.\n\nAttached lab \n[f1_unsigned_logout.zip](https://github.com/user-attachments/files/26038319/f1_unsigned_logout.zip)",
"id": "GHSA-pcgw-qcv5-h8ch",
"modified": "2026-03-18T20:19:24Z",
"published": "2026-03-18T20:19:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/russellhaering/gosaml2/security/advisories/GHSA-pcgw-qcv5-h8ch"
},
{
"type": "PACKAGE",
"url": "https://github.com/russellhaering/gosaml2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unsigned SAML LogoutRequest Acceptance in gosaml2"
}
GHSA-PCWW-JM77-2JG3
Vulnerability from github – Published: 2022-05-14 03:08 – Updated: 2022-05-14 03:08An issue was discovered in Carbon Black Cb Response. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute.
{
"affected": [],
"aliases": [
"CVE-2018-10407"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-13T22:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Carbon Black Cb Response. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute.",
"id": "GHSA-pcww-jm77-2jg3",
"modified": "2022-05-14T03:08:35Z",
"published": "2022-05-14T03:08:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10407"
},
{
"type": "WEB",
"url": "https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PF4J-PF3W-95F9
Vulnerability from github – Published: 2026-04-22 19:22 – Updated: 2026-04-27 16:22Impact
The staking contract accepts UpdateValidator transactions that set new_voting_key=Some(...) while omitting new_proof_of_knowledge. this skips the proof-of-knowledge requirement that is needed to prevent BLS rogue-key attacks when public keys are aggregated.
Because tendermint macro block justification verification aggregates validator voting keys and verifies a single aggregated BLS signature against that aggregate public key, a rogue-key voting key in the validator set can allow an attacker to forge a quorum-looking justification while only producing a single signature.
While the impact is critical, the exploitability is low: The voting keys are fixed for the epoch, so the attacker would need to know the next epoch validator set (chosen through VRF), which is unlikely.
Patches
The patch for this vulnerability is included as part of v1.3.0.
Workarounds
No known workarounds.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "nimiq-transaction"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34068"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T19:22:53Z",
"nvd_published_at": "2026-04-22T21:17:08Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe staking contract accepts `UpdateValidator` transactions that set `new_voting_key=Some(...)` while omitting `new_proof_of_knowledge`. this skips the proof-of-knowledge requirement that is needed to prevent BLS rogue-key attacks when public keys are aggregated.\n\nBecause tendermint macro block justification verification aggregates validator voting keys and verifies a single aggregated BLS signature against that aggregate public key, a rogue-key voting key in the validator set can allow an attacker to forge a quorum-looking justification while only producing a single signature.\n\nWhile the impact is critical, the exploitability is low: The voting keys are fixed for the epoch, so the attacker would need to know the next epoch validator set (chosen through VRF), which is unlikely.\n\n### Patches\n[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/commit/e7f0ab7d2115e17d6e5548ddc60f10df1a5d645f) is included as part of [v1.3.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0).\n\n### Workarounds\nNo known workarounds.",
"id": "GHSA-pf4j-pf3w-95f9",
"modified": "2026-04-27T16:22:49Z",
"published": "2026-04-22T19:22:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-pf4j-pf3w-95f9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34068"
},
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/pull/3654"
},
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/commit/e7f0ab7d2115e17d6e5548ddc60f10df1a5d645f"
},
{
"type": "PACKAGE",
"url": "https://github.com/nimiq/core-rs-albatross"
},
{
"type": "WEB",
"url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge"
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.