CWE-347: Improper Verification of Cryptographic Signature
626 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-347 (page 4 of 13)
- CVE-2020-16156 | HIGH | CVSS 7.8 | EG 7.8 | 2021-12-13
CPAN 2.28 allows Signature Verification Bypass.
- CVE-2020-16922 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-10-16
A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario,…
- CVE-2020-2021 | CRITICAL | CVSS 10.0 | EG 10.0 | KEV | 2020-06-29
When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthen…
- CVE-2020-2146 | HIGH | CVSS 7.4 | EG 7.4 | 2020-03-09
Jenkins Mac Plugin 1.1.0 and earlier does not validate SSH host keys when connecting agents created by the plugin, enabling man-in-the-middle attacks.
- CVE-2020-22653 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-01-20
In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) befo…
- CVE-2020-22659 | HIGH | CVSS 7.5 | EG 7.5 | 2023-01-20
In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) befo…
- CVE-2020-23533 | HIGH | CVSS 7.5 | EG 7.5 | 2021-04-06
Union Pay up to 1.2.0, for web based versions contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (…
- CVE-2020-23967 | HIGH | CVSS 7.8 | EG 7.8 | 2021-03-08
Dr.Web Security Space versions 11 and 12 allow elevation of privilege for local users without administrative privileges to NT AUTHORITY\SYSTEM due to insufficient control during autoupdate.
- CVE-2020-24429 | HIGH | CVSS 7.7 | EG 7.7 | 2020-11-05
Acrobat Reader DC versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) for macOS are affected by a signature verification bypass that could result in local privilege escalation. Exploitation …
- CVE-2020-24439 | LOW | CVSS 2.8 | EG 2.8 | 2020-11-05
Acrobat Reader DC for macOS versions 2020.012.20048 (and earlier), 2020.001.30005 (and earlier) and 2017.011.30175 (and earlier) are affected by a security feature bypass. While the practical security impact is minimal, a defense-in-depth …
- CVE-2020-25166 | HIGH | CVSS 7.6 | EG 7.1 | 2022-04-14
An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware…
- CVE-2020-25490 | HIGH | CVSS 7.3 | EG 7.3 | 2020-09-17
Lack of cryptographic signature verification in the Sqreen PHP agent daemon before 1.16.0 makes it easier for remote attackers to inject rules for execution inside the virtual machine.
- CVE-2020-26122 | HIGH | CVSS 7.2 | EG 7.2 | 2020-12-07
Inspur NF5266M5 through 3.21.2 and other server M5 devices allow remote code execution via administrator privileges. The Baseboard Management Controller (BMC) program of INSPUR server is weak in checking the firmware and lacks the signatur…
- CVE-2020-26244 | MEDIUM | CVSS 6.8 | EG 6.8 | 2020-12-02
Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algori…
- CVE-2020-26290 | CRITICAL | CVSS 9.3 | EG 9.3 | 2020-12-28
Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enable potential signature bypass due…
- CVE-2020-26540 | HIGH | CVSS 7.5 | EG 7.5 | 2020-10-02
An issue was discovered in Foxit Reader and PhantomPDF before 4.1 on macOS. Because the Hardened Runtime protection mechanism is not applied to code signing, code injection (or an information leak) can occur.
- CVE-2020-27540 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-01-26
Bash injection vulnerability and bypass of signature verification in Rostelecom CS-C2SHW 5.0.082.1. The camera reads firmware update configuration from SD card file vc\version.json. fw-sign parameter and from this configuration is directly…
- CVE-2020-28042 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-11-02
ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature.
- CVE-2020-28045 | HIGH | CVSS 7.8 | EG 7.8 | 2020-11-02
An unsigned-library issue was discovered in ProlinOS through 2.4.161.8859R. This OS requires installed applications and all system binaries to be signed either by the manufacturer or by the Point Of Sale application developer and distribut…
- CVE-2020-28086 | HIGH | CVSS 7.5 | EG 7.5 | 2020-12-09
pass through 1.7.3 has a possibility of using a password for an unintended resource. For exploitation to occur, the user must do a git pull, decrypt a password, and log into a remote service with the password. If an attacker controls the c…
- CVE-2020-29438 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-11-30
Tesla Model X vehicles before 2020-11-23 have key fobs that accept firmware updates without signature verification. This allows attackers to construct firmware that retrieves an unlock code from a secure enclave chip.
- CVE-2020-3138 | MEDIUM | CVSS 6.7 | EG 6.7 | 2020-02-19
A vulnerability in the upgrade component of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an authenticated, local attacker to install a malicious file when upgrading. The vulnerability is due to insufficient signature va…
- CVE-2020-3209 | MEDIUM | CVSS 6.8 | EG 6.8 | 2020-06-03
A vulnerability in software image verification in Cisco IOS XE Software could allow an unauthenticated, physical attacker to install and boot a malicious software image or execute unsigned binaries on an affected device. The vulnerability …
- CVE-2020-3308 | MEDIUM | CVSS 4.9 | EG 4.9 | 2020-05-06
A vulnerability in the Image Signature Verification feature of Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker with administrator-level credentials to install a malicious software patch on an aff…
- CVE-2020-35169 | CRITICAL | CVSS 9.1 | EG 9.8 | 2022-07-11
Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Improper Input Validation Vulnerability.
- CVE-2020-36284 | HIGH | CVSS 7.5 | EG 7.5 | 2021-04-06
Union Pay up to 3.4.9, for Android, contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) …
- CVE-2020-36285 | HIGH | CVSS 7.5 | EG 7.5 | 2021-04-06
Union Pay up to 3.3.12, for iOS mobile apps, contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (M…
- CVE-2020-36563 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-12-28
XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input.
- CVE-2020-36843 | MEDIUM | CVSS 4.3 | EG 4.3 | 2025-03-13
The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to…
- CVE-2020-5390 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-13
PySAML2 before 5.0.0 does not check that the signature in a SAML document is enveloped and thus signature wrapping is effective, i.e., it is affected by XML Signature Wrapping (XSW). The signature information and the node/object that is si…
- CVE-2020-5407 | HIGH | CVSS 8.8 | EG 8.8 | 2020-05-13
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefu…
- CVE-2020-6174 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-05
TUF (aka The Update Framework) through 0.12.1 has Improper Verification of a Cryptographic Signature.
- CVE-2020-7906 | HIGH | CVSS 7.5 | EG 7.5 | 2020-01-30
In JetBrains Rider versions 2019.3 EAP2 through 2019.3 EAP7, there were unsigned binaries provided by the Windows installer. This issue was fixed in release version 2019.3.
- CVE-2020-8133 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-11-09
A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.
- CVE-2020-8324 | MEDIUM | CVSS 5.0 | EG 5.0 | 2020-04-14
A vulnerability was reported in LenovoAppScenarioPluginSystem for Lenovo System Interface Foundation prior to version 1.2.184.31 that could allow unsigned DLL files to be executed.
- CVE-2020-9047 | MEDIUM | CVSS 6.8 | EG 6.8 | 2020-06-26
A vulnerability exists that could allow the execution of unauthorized code or operating system commands on systems running exacqVision Web Service versions 20.06.3.0 and prior and exacqVision Enterprise Manager versions 20.06.4.0 and prior…
- CVE-2020-9226 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-07-06
HUAWEI P30 with versions earlier than 10.1.0.135(C00E135R2P11) have an improper signature verification vulnerability. The system does not properly check the signature of a specific software package, so an attacker may exploit this vulnerability to …
- CVE-2020-9283 | HIGH | CVSS 7.5 | EG 7.5 | 2020-02-20
golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack…
- CVE-2020-9753 | CRITICAL | CVSS 9.1 | EG 9.1 | 2020-05-20
Whale Browser Installer versions before 1.2.0.5 do not support signature verification for the Flash installer.
- CVE-2021-0152 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-11-17
Improper verification of cryptographic signature in the installer for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products in Windows 10 may allow an authenticated user to potentially enable denial of service via local …
- CVE-2021-1136 | MEDIUM | CVSS 6.7 | EG 6.7 | 2021-02-04
Multiple vulnerabilities in Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local …
- CVE-2021-1244 | MEDIUM | CVSS 6.7 | EG 6.7 | 2021-02-04
Multiple vulnerabilities in Cisco Network Convergence System (NCS) 540 Series Routers, only when running Cisco IOS XR NCS540L software images, and Cisco IOS XR Software for the Cisco 8000 Series Routers could allow an authenticated, local …
- CVE-2021-1366 | HIGH | CVSS 7.8 | EG 7.8 | 2021-02-17
A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device if the VPN Posture …
- CVE-2021-1375 | MEDIUM | CVSS 6.7 | EG 6.7 | 2021-03-24
Multiple vulnerabilities in the fast reload feature of Cisco IOS XE Software running on Cisco Catalyst 3850, Cisco Catalyst 9300, and Cisco Catalyst 9300L Series Switches could allow an authenticated, local attacker to either execute arbit…
- CVE-2021-1376 | MEDIUM | CVSS 6.7 | EG 6.7 | 2021-03-24
Multiple vulnerabilities in the fast reload feature of Cisco IOS XE Software running on Cisco Catalyst 3850, Cisco Catalyst 9300, and Cisco Catalyst 9300L Series Switches could allow an authenticated, local attacker to either execute arbit…
- CVE-2021-1453 | MEDIUM | CVSS 6.8 | EG 6.8 | 2021-03-24
A vulnerability in the software image verification functionality of Cisco IOS XE Software for the Cisco Catalyst 9000 Family of switches could allow an unauthenticated, physical attacker to execute unsigned code at system boot time. The vu…
- CVE-2021-1461 | MEDIUM | CVSS 4.9 | EG 4.9 | 2024-11-18
A vulnerability in the Image Signature Verification feature of Cisco SD-WAN Software could allow an authenticated, remote attacker with Administrator-level credentials to install a malicious software patch on an affected device. The …
- CVE-2021-1849 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-08
An issue in code signature validation was addressed with improved checks. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. A malicious application may be able to bypass Privacy preferences.
- CVE-2021-20156 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-12-30
Trendnet AC2600 TEW-827DRU version 2.08B01 contains an improper access control configuration that could allow for a malicious firmware update. It is possible to manually install firmware that may be malicious in nature as there does not ap…
- CVE-2021-20319 | HIGH | CVSS 7.8 | EG 7.8 | 2022-03-04
An improper signature verification vulnerability was found in coreos-installer. A specially crafted gzip installation image can bypass the image signature verification and as a consequence can lead to the installation of unsigned content. …
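The ServiceStack entry above (CVE-2020-28042) turns on one detail of JWT verification: a signature segment that is shorter than the MAC the algorithm produces must be rejected outright, not compared as far as it goes. The block below is an added example, not ServiceStack's code and not a reconstruction of its actual defect: `verifyHS256Weak` is a hypothetical verifier that trusts the token's own `alg` header and compares only as many MAC bytes as the token supplied, so an empty signature segment (and an `alg: none` header) passes; `verifyHS256Strict` pins the algorithm, requires exactly one SHA-256 MAC and compares in constant time. The key and claims are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Added example (not ServiceStack's code). Illustrates CWE-347 in a compact
// JWS verifier: the weak version never requires a minimum signature length.

var errBadToken = errors.New("jwt: signature verification failed")

var enc = base64.RawURLEncoding

// MakeToken builds a compact JWS over claimsJSON. For any alg other than
// HS256 the signature segment is left empty, as an "alg":"none" token is.
func MakeToken(key []byte, alg, claimsJSON string) string {
	hdr := enc.EncodeToString([]byte(`{"alg":"` + alg + `","typ":"JWT"}`))
	payload := enc.EncodeToString([]byte(claimsJSON))
	if alg != "HS256" {
		return hdr + "." + payload + "."
	}
	return hdr + "." + payload + "." + enc.EncodeToString(expectedMAC(key, hdr, payload))
}

// StripSignature is the attacker's move: keep header and claims, drop the MAC.
func StripSignature(token string) string {
	return token[:strings.LastIndex(token, ".")+1]
}

func expectedMAC(key []byte, hdr, payload string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(hdr + "." + payload))
	return mac.Sum(nil)
}

// splitToken returns the raw header and payload segments, the header's alg
// value and the decoded signature bytes of a three-segment compact JWS.
func splitToken(token string) (hdr, payload, alg string, sig []byte, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", "", "", nil, errBadToken
	}
	hb, err := enc.DecodeString(parts[0])
	if err != nil {
		return "", "", "", nil, errBadToken
	}
	var h struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &h); err != nil {
		return "", "", "", nil, errBadToken
	}
	sig, err = enc.DecodeString(parts[2]) // "" decodes to an empty slice, no error
	if err != nil {
		return "", "", "", nil, errBadToken
	}
	return parts[0], parts[1], h.Alg, sig, nil
}

func decodeClaims(payload string) (map[string]any, error) {
	pb, err := enc.DecodeString(payload)
	if err != nil {
		return nil, errBadToken
	}
	var claims map[string]any
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, errBadToken
	}
	return claims, nil
}

// verifyHS256Weak is the hypothetical weak pattern: alg comes from the token,
// and the MAC comparison covers only the bytes the token supplied.
func verifyHS256Weak(key []byte, token string) (map[string]any, error) {
	hdr, payload, alg, sig, err := splitToken(token)
	if err != nil {
		return nil, err
	}
	switch alg {
	case "none":
		// Trusts the token's own claim that it is unsigned.
	case "HS256":
		want := expectedMAC(key, hdr, payload)
		if len(sig) > len(want) {
			return nil, errBadToken
		}
		// Bug: no minimum length. With len(sig)==0 both sides are empty and
		// hmac.Equal reports a match.
		if !hmac.Equal(want[:len(sig)], sig) {
			return nil, errBadToken
		}
	default:
		return nil, errBadToken
	}
	return decodeClaims(payload)
}

// verifyHS256Strict fixes the algorithm on the verifier side, demands a
// full-length MAC and compares it in constant time.
func verifyHS256Strict(key []byte, token string) (map[string]any, error) {
	hdr, payload, alg, sig, err := splitToken(token)
	if err != nil {
		return nil, err
	}
	if alg != "HS256" || len(sig) != sha256.Size {
		return nil, errBadToken
	}
	if !hmac.Equal(expectedMAC(key, hdr, payload), sig) {
		return nil, errBadToken
	}
	return decodeClaims(payload)
}

func main() {
	key := []byte("constructed-demo-key") // constructed
	good := MakeToken(key, "HS256", `{"sub":"alice","admin":false}`)
	forged := StripSignature(MakeToken(key, "HS256", `{"sub":"alice","admin":true}`))
	none := MakeToken(nil, "none", `{"sub":"alice","admin":true}`)
	for _, t := range []string{good, forged, none} {
		_, weak := verifyHS256Weak(key, t)
		_, strict := verifyHS256Strict(key, t)
		fmt.Printf("weak accepts=%v  strict accepts=%v\n", weak == nil, strict == nil)
	}
}
```

The strict verifier's length check is what a custom ValidateToken in the ServiceStack advisory supplies; the algorithm pin is the companion check, since a verifier that lets the token choose between "none" and an HMAC algorithm has the same outcome by a different route.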
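The EdDSA-Java entry above (CVE-2020-36843) describes signature malleability: a second byte string that verifies for the same message and key, which breaks SUF-CMA even though no new message can be forged. For Ed25519 the usual cause is a verifier that does not enforce the RFC 8032 §5.1.7 requirement that the scalar S be in [0, L); such a verifier also accepts S+L, because L·B is the identity. The block below is an added example, not code from EdDSA-Java: it builds the S+L twin of a valid signature, shows that the canonical-S check separates the two, and wraps the check in front of the library call. Keys are generated at runtime and the message is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"math/big"
)

// Added example (not EdDSA-Java's code): Ed25519 signature malleability and
// the canonical-S check that removes it.

// groupOrder is L = 2^252 + 27742317777372353535851937790883648493, the order
// of the Ed25519 base point (RFC 8032 §5.1).
var groupOrder, _ = new(big.Int).SetString(
	"7237005577332262213973186563042994240857116359379907606001950938285454250989", 10)

// scalarS reads S, the second 32 bytes of the signature, which RFC 8032
// encodes little-endian.
func scalarS(sig []byte) *big.Int {
	le := sig[32:64]
	be := make([]byte, 32)
	for i := range le {
		be[31-i] = le[i]
	}
	return new(big.Int).SetBytes(be)
}

// SIsCanonical reports whether S < L, the check a strict verifier must apply
// before (or as part of) the group equation.
func SIsCanonical(sig []byte) bool {
	return len(sig) == ed25519.SignatureSize && scalarS(sig).Cmp(groupOrder) < 0
}

// Malleate returns the twin signature (R, S+L). Since S < L < 2^253, S+L
// always fits in 32 bytes. [S+L]B == [S]B, so a verifier that reduces S mod L
// (or never checks it) accepts both encodings.
func Malleate(sig []byte) []byte {
	s := new(big.Int).Add(scalarS(sig), groupOrder)
	be := s.FillBytes(make([]byte, 32))
	out := make([]byte, ed25519.SignatureSize)
	copy(out, sig[:32])
	for i := range be {
		out[32+i] = be[31-i]
	}
	return out
}

// VerifyEd25519Strict states the canonical-S policy explicitly in front of the
// library call, so the property does not silently depend on which library is
// behind it.
func VerifyEd25519Strict(pub ed25519.PublicKey, msg, sig []byte) bool {
	return SIsCanonical(sig) && ed25519.Verify(pub, msg, sig)
}

// Demo signs a constructed message, builds the twin and returns
// (original canonical, twin canonical, original passes strict, twin passes strict).
func Demo() (bool, bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed message: transfer 10 to bob") // constructed
	sig := ed25519.Sign(priv, msg)
	twin := Malleate(sig)
	return SIsCanonical(sig), SIsCanonical(twin),
		VerifyEd25519Strict(pub, msg, sig), VerifyEd25519Strict(pub, msg, twin)
}

func main() {
	origCanon, twinCanon, origOK, twinOK := Demo()
	fmt.Printf("original: S<L=%v strict=%v\n", origCanon, origOK)
	fmt.Printf("S+L twin: S<L=%v strict=%v\n", twinCanon, twinOK)
}
```

Go's crypto/ed25519 already rejects a non-canonical S, so the wrapper here is redundant on that library; the point is that the property is a verifier obligation, and a system that stores or deduplicates signatures (a transaction ledger, a signed-artifact cache) should apply the check at its own boundary rather than assume every library it calls does.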