{"@ID": "347", "@Name": "Improper Verification of Cryptographic Signature", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-347-Diagram.png", "Description": "The product does not verify, or incorrectly verifies, the cryptographic signature for data.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "345", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "345", "@View_ID": "1003", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation", "Note": "REALIZATION: This weakness is caused during implementation of an architectural security tactic."}]}, "Common_Consequences": {"Consequence": {"Scope": ["Access Control", "Integrity", "Confidentiality"], "Impact": ["Gain Privileges or Assume Identity", "Modify Application Data", "Execute Unauthorized Code or Commands"], "Note": "An attacker could gain access to sensitive data and possibly execute unauthorized code."}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Demonstrative_Examples": {"Demonstrative_Example": {"Intro_Text": "In the following code, a JarFile object is created from a downloaded file.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": null, "#text": "File f = new File(downloadedFilePath);JarFile jf = new JarFile(f);"}}, "Body_Text": "The JAR file that was potentially downloaded from an untrusted source is created without verifying the signature (if present). An alternate constructor that accepts a boolean verify parameter should be used instead."}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2002-1796", "Description": "Does not properly verify signatures for \"trusted\" entities.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1796"}, {"Reference": "CVE-2005-2181", "Description": "Insufficient verification allows spoofing.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2181"}, {"Reference": "CVE-2005-2182", "Description": "Insufficient verification allows spoofing.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2182"}, {"Reference": "CVE-2002-1706", "Description": "Accepts a configuration file without a Message Integrity Check (MIC) signature.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-1706"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Improperly Verified Signature"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "SEC06-J", "Entry_Name": "Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 3-3", "Entry_Name": "Req SR 1.9"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-1", "Entry_Name": "Req SM-6"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-2", "Entry_Name": "Req EDR 3.12"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-2", "Entry_Name": "Req NDR 3.12"}, {"@Taxonomy_Name": "ISA/IEC 62443", "Entry_ID": "Part 4-2", "Entry_Name": "Req HDR 3.12"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "463"}, {"@CAPEC_ID": "475"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Sean Eidemiller", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "added/updated demonstrative examples"}, {"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Description, Name"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Common_Consequences, Related_Attack_Patterns, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Demonstrative_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2015-12-07", "Modification_Version": "2.9", "Modification_ReleaseDate": "2015-12-07", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-01-19", "Modification_Version": "2.10", "Modification_ReleaseDate": "2017-01-19", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-11-19", "Modification_Version": "4.16", "Modification_ReleaseDate": "2024-11-19", "Modification_Comment": "updated Diagram"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Relationships, Weakness_Ordinalities"}], "Contribution": [{"@Type": "Content", "Contribution_Name": "\"Mapping CWE to 62443\" Sub-Working Group", "Contribution_Organization": "CWE-CAPEC ICS/OT SIG", "Contribution_Date": "2023-04-25", "Contribution_Comment": "Suggested mappings to ISA/IEC 62443."}, {"@Type": "Content", "Contribution_Name": "Abhi Balakrishnan", "Contribution_Date": "2024-09-10", "Contribution_Version": "4.16", "Contribution_ReleaseDate": "2024-11-19", "Contribution_Comment": "Provided diagram to improve CWE usability"}], "Previous_Entry_Name": {"@Date": "2009-05-27", "#text": "Improperly Verified Signature"}}}
