Name | Signature Spoofing by Mixing Signed and Unsigned Content |
Summary | An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data. |
Prerequisites | Signer and recipient are using complex data storage structures that allow for a mix between signed and unsigned data. Recipient is using signature verification software that does not maintain separation between signed and unsigned data once the signature has been verified. |
Solutions | Ensure the application is fully patched and does not allow the processing of unsigned data as if it is signed data. |
Related Weaknesses |
CWE ID | Description |
CWE-311 | Missing Encryption of Sensitive Data |
CWE-319 | Cleartext Transmission of Sensitive Information |
CWE-693 | Protection Mechanism Failure |
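The prerequisite above (a verifier that stops separating signed from unsigned content after the check passes) and the solution (never treat unsigned data as signed) are illustrated by the following added example, which is not part of the CAPEC entry. It assumes a constructed envelope format with a signed JSON section and a free-form unsigned section, and uses an HMAC over the signed bytes as a stand-in for a real signature so it runs offline.

```python
import hashlib
import hmac
import json

# Assumption: a shared HMAC key stands in for a real signing key so the example runs offline.
KEY = b"constructed-demo-key"

def _tag(signed_bytes: bytes) -> str:
    return hmac.new(KEY, signed_bytes, hashlib.sha256).hexdigest()

def make_envelope(payload: dict, unsigned=None) -> dict:
    """Envelope with a signed section (canonical JSON) and an unsigned, free-form section."""
    signed = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {"signed": signed, "sig": _tag(signed.encode()), "unsigned": dict(unsigned or {})}

def _check(envelope: dict) -> dict:
    """Verify the signature over the signed section only; raise on mismatch."""
    signed = envelope["signed"].encode()
    if not hmac.compare_digest(_tag(signed), envelope["sig"]):
        raise ValueError("signature verification failed")
    return json.loads(signed)

def verify_flawed(envelope: dict) -> dict:
    """Verification passes, but the result merges unsigned fields into the signed ones.
    From here on the caller cannot tell which values the signature actually covered."""
    result = _check(envelope)
    result.update(envelope.get("unsigned", {}))  # defect: unsigned data overrides signed data
    return result

def verify_strict(envelope: dict) -> dict:
    """Verification passes and the two sections stay separate; callers must read
    authoritative fields from 'signed' only."""
    return {"signed": _check(envelope), "unsigned": dict(envelope.get("unsigned", {}))}

def demo():
    """Constructed transfer message: the signed amount is 10; an unsigned 'amount' appears later."""
    env = make_envelope({"amount": 10, "to": "alice"}, unsigned={"note": "display only"})
    env["unsigned"]["amount"] = 9999  # post-signing change to the unsigned section; signature still valid
    flawed_amount = verify_flawed(env)["amount"]
    strict_amount = verify_strict(env)["signed"]["amount"]
    return flawed_amount, strict_amount

if __name__ == "__main__":
    print(demo())  # (9999, 10): the flawed verifier reports the unsigned value as if signed
```

The signature check itself succeeds in both verifiers; the difference is only in what the caller is handed afterwards, which is exactly the separation the entry's prerequisite describes.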