Common Weakness Enumeration

CWE-347

Allowed

Improper Verification of Cryptographic Signature

Abstraction: Base · Status: Draft

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

1123 vulnerabilities reference this CWE, most recent first.

GHSA-M3FQ-VVXH-C7RF

Vulnerability from github – Published: 2024-12-19 00:37 – Updated: 2024-12-19 00:37
VLAI
Details

A library injection vulnerability exists in Microsoft PowerPoint 16.83 for macOS. A specially crafted library can leverage PowerPoint's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application's permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T23:15:07Z",
    "severity": "HIGH"
  },
  "details": "A library injection vulnerability exists in Microsoft PowerPoint 16.83 for macOS. A specially crafted library can leverage PowerPoint\u0027s access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application\u0027s permissions.",
  "id": "GHSA-m3fq-vvxh-c7rf",
  "modified": "2024-12-19T00:37:35Z",
  "published": "2024-12-19T00:37:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39804"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1974"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1974"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M3PM-RPGG-5WJ6

Vulnerability from github – Published: 2025-02-18 19:25 – Updated: 2025-02-18 22:51
VLAI
Summary
Home Assistant does not correctly validate SSL for outgoing requests in core and used libs
Details

Summary

Problem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries.

Details

In the past, aiohttp-session/request had the parameter verify_ssl to control SSL certificate verification. This was a boolean value. In aiohttp 3.0, this parameter was deprecated in favor of the ssl parameter. Only when ssl is set to None or provided with a correct configured SSL context the standard SSL certificate verification will happen.

When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the verify_ssl parameter value was just moved to the new ssl parameter. This resulted in these integrations and 3rd party libraries using request.ssl = True, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector.

Example: https://github.com/home-assistant/core/blob/c4411914c2e906105b765c00af5740bd0880e946/homeassistant/components/discord/notify.py#L84

When you scan the libraries used by the integrations in Home Assistant, you will find more issues like this.

The general handling in Home Assistant looks good, as homeassistant.helpers.aoihttp_client._async_get_connector handles it correctly.

PoC

  1. Check that expired.badssl.com:443 gives an SSL error in when connecting with curl or browser.
  2. Add the integration adguard with the setting host=expired.badssl.com, port=443, use-ssl=true, verify-ssl=true.
  3. Check the logs - you get a HTTP 403 response.

Expected behavior: 1. The integration log shows an ssl.SSLCertVerificationError.

The following code shows the problem with ssl=True. No exception is raised when ssl=True (Python 3.11.6).

import asyncio
from ssl import SSLCertVerificationError

import aiohttp

BAD_URL = "https://expired.badssl.com/"


async def run_request(verify_ssl, result_placeholder: str):
    async with aiohttp.ClientSession() as session:
        exception_fired: bool = False
        try:
            await session.request("OPTIONS", BAD_URL, ssl=verify_ssl)
        except SSLCertVerificationError:
            exception_fired = True
        except Exception as error:
            print(error)
        else:
            exception_fired = False
        print(result_placeholder.format(exception_result=exception_fired))


# Case 1: ssl=False --> expected result: No exception
asyncio.run(run_request(False, "Test case 1: expected result: False - result: {exception_result}"))

# Case 2: ssl=None --> expected result: Exception
asyncio.run(run_request(None, "Test case 2: expected result: True - result: {exception_result}"))

# Case 3: ssl=True --> expected result: No Exception
asyncio.run(run_request(True, "Test case 3: expected result: False - result: {exception_result}"))

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "homeassistant"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2024.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347",
      "CWE-940"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-18T19:25:24Z",
    "nvd_published_at": "2025-02-18T19:15:29Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nProblem: Potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries.\n\n## Details\n\nIn the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen.\n\nWhen migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector.\n\nExample:\nhttps://github.com/home-assistant/core/blob/c4411914c2e906105b765c00af5740bd0880e946/homeassistant/components/discord/notify.py#L84\n\nWhen you scan the libraries used by the integrations in Home Assistant, you will find more issues like this.\n\nThe general handling in Home Assistant looks good, as `homeassistant.helpers.aoihttp_client._async_get_connector` handles it correctly.\n\n## PoC\n\n1. Check that expired.badssl.com:443 gives an SSL error in when connecting with curl or browser.\n2. Add the integration adguard with the setting `host=expired.badssl.com`, `port=443`, `use-ssl=true`, `verify-ssl=true`.\n3. Check the logs - you get a HTTP 403 response.\n\nExpected behavior:\n1. The integration log shows an `ssl.SSLCertVerificationError`.\n\nThe following code shows the problem with `ssl=True`. No exception is raised when `ssl=True` (Python 3.11.6).\n\n```\nimport asyncio\nfrom ssl import SSLCertVerificationError\n\nimport aiohttp\n\nBAD_URL = \"https://expired.badssl.com/\"\n\n\nasync def run_request(verify_ssl, result_placeholder: str):\n    async with aiohttp.ClientSession() as session:\n        exception_fired: bool = False\n        try:\n            await session.request(\"OPTIONS\", BAD_URL, ssl=verify_ssl)\n        except SSLCertVerificationError:\n            exception_fired = True\n        except Exception as error:\n            print(error)\n        else:\n            exception_fired = False\n        print(result_placeholder.format(exception_result=exception_fired))\n\n\n# Case 1: ssl=False --\u003e expected result: No exception\nasyncio.run(run_request(False, \"Test case 1: expected result: False - result: {exception_result}\"))\n\n# Case 2: ssl=None --\u003e expected result: Exception\nasyncio.run(run_request(None, \"Test case 2: expected result: True - result: {exception_result}\"))\n\n# Case 3: ssl=True --\u003e expected result: No Exception\nasyncio.run(run_request(True, \"Test case 3: expected result: False - result: {exception_result}\"))\n\n```",
  "id": "GHSA-m3pm-rpgg-5wj6",
  "modified": "2025-02-18T22:51:42Z",
  "published": "2025-02-18T19:25:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/home-assistant/core/security/advisories/GHSA-m3pm-rpgg-5wj6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/home-assistant/core/commit/8c6547f1b64f4a3d9f10090b97383353c9367892"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/home-assistant/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Home Assistant does not correctly validate SSL for outgoing requests in core and used libs"
}

GHSA-M3WG-2CH3-59M2

Vulnerability from github – Published: 2026-05-27 09:31 – Updated: 2026-05-27 09:31
VLAI
Details

The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T08:16:39Z",
    "severity": "HIGH"
  },
  "details": "The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control.",
  "id": "GHSA-m3wg-2ch3-59m2",
  "modified": "2026-05-27T09:31:14Z",
  "published": "2026-05-27T09:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41669"
    },
    {
      "type": "WEB",
      "url": "https://www.certvde.com/en/advisories/VDE-2026-050"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M429-FHMV-C6Q2

Vulnerability from github – Published: 2021-04-20 16:44 – Updated: 2024-11-18 16:26
VLAI
Summary
Improper Verification of Cryptographic Signature in ansible
Details

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0a1"
            },
            {
              "fixed": "2.8.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0a1"
            },
            {
              "fixed": "2.9.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-14365"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-02T22:49:57Z",
    "nvd_published_at": "2020-09-23T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when `disable_gpg_check` is set to `False`, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.",
  "id": "GHSA-m429-fhmv-c6q2",
  "modified": "2024-11-18T16:26:11Z",
  "published": "2021-04-20T16:44:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14365"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/1d043e082b3b1f3ad35c803137f5d3bcbae92275"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/1fa2d5fd6b768120b76a77929e27302b06accc0c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/9bea33ffa3be3d64827f59882d95b817cfab9b7e"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869154"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-m429-fhmv-c6q2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-209.yaml"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Verification of Cryptographic Signature in ansible"
}

GHSA-M48H-73H7-3CHF

Vulnerability from github – Published: 2025-04-30 18:31 – Updated: 2025-04-30 18:31
VLAI
Details

Improper verification of cryptographic signature in Microsoft Azure Functions allows an authorized attacker to execute code over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-30T18:15:47Z",
    "severity": "HIGH"
  },
  "details": "Improper verification of cryptographic signature in Microsoft Azure Functions allows an authorized attacker to execute code over a network.",
  "id": "GHSA-m48h-73h7-3chf",
  "modified": "2025-04-30T18:31:55Z",
  "published": "2025-04-30T18:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33074"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33074"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M5HR-8XHP-QGX7

Vulnerability from github – Published: 2024-09-28 09:30 – Updated: 2024-09-28 09:30
VLAI
Details

Alpine Halo9 Improper Verification of Cryptographic Signature Vulnerability. This vulnerability allows physically present attackers to bypass signature validation mechanism on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the firmware metadata signature validation mechanism. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.

Was ZDI-CAN-23102

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-28T07:15:03Z",
    "severity": "MODERATE"
  },
  "details": "Alpine Halo9 Improper Verification of Cryptographic Signature Vulnerability. This vulnerability allows physically present attackers to bypass signature validation mechanism on affected installations of Alpine Halo9 devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the firmware metadata signature validation mechanism. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.\n\nWas ZDI-CAN-23102",
  "id": "GHSA-m5hr-8xhp-qgx7",
  "modified": "2024-09-28T09:30:44Z",
  "published": "2024-09-28T09:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23960"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-845"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M5M3-46GJ-WCH8

Vulnerability from github – Published: 2022-10-06 19:54 – Updated: 2023-01-10 16:09
VLAI
Summary
SIF's Digital Signature Hash Algorithms Not Validated
Details

Impact

The github.com/sylabs/sif/v2/pkg/integrity package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

Patches

A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade.

The patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa

Workarounds

Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

References

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/sif/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-06T19:54:55Z",
    "nvd_published_at": "2022-10-06T18:16:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe `github.com/sylabs/sif/v2/pkg/integrity` package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.\n\n### Patches\n\nA patch is available in version \u003e= v2.8.1 of the module. Users are encouraged to upgrade.\n\nThe patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa\n\n### Workarounds\n\nUsers may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.\n\n### References\n\n* [CVE-2004-2761](https://nvd.nist.gov/vuln/detail/cve-2004-2761)\n* [CVE-2005-4900](https://nvd.nist.gov/vuln/detail/cve-2005-4900)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [github.com/sylabs/sif](https://github.com/sylabs/sif/issues/new)\n* Email us at [security@sylabs.io](mailto:security@sylabs.io)",
  "id": "GHSA-m5m3-46gj-wch8",
  "modified": "2023-01-10T16:09:12Z",
  "published": "2022-10-06T19:54:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sylabs/sif"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/sif/releases/tag/v2.8.1"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/cve-2004-2761"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/cve-2005-4900"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1045"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202210-19"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SIF\u0027s Digital Signature Hash Algorithms Not Validated"
}

GHSA-M82C-5HPW-48F7

Vulnerability from github – Published: 2023-07-20 18:33 – Updated: 2024-04-04 06:17
VLAI
Details

A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to perform attacks, such as a man-in-the-middle attack, by intercepting the network traffic and modifying the SMB2 messages between client and server, affecting the integrity of the data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3347"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347",
      "CWE-924"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-20T15:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Samba\u0027s SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured \"server signing = required\" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to perform attacks, such as a man-in-the-middle attack, by intercepting the network traffic and modifying the SMB2 messages between client and server, affecting the integrity of the data.",
  "id": "GHSA-m82c-5hpw-48f7",
  "modified": "2024-04-04T06:17:50Z",
  "published": "2023-07-20T18:33:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3347"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:4325"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2023:4328"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-3347"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222792"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPCSGND7LO467AJGR5DYBGZLTCGTOBCC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OT74M42E6C36W7PQVY3OS4ZM7DVYB64Z"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230731-0010"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5477"
    },
    {
      "type": "WEB",
      "url": "https://www.samba.org/samba/security/CVE-2023-3347.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M837-G268-MMV7

Vulnerability from github – Published: 2025-07-25 14:08 – Updated: 2025-07-25 14:08
VLAI
Summary
Node-SAML SAML Authentication Bypass
Details

Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature.

This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username.

To conduct the attack an attacker would need a validly signed document from the identity provider (IdP).

In fixing this we upgraded xml-crypto to v6.1.2 and made sure to process the SAML assertions from only verified/authenticated contents. This will prevent future variants from coming up.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@node-saml/node-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-347",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-25T14:08:50Z",
    "nvd_published_at": "2025-07-24T23:15:26Z",
    "severity": "CRITICAL"
  },
  "details": "Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. \n\nThis allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username.\n\nTo conduct the attack an attacker would need a validly signed document from the identity provider (IdP).\n\nIn fixing this we upgraded xml-crypto to v6.1.2 and made sure to process the SAML assertions from only verified/authenticated contents. This will prevent future variants from coming up.",
  "id": "GHSA-m837-g268-mmv7",
  "modified": "2025-07-25T14:08:50Z",
  "published": "2025-07-25T14:08:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/node-saml/security/advisories/GHSA-m837-g268-mmv7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54369"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/node-saml/commit/31ead9411ebc3e2385086fa9149b6c17732bca10"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/node-saml/node-saml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-saml/node-saml/releases/tag/v5.1.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Node-SAML SAML Authentication Bypass"
}

GHSA-M92X-373G-XC36

Vulnerability from github – Published: 2022-02-10 00:01 – Updated: 2022-02-10 00:01
VLAI
Details

The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-16154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-13T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.",
  "id": "GHSA-m92x-373g-xc36",
  "modified": "2022-02-10T00:01:23Z",
  "published": "2022-02-10T00:01:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16154"
    },
    {
      "type": "WEB",
      "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/pod/App::cpanminus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.