CWE-347
AllowedImproper Verification of Cryptographic Signature
Abstraction: Base · Status: Draft
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
1123 vulnerabilities reference this CWE, most recent first.
CVE-2025-2763 (GCVE-0-2025-2763)
Vulnerability from cvelistv5 – Published: 2025-04-23 16:48 – Updated: 2025-04-23 18:14- CWE-347 - Improper Verification of Cryptographic Signature
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| CarlinKit | CPC200-CCPA |
Affected:
2024.01.19.1541
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2763",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T18:13:57.976343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:14:09.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "CPC200-CCPA",
"vendor": "CarlinKit",
"versions": [
{
"status": "affected",
"version": "2024.01.19.1541"
}
]
}
],
"dateAssigned": "2025-03-24T19:42:39.975Z",
"datePublic": "2025-03-25T23:22:10.234Z",
"descriptions": [
{
"lang": "en",
"value": "CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of CarlinKit CPC200-CCPA devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of update packages on USB drives. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24356."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:48:00.717Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-179",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-179/"
}
],
"source": {
"lang": "en",
"value": "(VicOne Inc) Aaron Luo, Spencer Hsieh"
},
"title": "CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-2763",
"datePublished": "2025-04-23T16:48:00.717Z",
"dateReserved": "2025-03-24T19:42:39.949Z",
"dateUpdated": "2025-04-23T18:14:09.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2233 (GCVE-0-2025-2233)
Vulnerability from cvelistv5 – Published: 2025-03-11 22:30 – Updated: 2026-02-26 19:09- CWE-347 - Improper Verification of Cryptographic Signature
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Samsung | SmartThings |
Affected:
000.054.00013
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-13T03:55:19.492225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T19:09:35.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SmartThings",
"vendor": "Samsung",
"versions": [
{
"status": "affected",
"version": "000.054.00013"
}
]
}
],
"dateAssigned": "2025-03-11T22:30:02.614Z",
"datePublic": "2025-03-11T22:30:34.143Z",
"descriptions": [
{
"lang": "en",
"value": "Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Samsung SmartThings. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the Hub Local API service, which listens on TCP port 8766 by default. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25615."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T22:30:44.003Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-25-127",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-127/"
}
],
"source": {
"lang": "en",
"value": "NiNi (@terrynini38514) from DEVCORE Research Team"
},
"title": "Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2025-2233",
"datePublished": "2025-03-11T22:30:44.003Z",
"dateReserved": "2025-03-11T22:30:02.709Z",
"dateUpdated": "2026-02-26T19:09:35.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-0824 (GCVE-0-2025-0824)
Vulnerability from cvelistv5 – Published: 2026-06-29 05:34 – Updated: 2026-06-29 12:38- CWE-347 - Improper verification of cryptographic signature
| URL | Tags |
|---|---|
| https://www.hitachi.com/products/it/storage-solut… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi | Hitachi Virtual Storage Platform One Block 23, 24, 26, 28 |
Affected:
0 , < DKCMAIN A3-04-21-40/00, ESM A3-04-21/00
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0824",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T12:38:22.989556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T12:38:48.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hitachi Virtual Storage Platform One Block 23, 24, 26, 28",
"vendor": "Hitachi",
"versions": [
{
"changes": [
{
"at": "DKCMAIN A3-04-21-40/00, ESM A3-04-21/00",
"status": "unaffected"
}
],
"lessThan": "DKCMAIN A3-04-21-40/00, ESM A3-04-21/00",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Lack of validation for firmware update\u0026nbsp;in Hitachi Hitachi Virtual Storage Platform One Block 23, 24, 26, 28.\u003cp\u003eThis issue affects Hitachi Virtual Storage Platform One Block 23, 24, 26, 28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00.\u003c/p\u003e"
}
],
"value": "Lack of validation for firmware update\u00a0in Hitachi Hitachi Virtual Storage Platform One Block 23, 24, 26, 28.\n\nThis issue affects Hitachi Virtual Storage Platform One Block 23, 24, 26, 28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00."
}
],
"impacts": [
{
"capecId": "CAPEC-473",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-473 Signature Spoof"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper verification of cryptographic signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T05:34:34.668Z",
"orgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
"shortName": "Hitachi"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_308.html"
}
],
"source": {
"advisory": "hitachi-sec-2026-308",
"discovery": "UNKNOWN"
},
"title": "lack of validation for firmware update in Hitachi Virtual Storage",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "50d0f415-c707-4733-9afc-8f6c0e9b3f82",
"assignerShortName": "Hitachi",
"cveId": "CVE-2025-0824",
"datePublished": "2026-06-29T05:34:34.668Z",
"dateReserved": "2025-01-29T07:25:51.664Z",
"dateUpdated": "2026-06-29T12:38:48.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56161 (GCVE-0-2024-56161)
Vulnerability from cvelistv5 – Published: 2025-02-03 17:24 – Updated: 2025-04-02 22:03- CWE-347 - Improper Verification of Cryptographic Signature
| Vendor | Product | Version | |
|---|---|---|---|
| AMD | AMD EPYC™ 7001 Series |
Unaffected:
NaplesPI 1.0.0.P
|
|
| AMD | AMD EPYC™ 7002 Series |
Unaffected:
RomePI 1.0.0.L
|
|
| AMD | AMD EPYC™ 7003 Series |
Unaffected:
MilanPI 1.0.0.F
|
|
| AMD | AMD EPYC™ 9004 Series |
Unaffected:
Genoa 1.0.0.E
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-04-02T22:03:14.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/02/04/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/06/2"
},
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00024.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T17:43:59.636370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:51:23.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "NaplesPI 1.0.0.P",
"product": "AMD EPYC\u2122 7001 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "NaplesPI 1.0.0.P"
}
]
},
{
"defaultStatus": "affected",
"packageName": "RomePI 1.0.0.L",
"product": "AMD EPYC\u2122 7002 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "RomePI 1.0.0.L"
}
]
},
{
"defaultStatus": "affected",
"packageName": "MilanPI 1.0.0.F",
"product": "AMD EPYC\u2122 7003 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "MilanPI 1.0.0.F"
}
]
},
{
"defaultStatus": "affected",
"product": "AMD EPYC\u2122 9004 Series",
"vendor": "AMD",
"versions": [
{
"status": "unaffected",
"version": "Genoa 1.0.0.E"
}
]
}
],
"datePublic": "2025-02-03T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.\u003cbr\u003e"
}
],
"value": "Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T17:24:01.185Z",
"orgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"shortName": "AMD"
},
"references": [
{
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648",
"assignerShortName": "AMD",
"cveId": "CVE-2024-56161",
"datePublished": "2025-02-03T17:24:01.185Z",
"dateReserved": "2024-12-17T21:34:57.677Z",
"dateUpdated": "2025-04-02T22:03:14.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54150 (GCVE-0-2024-54150)
Vulnerability from cvelistv5 – Published: 2024-12-19 18:22 – Updated: 2024-12-20 17:34- CWE-347 - Improper Verification of Cryptographic Signature
| URL | Tags |
|---|---|
| https://github.com/xmidt-org/cjwt/security/adviso… | x_refsource_CONFIRM |
| https://github.com/xmidt-org/cjwt/commit/096ab3e3… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-54150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T17:33:33.498328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T17:34:34.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cjwt",
"vendor": "xmidt-org",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "cjwt is a C JSON Web Token (JWT) Implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to exploit the lack of distinction between signing methods. If the system doesn\u0027t differentiate between an HMAC signed token and an RS/EC/PS signed token during verification, it becomes vulnerable to this kind of attack. For instance, an attacker could craft a token with the alg field set to \"HS256\" while the server expects an asymmetric algorithm like \"RS256\". The server might mistakenly use the wrong verification method, such as using a public key as the HMAC secret, leading to unauthorised access. For RSA, the key can be computed from a few signatures. For Elliptic Curve (EC), two potential keys can be recovered from one signature. This can be used to bypass the signature mechanism if an application relies on asymmetrically signed tokens. This issue has been addressed in version 2.3.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T18:22:33.901Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xmidt-org/cjwt/security/advisories/GHSA-9h24-7qp5-gp82",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xmidt-org/cjwt/security/advisories/GHSA-9h24-7qp5-gp82"
},
{
"name": "https://github.com/xmidt-org/cjwt/commit/096ab3e37f73c914b716e7259589179f363265fd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xmidt-org/cjwt/commit/096ab3e37f73c914b716e7259589179f363265fd"
}
],
"source": {
"advisory": "GHSA-9h24-7qp5-gp82",
"discovery": "UNKNOWN"
},
"title": "Algorithm Confusion Vulnerability in cjwt"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-54150",
"datePublished": "2024-12-19T18:22:33.901Z",
"dateReserved": "2024-11-29T18:02:16.756Z",
"dateUpdated": "2024-12-20T17:34:34.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54126 (GCVE-0-2024-54126)
Vulnerability from cvelistv5 – Published: 2024-12-05 12:14 – Updated: 2024-12-05 16:37| URL | Tags |
|---|---|
| https://www.cert-in.org.in/s2cMainServlet?pageid=… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| TP-Link | Archer C50 Wireless Router |
Affected:
<Archer C50(EU)_V4_ 240917
|
|
| tp-link | archer_c50_firmware |
Affected:
c50\(eu\)_v4_240917
cpe:2.3:o:tp-link:archer_c50_firmware:c50\(eu\)_v4_240917:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:tp-link:archer_c50_firmware:c50\\(eu\\)_v4_240917:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "archer_c50_firmware",
"vendor": "tp-link",
"versions": [
{
"status": "affected",
"version": "c50\\(eu\\)_v4_240917"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T15:56:14.433573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T16:37:56.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Archer C50 Wireless Router",
"vendor": "TP-Link",
"versions": [
{
"status": "affected",
"version": "\u003cArcher C50(EU)_V4_ 240917"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability is reported is reported by Khalid Markar, Amey Chavekar, Sushant Mane \u0026 Dr. Faruk Kazi from CoE-CNDS Lab, VJTI, Mumbai"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "This vulnerability exists in the TP-Link Archer C50 due to improper signature verification mechanism in the firmware upgrade process at its web interface. An attacker with administrative privileges within the router\u2019s Wi-Fi range could exploit this vulnerability by uploading and executing malicious firmware which could lead to complete compromise of the targeted device."
}
],
"value": "This vulnerability exists in the TP-Link Archer C50 due to improper signature verification mechanism in the firmware upgrade process at its web interface. An attacker with administrative privileges within the router\u2019s Wi-Fi range could exploit this vulnerability by uploading and executing malicious firmware which could lead to complete compromise of the targeted device."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494: Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T12:14:41.814Z",
"orgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"shortName": "CERT-In"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0354"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to Archer C50(EU)_V4_ 240917\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://static.tp-link.com/upload/firmware/2024/202411/20241125/Archer%20C50(EU)_V4_240917.zip\"\u003ehttps://static.tp-link.com/upload/firmware/2024/202411/20241125/Archer%20C50(EU)_V4_240917.zip\u003c/a\u003e \u003cbr\u003e"
}
],
"value": "Upgrade to Archer C50(EU)_V4_ 240917\n\n https://static.tp-link.com/upload/firmware/2024/202411/20241125/Archer%20C50(EU)_V4_240917.zip"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insufficient Integrity Verification Vulnerability in TP-Link Archer C50",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "66834db9-ab24-42b4-be80-296b2e40335c",
"assignerShortName": "CERT-In",
"cveId": "CVE-2024-54126",
"datePublished": "2024-12-05T12:14:41.814Z",
"dateReserved": "2024-11-29T11:09:33.863Z",
"dateUpdated": "2024-12-05T16:37:56.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53267 (GCVE-0-2024-53267)
Vulnerability from cvelistv5 – Published: 2024-11-26 18:41 – Updated: 2024-11-26 19:46- CWE-347 - Improper Verification of Cryptographic Signature
| URL | Tags |
|---|---|
| https://github.com/sigstore/sigstore-java/securit… | x_refsource_CONFIRM |
| https://github.com/sigstore/sigstore-conformance/… | x_refsource_MISC |
| https://github.com/sigstore/sigstore-java/pull/856 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| sigstore | sigstore-java |
Affected:
>= 1.0.0, < 1.1.0
|
|
| sigstore | sigstore-java |
Affected:
1.0.0 , < 1.1.0
(custom)
cpe:2.3:a:sigstore:sigstore-java:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sigstore:sigstore-java:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sigstore-java",
"vendor": "sigstore",
"versions": [
{
"lessThan": "1.1.0",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53267",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T19:21:47.363473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T19:46:41.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sigstore-java",
"vendor": "sigstore",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but \"mismatched\" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation of KeylessVerifier.verify(). The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby \"verifying\" a bundle without any proof the signing event was logged. This allows the creation of a bundle without fulcio certificate and private key combined with an unrelated but time-correct log entry to fake logging of a signing event. A malicious actor using a compromised identity may want to do this to prevent discovery via rekor\u0027s log monitors. The signer\u0027s identity will still be available to the verifier. The signature on the bundle must still be on the correct artifact for the verifier to pass. sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality. This issue has been patched in v1.1.0 release with PR #856. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T18:41:29.240Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w"
},
{
"name": "https://github.com/sigstore/sigstore-conformance/pull/166",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sigstore/sigstore-conformance/pull/166"
},
{
"name": "https://github.com/sigstore/sigstore-java/pull/856",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sigstore/sigstore-java/pull/856"
}
],
"source": {
"advisory": "GHSA-q4xm-6fjc-5f6w",
"discovery": "UNKNOWN"
},
"title": "Vulnerability with bundle verification in sigstore-java"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53267",
"datePublished": "2024-11-26T18:41:29.240Z",
"dateReserved": "2024-11-19T20:08:14.481Z",
"dateUpdated": "2024-11-26T19:46:41.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52958 (GCVE-0-2024-52958)
Vulnerability from cvelistv5 – Published: 2024-11-27 05:22 – Updated: 2024-11-27 14:46- CWE-347 - Improper Verification of Cryptographic Signature
| URL | Tags |
|---|---|
| https://zuso.ai/advisory/za-2024-11 | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Galaxy Software Services Corporation | iota C.ai Conversational Platform |
Affected:
1.0.0 , ≤ 2.1.3
(custom)
|
|
| galaxy_software_services_corporation | iota_c.ai_conversational_platform |
Affected:
1.0.0 , ≤ 2.1.3
(custom)
cpe:2.3:a:galaxy_software_services_corporation:iota_c.ai_conversational_platform:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:galaxy_software_services_corporation:iota_c.ai_conversational_platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "iota_c.ai_conversational_platform",
"vendor": "galaxy_software_services_corporation",
"versions": [
{
"lessThanOrEqual": "2.1.3",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T14:45:10.138270Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T14:46:28.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "iota C.ai Conversational Platform",
"vendor": "Galaxy Software Services Corporation",
"versions": [
{
"lessThanOrEqual": "2.1.3",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-11-27T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A improper verification of cryptographic signature vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to load a malicious DLL via upload plugin function."
}
],
"value": "A improper verification of cryptographic signature vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to load a malicious DLL via upload plugin function."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T05:22:47.950Z",
"orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
"shortName": "ZUSO ART"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://zuso.ai/advisory/za-2024-11"
}
],
"source": {
"defect": [
"ZA-2024-11"
],
"discovery": "UNKNOWN"
},
"title": "iota C.ai Conversational Platform - Improper Verification of Cryptographic Signature",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88",
"assignerShortName": "ZUSO ART",
"cveId": "CVE-2024-52958",
"datePublished": "2024-11-27T05:22:47.950Z",
"dateReserved": "2024-11-18T08:24:35.610Z",
"dateUpdated": "2024-11-27T14:46:28.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-51526 (GCVE-0-2024-51526)
Vulnerability from cvelistv5 – Published: 2024-11-05 09:23 – Updated: 2024-11-05 15:35- CWE-347 - Improper Verification of Cryptographic Signature
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-51526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T15:35:41.013633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T15:35:52.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HarmonyOS",
"vendor": "Huawei",
"versions": [
{
"status": "affected",
"version": "5.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Permission control vulnerability in the hidebug module\u003cbr\u003eImpact: Successful exploitation of this vulnerability may affect service confidentiality."
}
],
"value": "Permission control vulnerability in the hidebug module\nImpact: Successful exploitation of this vulnerability may affect service confidentiality."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T09:23:37.762Z",
"orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"shortName": "huawei"
},
"references": [
{
"url": "https://consumer.huawei.com/en/support/bulletin/2024/11/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
"assignerShortName": "huawei",
"cveId": "CVE-2024-51526",
"datePublished": "2024-11-05T09:23:37.762Z",
"dateReserved": "2024-10-29T01:43:54.526Z",
"dateUpdated": "2024-11-05T15:35:52.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50347 (GCVE-0-2024-50347)
Vulnerability from cvelistv5 – Published: 2024-10-31 17:56 – Updated: 2024-10-31 19:46- CWE-347 - Improper Verification of Cryptographic Signature
| URL | Tags |
|---|---|
| https://github.com/laravel/reverb/security/adviso… | x_refsource_CONFIRM |
| https://github.com/laravel/reverb/pull/252 | x_refsource_MISC |
| https://github.com/laravel/reverb/commit/73cc140d… | x_refsource_MISC |
| https://github.com/laravel/reverb/releases/tag/v1.4.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50347",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-31T19:46:23.788835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T19:46:33.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "reverb",
"vendor": "laravel",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Prior to 1.4.0, there is an issue where verification signatures for requests sent to Reverb\u0027s Pusher-compatible API were not being verified. This API is used in scenarios such as broadcasting a message from a backend service or for obtaining statistical information (such as number of connections) about a given channel. This issue only affects the Pusher-compatible API endpoints and not the WebSocket connections themselves. In order to exploit this vulnerability, the application ID which, should never be exposed, would need to be known by an attacker. This vulnerability is fixed in 1.4.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-31T17:56:41.503Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laravel/reverb/security/advisories/GHSA-pfrr-xvrf-pxjx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laravel/reverb/security/advisories/GHSA-pfrr-xvrf-pxjx"
},
{
"name": "https://github.com/laravel/reverb/pull/252",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laravel/reverb/pull/252"
},
{
"name": "https://github.com/laravel/reverb/commit/73cc140d76e803b151fc2dd2e4eb3eb784a82ee2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laravel/reverb/commit/73cc140d76e803b151fc2dd2e4eb3eb784a82ee2"
},
{
"name": "https://github.com/laravel/reverb/releases/tag/v1.4.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laravel/reverb/releases/tag/v1.4.0"
}
],
"source": {
"advisory": "GHSA-pfrr-xvrf-pxjx",
"discovery": "UNKNOWN"
},
"title": "Laravel Reverb has Missing API Signature Verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-50347",
"datePublished": "2024-10-31T17:56:41.503Z",
"dateReserved": "2024-10-22T17:54:40.956Z",
"dateUpdated": "2024-10-31T19:46:33.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.