Common Weakness Enumeration

CWE-347

Allowed

Improper Verification of Cryptographic Signature

Abstraction: Base · Status: Draft

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

1121 vulnerabilities reference this CWE, most recent first.

GHSA-V825-MC9M-64QR

Vulnerability from github – Published: 2025-11-27 00:30 – Updated: 2025-11-28 21:31
VLAI
Details

XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted.

An attacker can remove the signature from the XML document to make it pass the verification check.

XML-Sig is a Perl module to validate signatures on XML files.  An unsigned XML file should return an error message.  The affected versions return true when attempting to validate an XML file that contains no signatures.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40934"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-26T23:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "XML-Sig versions 0.27 through 0.67 for Perl incorrectly validates XML files if signatures are omitted.\n\nAn attacker can remove the signature from the XML document to make it pass the verification check.\n\nXML-Sig is a Perl module to validate signatures on XML files.\u00a0 An unsigned XML file should return an error message.\u00a0 The affected versions return true when attempting to validate an XML file that contains no signatures.",
  "id": "GHSA-v825-mc9m-64qr",
  "modified": "2025-11-28T21:31:18Z",
  "published": "2025-11-27T00:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40934"
    },
    {
      "type": "WEB",
      "url": "https://github.com/perl-net-saml2/perl-XML-Sig/issues/63"
    },
    {
      "type": "WEB",
      "url": "https://github.com/perl-net-saml2/perl-XML-Sig/pull/64"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VC2C-7FWX-X7MR

Vulnerability from github – Published: 2026-06-29 09:30 – Updated: 2026-06-29 09:30
VLAI
Details

Lack of validation for firmware update in Hitachi Hitachi Virtual Storage Platform One Block 23, 24, 26, 28.

This issue affects Hitachi Virtual Storage Platform One Block 23, 24, 26, 28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-29T07:16:23Z",
    "severity": "LOW"
  },
  "details": "Lack of validation for firmware update\u00a0in Hitachi Hitachi Virtual Storage Platform One Block 23, 24, 26, 28.\n\nThis issue affects Hitachi Virtual Storage Platform One Block 23, 24, 26, 28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.",
  "id": "GHSA-vc2c-7fwx-x7mr",
  "modified": "2026-06-29T09:30:27Z",
  "published": "2026-06-29T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0824"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_308.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VF4W-FG7R-5V94

Vulnerability from github – Published: 2021-04-07 20:56 – Updated: 2021-04-23 00:22
VLAI
Summary
Improper Certificate Validation in phpseclib
Details

phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpseclib/phpseclib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpseclib/phpseclib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-30130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-07T17:29:49Z",
    "nvd_published_at": "2021-04-06T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification.",
  "id": "GHSA-vf4w-fg7r-5v94",
  "modified": "2021-04-23T00:22:49Z",
  "published": "2021-04-07T20:56:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30130"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phpseclib/phpseclib/pull/1635"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2021-30130.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phpseclib/phpseclib/releases/tag/2.0.31"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phpseclib/phpseclib/releases/tag/3.0.7"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Certificate Validation in phpseclib"
}

GHSA-VGH8-J259-M77W

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

Dr.Web Security Space versions 11 and 12 allow elevation of privilege for local users without administrative privileges to NT AUTHORITY\SYSTEM due to insufficient control during autoupdate.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-23967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-08T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dr.Web Security Space versions 11 and 12 allow elevation of privilege for local users without administrative privileges to NT AUTHORITY\\SYSTEM due to insufficient control during autoupdate.",
  "id": "GHSA-vgh8-j259-m77w",
  "modified": "2022-05-24T17:43:49Z",
  "published": "2022-05-24T17:43:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23967"
    },
    {
      "type": "WEB",
      "url": "https://amonitoring.ru/article/drweb"
    },
    {
      "type": "WEB",
      "url": "https://habr.com/ru/company/pm/blog/509592"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=q7Kqi7kE59U"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VGQ2-GXQP-V52X

Vulnerability from github – Published: 2022-04-23 00:40 – Updated: 2024-04-03 23:52
VLAI
Details

A Security Bypass vulnerability exists in Ubuntu Cobbler before 2,2,2 in the cobbler-ubuntu-import script due to an error when verifying the GPG signature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-2092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-06T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A Security Bypass vulnerability exists in Ubuntu Cobbler before 2,2,2 in the cobbler-ubuntu-import script due to an error when verifying the GPG signature.",
  "id": "GHSA-vgq2-gxqp-v52x",
  "modified": "2024-04-03T23:52:47Z",
  "published": "2022-04-23T00:40:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2092"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74789"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2012-2092"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/04/10/14"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/52971"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VGR7-MV6H-5GWQ

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2023-02-02 15:30
VLAI
Details

redhat-upgrade-tool: Does not check GPG signatures when upgrading versions

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-3585"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-22T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "redhat-upgrade-tool: Does not check GPG signatures when upgrading versions",
  "id": "GHSA-vgr7-mv6h-5gwq",
  "modified": "2023-02-02T15:30:30Z",
  "published": "2022-05-17T19:57:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3585"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2014:1396"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2015:2395"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2014-3585"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1126002"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3585"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJ5W-XW66-QJQ5

Vulnerability from github – Published: 2025-08-21 21:32 – Updated: 2025-08-21 21:32
VLAI
Details

Improper verification of cryptographic signature in Windows Certificates allows an unauthorized attacker to perform spoofing over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-21T20:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Improper verification of cryptographic signature in Windows Certificates allows an unauthorized attacker to perform spoofing over a network.",
  "id": "GHSA-vj5w-xw66-qjq5",
  "modified": "2025-08-21T21:32:07Z",
  "published": "2025-08-21T21:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55229"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55229"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJQW-W5JR-G9W5

Vulnerability from github – Published: 2026-03-29 15:30 – Updated: 2026-04-06 22:32
VLAI
Summary
Duplicate Advisory: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-g353-mgv3-8pcj. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.11"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-06T22:32:19Z",
    "nvd_published_at": "2026-03-29T13:17:01Z",
    "severity": "HIGH"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-g353-mgv3-8pcj. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint.",
  "id": "GHSA-vjqw-w5jr-g9w5",
  "modified": "2026-04-06T22:32:19Z",
  "published": "2026-03-29T15:30:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32974"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured",
  "withdrawn": "2026-04-06T22:32:19Z"
}

GHSA-VJRP-J935-MWH9

Vulnerability from github – Published: 2022-03-05 00:00 – Updated: 2022-03-17 00:03
VLAI
Details

STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to obtain information on cryptographic secrets. This is associated with the ECDSA signature algorithm on the Java Card J-SAFE3 and STSAFE-J platforms exposing a 3.0.4 Java Card API. It is exploitable for STSAFE-J in closed configuration and J-SIGN (when signature verification is activated) but not for J-SAFE3 EPASS BAC and EAC products. It might also impact other products based on the J-SAFE-3 Java Card platform.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-04T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to obtain information on cryptographic secrets. This is associated with the ECDSA signature algorithm on the Java Card J-SAFE3 and STSAFE-J platforms exposing a 3.0.4 Java Card API. It is exploitable for STSAFE-J in closed configuration and J-SIGN (when signature verification is activated) but not for J-SAFE3 EPASS BAC and EAC products. It might also impact other products based on the J-SAFE-3 Java Card platform.",
  "id": "GHSA-vjrp-j935-mwh9",
  "modified": "2022-03-17T00:03:34Z",
  "published": "2022-03-05T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43392"
    },
    {
      "type": "WEB",
      "url": "https://community.st.com/s/toparticles"
    },
    {
      "type": "WEB",
      "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2022-AVI-169"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJXV-45G9-9296

Vulnerability from github – Published: 2022-08-10 18:40 – Updated: 2022-08-10 18:40
VLAI
Summary
cosign's `cosign verify-attestaton --type` can report a false positive if any attestation exists
Details

cosign verify-attestation used with the --type flag will report a false positive verification when:

  • There is at least one attestation with a valid signature
  • There are NO attestations of the type being verified (--type defaults to "custom")

This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. Users should upgrade to cosign version 1.10.1 or greater for a patch. Currently the only workaround is to upgrade.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sigstore/cosign"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-35929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-10T18:40:38Z",
    "nvd_published_at": "2022-08-04T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "`cosign verify-attestation` used with the `--type` flag will report a false positive verification when:\n\n- There is at least one attestation with a valid signature\n- There are NO attestations of the type being verified (--type defaults to \"custom\")\n\nThis can happen when signing with a standard keypair and with \"keyless\" signing with Fulcio. Users should upgrade to cosign version 1.10.1 or greater for a patch. Currently the only workaround is to upgrade.",
  "id": "GHSA-vjxv-45g9-9296",
  "modified": "2022-08-10T18:40:38Z",
  "published": "2022-08-10T18:40:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35929"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/cosign/commit/c5fda01a8ff33ca981f45a9f13e7fb6bd2080b94"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sigstore/cosign"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "cosign\u0027s `cosign verify-attestaton  --type` can report a false positive if any attestation exists"
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.