CWE-347
AllowedImproper Verification of Cryptographic Signature
Abstraction: Base · Status: Draft
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
1120 vulnerabilities reference this CWE, most recent first.
GHSA-XPXF-P5MX-CQ4F
Vulnerability from github – Published: 2022-04-22 00:24 – Updated: 2024-04-03 23:05It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.
{
"affected": [],
"aliases": [
"CVE-2011-3374"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-26T00:15:00Z",
"severity": "MODERATE"
},
"details": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.",
"id": "GHSA-xpxf-p5mx-cq4f",
"modified": "2024-04-03T23:05:29Z",
"published": "2022-04-22T00:24:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3374"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2011-3374"
},
{
"type": "WEB",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480"
},
{
"type": "WEB",
"url": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2011/Sep/221"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3374"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-LINUX-APT-116518"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/CVE-2011-3374"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQ4H-WQM2-668W
Vulnerability from github – Published: 2025-11-24 23:34 – Updated: 2025-11-27 08:42Summary
The BIP-322 signature verification does not enforce the SIGHASH value to be SIGHASH_ALL, and therefore is not strictly following the spec.
Impact
Non-compliant BIP-322 signatures in proof of possessions can be accepted by the chain.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/babylonlabs-io/babylon/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-24T23:34:18Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe BIP-322 signature verification does not enforce the SIGHASH value to be SIGHASH_ALL, and therefore is not strictly following the [spec](https://bips.dev/322/).\n\n### Impact\n\nNon-compliant BIP-322 signatures in proof of possessions can be accepted by the chain.",
"id": "GHSA-xq4h-wqm2-668w",
"modified": "2025-11-27T08:42:15Z",
"published": "2025-11-24T23:34:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/babylonlabs-io/babylon/security/advisories/GHSA-xq4h-wqm2-668w"
},
{
"type": "WEB",
"url": "https://github.com/babylonlabs-io/babylon/commit/6e8bdd328a47343fcd7ad98d1b0c7267860b019a"
},
{
"type": "WEB",
"url": "https://bips.dev/322"
},
{
"type": "PACKAGE",
"url": "https://github.com/babylonlabs-io/babylon"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Babylon\u0027s BIP322 signature implementation is not fully compliant to the spec"
}
GHSA-XQ6H-HM2M-HW55
Vulnerability from github – Published: 2025-03-05 18:32 – Updated: 2025-03-05 18:32A vulnerability in the interprocess communication (IPC) channel of Cisco Secure Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the Secure Firewall Posture Engine, formerly HostScan, is installed on Cisco Secure Client.
This vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to a specific Cisco Secure Client process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid user credentials on the Windows system.
{
"affected": [],
"aliases": [
"CVE-2025-20206"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-05T17:15:14Z",
"severity": "HIGH"
},
"details": "A vulnerability in the interprocess communication (IPC) channel of Cisco Secure Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the Secure Firewall Posture Engine, formerly HostScan, is installed on Cisco Secure Client.\n\nThis vulnerability is due to insufficient validation of resources that are loaded by the application at run time. An attacker could exploit this vulnerability by sending a crafted IPC message to a specific Cisco Secure Client process. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid user credentials on the Windows system.",
"id": "GHSA-xq6h-hm2m-hw55",
"modified": "2025-03-05T18:32:09Z",
"published": "2025-03-05T18:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20206"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-dll-injection-AOyzEqSg"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQGQ-4WPF-XFR8
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-04-04 07:06Improper verification of applications' cryptographic signatures in the /e/OS app store client App Lounge before 0.19q allows attackers in control of the application server to install malicious applications on user's systems by altering the server's API response.
{
"affected": [],
"aliases": [
"CVE-2021-43171"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:21Z",
"severity": "MODERATE"
},
"details": "Improper verification of applications\u0027 cryptographic signatures in the /e/OS app store client App Lounge before 0.19q allows attackers in control of the application server to install malicious applications on user\u0027s systems by altering the server\u0027s API response.",
"id": "GHSA-xqgq-4wpf-xfr8",
"modified": "2024-04-04T07:06:47Z",
"published": "2023-08-22T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43171"
},
{
"type": "WEB",
"url": "https://gitlab.e.foundation/e/os/releases/-/releases/v0.19-q#sparkles-we-embedded-other-improvements"
},
{
"type": "WEB",
"url": "https://nervuri.net/e/apps"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQQC-C5GW-C5R5
Vulnerability from github – Published: 2022-12-14 21:35 – Updated: 2022-12-14 21:35Impact
Anyone using the tendermint-light-client and related packages to perform light client verification (e.g. IBC-rs, Hermes).
At present, the light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client.
The attack vector is currently theoretical, and no proof-of-concept exists yet to exploit it on live networks.
Patches
Users of the light client-related crates can currently upgrade to v0.28.0.
Workarounds
None
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.27.0"
},
"package": {
"ecosystem": "crates.io",
"name": "tendermint-light-client-verifier"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.28.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.27.0"
},
"package": {
"ecosystem": "crates.io",
"name": "tendermint-light-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.28.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.27.0"
},
"package": {
"ecosystem": "crates.io",
"name": "tendermint-light-client-js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.28.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23507"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-14T21:35:24Z",
"nvd_published_at": "2022-12-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nAnyone using the `tendermint-light-client` and related packages to perform light client verification (e.g. IBC-rs, Hermes).\n\nAt present, the light client does not check that the chain IDs of the trusted and untrusted headers match, resulting in a possible attack vector where someone who finds a header from an untrusted chain that satisfies all other verification conditions (e.g. enough overlapping validator signatures) could fool a light client.\n\nThe attack vector is currently theoretical, and no proof-of-concept exists yet to exploit it on live networks.\n\n### Patches\n\nUsers of the light client-related crates can currently upgrade to `v0.28.0`.\n\n### Workarounds\n\nNone\n\n### References\n\n- [Light Client specification](https://github.com/tendermint/tendermint/tree/main/spec/light-client)",
"id": "GHSA-xqqc-c5gw-c5r5",
"modified": "2022-12-14T21:35:24Z",
"published": "2022-12-14T21:35:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/informalsystems/tendermint-rs/security/advisories/GHSA-xqqc-c5gw-c5r5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23507"
},
{
"type": "WEB",
"url": "https://github.com/informalsystems/tendermint-rs/commit/5c32f31b97ac3172775699fe0d4ba6003ca4fb18"
},
{
"type": "PACKAGE",
"url": "https://github.com/informalsystems/tendermint-rs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Tendermint light client verification not taking into account chain ID"
}
GHSA-XRR5-3HRR-35JX
Vulnerability from github – Published: 2023-01-20 21:30 – Updated: 2023-02-03 15:31CRYSTALS-DILITHIUM (in Post-Quantum Cryptography Selected Algorithms 2022) in PQClean d03da30 may allow universal forgeries of digital signatures via a template side-channel attack because of intermediate data leakage of one vector.
{
"affected": [],
"aliases": [
"CVE-2023-24025"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-20T21:15:00Z",
"severity": "HIGH"
},
"details": "CRYSTALS-DILITHIUM (in Post-Quantum Cryptography Selected Algorithms 2022) in PQClean d03da30 may allow universal forgeries of digital signatures via a template side-channel attack because of intermediate data leakage of one vector.",
"id": "GHSA-xrr5-3hrr-35jx",
"modified": "2023-02-03T15:31:16Z",
"published": "2023-01-20T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24025"
},
{
"type": "WEB",
"url": "https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022"
},
{
"type": "WEB",
"url": "https://eprint.iacr.org/2023/050"
},
{
"type": "WEB",
"url": "https://github.com/PQClean/PQClean/tree/d03da3053491e767ef842deaef43fc5bdb6bc911"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XVRC-2WVH-49VC
Vulnerability from github – Published: 2023-11-14 20:31 – Updated: 2023-11-14 20:31Impact
In certain versions of gitsign, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures.
There is no known compromise the default public good instance (rekor.sigstore.dev) - anyone using this instance is unlikely to be affected.
Patches
This was fixed in v0.8.0 via https://github.com/sigstore/gitsign/pull/399
Workarounds
n/a
References
Are there any links users can visit to find out more?
https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/sigstore/gitsign"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-47122"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-14T20:31:23Z",
"nvd_published_at": "2023-11-10T22:15:14Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nIn certain versions of gitsign, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures.\n\nThere is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unlikely to be affected.\n\n### Patches\n\nThis was fixed in v0.8.0 via https://github.com/sigstore/gitsign/pull/399\n\n### Workarounds\n\nn/a\n\n### References\n_Are there any links users can visit to find out more?_\n\nhttps://docs.sigstore.dev/about/threat-model/#sigstore-threat-model",
"id": "GHSA-xvrc-2wvh-49vc",
"modified": "2023-11-14T20:31:23Z",
"published": "2023-11-14T20:31:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47122"
},
{
"type": "WEB",
"url": "https://github.com/sigstore/gitsign/pull/399"
},
{
"type": "WEB",
"url": "https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236"
},
{
"type": "WEB",
"url": "https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model"
},
{
"type": "PACKAGE",
"url": "https://github.com/sigstore/gitsign"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gitsign\u0027s Rekor public keys fetched from upstream API instead of local TUF client."
}
GHSA-XW5R-2555-JWFV
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14Multiple vulnerabilities in image verification checks of Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for Cisco 8000 Series Routers could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2021-34708"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-09T05:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in image verification checks of Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for Cisco 8000 Series Routers could allow an authenticated, local attacker to execute arbitrary code on the underlying operating system. For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-xw5r-2555-jwfv",
"modified": "2022-05-24T19:14:07Z",
"published": "2022-05-24T19:14:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34708"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-lnt-QN9mCzwn"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XX36-6RV4-GJ8R
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2023-09-27 21:49Summary
Stark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perform operations such as payments and transfers. In addition, Stark Bank maintains a number of cryptographic libraries to perform cryptographic signing and verification. These popular libraries are meant to be used to integrate with the Stark Bank ecosystem, but are also accessible on popular package manager platforms in order to be used by other projects. The node package manager reports around 16k weekly downloads for the ecdsa-node implementation while the Python implementation boasts over 7.3M downloads in the last 90 days on PyPI. A number of these libraries suffer from a vulnerability in the signature verification functions, allowing attackers to forge signatures for arbitrary messages which successfully verify with any public key.
Impact
An attacker can forge signatures on arbitrary messages that will verify for any public key. This may allow attackers to authenticate as any user within the Stark Bank platform, and bypass signature verification needed to perform operations on the platform, such as send payments and transfer funds. Additionally, the ability for attackers to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.
Details
The (slightly simplified) ECDSA verification of a signature (r, s) on a hashed message z with public key Q and curve order n works as follows:
The (slightly simplified) ECDSA verification of a signature (r, s) on a hashed message z with public key Q and curve order n works as follows:
- Check that r and s are integers in the [1, n-1] range, return Invalid if not.
- Compute u1 = zs-1 mod n and u2 = rs-1 mod n.
- Compute the elliptic curve point (x, y) = u1G + u2Q, return Invalid if (x, y) is the point at infinity.
- Return Valid if r ≡ x mod n, Invalid otherwise.
The ECDSA signature verification functions in the libraries listed above fail to perform the first check, ensuring that the r and s components of the signatures are in the correct range. Specifically, the libraries are not checking that the components of the signature are non-zero, which is an important check mandated by the standard, see X9.62:2005, Section 7.4.1/a:
- If r’ is not an integer in the interval [1, n-1], then reject the signature.
- If s’ is not an integer in the interval [1, n-1], then reject the signature.
For example, consider the following excerpt of the verify function from the ecdsa-python implementation.
def verify(cls, message, signature, publicKey, hashfunc=sha256):
byteMessage = hashfunc(toBytes(message)).digest()
numberMessage = numberFromByteString(byteMessage)
curve = publicKey.curve
r = signature.r
s = signature.s
inv = Math.inv(s, curve.N)
u1 = Math.multiply(curve.G, n=(numberMessage * inv) % curve.N, N=curve.N, A=curve.A, P=curve.P)
u2 = Math.multiply(publicKey.point, n=(r * inv) % curve.N, N=curve.N, A=curve.A, P=curve.P)
add = Math.add(u1, u2, A=curve.A, P=curve.P)
modX = add.x % curve.N
return r == modX
In that code snippet, the values r and s are extracted from the signature without any range check. An attacker supplying a signature equal to (r, s) = (0, 0) will not see their signature rejected. Proceeding with the verification, this function computes the inverse of the s component. Note that the Math.inv() function returns zero when supplied with a zero input (even though 0 does not admit an inverse). The code then computes the values u1 = inv * numberMessage * G and u2 = inv * r * Q, but since inv is zero, u1 and u2 will both be zero, i.e., the point at infinity, regardless of the value of numberMessage (the message hash, which we called z above) and Q (the public key). Subsequently, the implementation computes the intermediary curve point add by adding up the two previously computed points, which again results in the point at infinity. The final line checks that the r-component of the signature is equal to the x-coordinate of the curve point, essentially checking that 0 == 0 for all any message and any public key. Therefore, a signature (r, s) = (0, 0) is deemed valid by the code for any message, and under any public key.
Recommendation
Users of the different Stark Bank ECDSA libraries should update to the latest versions. Specifically, versions larger or at least equal to the following should be used.
- ecdsa-python: v2.0.1
- ecdsa-java: v1.0.1
- ecdsa-dotnet: v1.3.2
- ecdsa-elixir v1.0.1
- ecdsa-node v1.1.3
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "ecdsa-elixir"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.0"
]
}
],
"aliases": [
"CVE-2021-43568"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-01T17:15:25Z",
"nvd_published_at": "2021-11-09T22:15:00Z",
"severity": "CRITICAL"
},
"details": "### Summary\nStark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perform operations such as payments and transfers. In addition, Stark Bank maintains a number of cryptographic libraries to perform cryptographic signing and verification. These popular libraries are meant to be used to integrate with the Stark Bank ecosystem, but are also accessible on popular package manager platforms in order to be used by other projects. The node package manager reports around 16k weekly downloads for the [ecdsa-node](https://www.npmjs.com/package/starkbank-ecdsa ) implementation while the Python implementation boasts over [7.3M downloads in the last 90 days on PyPI](https://package.wiki/starkbank-ecdsa). A number of these libraries suffer from a vulnerability in the signature verification functions, allowing attackers to forge signatures for arbitrary messages which successfully verify with any public key.\n\n### Impact\nAn attacker can forge signatures on arbitrary messages that will verify for any public key. This may allow attackers to authenticate as any user within the Stark Bank platform, and bypass signature verification needed to perform operations on the platform, such as send payments and transfer funds. Additionally, the ability for attackers to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.\n\n### Details\nThe (slightly simplified) ECDSA verification of a signature _**(r, s)**_ on a hashed message _**z**_ with public key _**Q**_ and curve order _**n**_ works as follows:\n\nThe (slightly simplified) ECDSA verification of a signature _**(r, s)**_ on a hashed message _**z**_ with public key _**Q**_ and curve order _**n**_ works as follows:\n\n- Check that _**r**_ and _**s**_ are integers in the _**[1, n-1]**_ range, return Invalid if not.\n- Compute _**u\u003csub\u003e1\u003c/sub\u003e = zs\u003csup\u003e-1\u003c/sup\u003e mod n**_ and _**u\u003csub\u003e2\u003c/sub\u003e = rs\u003csup\u003e-1\u003c/sup\u003e mod n**_.\n- Compute the elliptic curve point _**(x, y) = u\u003csub\u003e1\u003c/sub\u003eG + u\u003csub\u003e2\u003c/sub\u003eQ**_, return Invalid if _**(x, y)**_ is the point at infinity.\n- Return Valid if _**r \u2261 x mod n**_, Invalid otherwise.\n\nThe ECDSA signature verification functions in the libraries listed above fail to perform the first check, ensuring that the r and s components of the signatures are in the correct range. Specifically, the libraries are not checking that the components of the signature are non-zero, which is an important check mandated by the standard, see X9.62:2005, Section 7.4.1/a:\n\n\u003e 1. If _**r\u2019**_ is not an integer in the interval _**[1, n-1]**_, then reject the signature.\n\u003e 2. If _**s\u2019**_ is not an integer in the interval _**[1, n-1]**_, then reject the signature.\n\nFor example, consider the following excerpt of the verify function from the [ecdsa-python implementation](https://github.com/starkbank/ecdsa-python/blob/v2.0.0/ellipticcurve/ecdsa.py#L34-L41).\n\n```python\ndef verify(cls, message, signature, publicKey, hashfunc=sha256):\n byteMessage = hashfunc(toBytes(message)).digest()\n numberMessage = numberFromByteString(byteMessage)\n curve = publicKey.curve\n r = signature.r\n s = signature.s\n inv = Math.inv(s, curve.N)\n u1 = Math.multiply(curve.G, n=(numberMessage * inv) % curve.N, N=curve.N, A=curve.A, P=curve.P)\n u2 = Math.multiply(publicKey.point, n=(r * inv) % curve.N, N=curve.N, A=curve.A, P=curve.P)\n add = Math.add(u1, u2, A=curve.A, P=curve.P)\n modX = add.x % curve.N\n return r == modX\n```\n\nIn that code snippet, the values `r` and `s` are extracted from the signature without any range check. An attacker supplying a signature equal to `(r, s) = (0, 0)` will not see their signature rejected. Proceeding with the verification, this function computes the inverse of the `s` component. Note that the `Math.inv()` function returns zero when supplied with a zero input (even though 0 does not admit an inverse). The code then computes the values `u1 = inv * numberMessage * G` and `u2 = inv * r * Q`, but since `inv` is zero, `u1` and `u2` will both be zero, i.e., the point at infinity, regardless of the value of numberMessage (the message hash, which we called _**z**_ above) and _**Q**_ (the public key). Subsequently, the implementation computes the intermediary curve point add by adding up the two previously computed points, which again results in the point at infinity. The final line checks that the r-component of the signature is equal to the x-coordinate of the curve point, essentially checking that `0 == 0` for all any message and any public key. Therefore, a signature `(r, s) = (0, 0)` is deemed valid by the code for any message, and under any public key.\n\n### Recommendation\nUsers of the different Stark Bank ECDSA libraries should update to the latest versions. Specifically, versions larger or at least equal to the following should be used.\n\n- ecdsa-python: v2.0.1\n- ecdsa-java: v1.0.1\n- ecdsa-dotnet: v1.3.2\n- ecdsa-elixir v1.0.1\n- ecdsa-node v1.1.3",
"id": "GHSA-xx36-6rv4-gj8r",
"modified": "2023-09-27T21:49:47Z",
"published": "2022-05-24T19:20:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43568"
},
{
"type": "WEB",
"url": "https://github.com/starkbank/ecdsa-elixir/commit/4b960e26768bb698f449eb7686b5664936b70b61"
},
{
"type": "WEB",
"url": "https://github.com/starkbank/ecdsa-elixir/commit/a5168f6d9cfbe0a0a62d92e2e9b1a97235d90343"
},
{
"type": "PACKAGE",
"url": "https://github.com/starkbank/ecdsa-elixir"
},
{
"type": "WEB",
"url": "https://github.com/starkbank/ecdsa-elixir/releases/tag/v1.0.1"
},
{
"type": "WEB",
"url": "https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "ecdsa-elixir fails to check signatures, vulnerable to message forging"
}
GHSA-XXX4-CX36-38R5
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE since version 11.3 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances
{
"affected": [],
"aliases": [
"CVE-2021-39909"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-05T00:15:00Z",
"severity": "MODERATE"
},
"details": "Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE since version 11.3 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances",
"id": "GHSA-xxx4-cx36-38r5",
"modified": "2022-05-24T19:19:53Z",
"published": "2022-05-24T19:19:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39909"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1237750"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39909.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/335191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.