Total
364 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-12607 | 1 Fastecdsa Project | 1 Fastecdsa | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1, the signature verification fails even if the signature is correct. This behavior is not solely a usability problem. There are some threat models where an attacker can benefit by successfully guessing users for whom signature verification will fail. | |||||
CVE-2020-9226 | 1 Huawei | 2 P30, P30 Firmware | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
HUAWEI P30 with versions earlier than 10.1.0.135(C00E135R2P11) have an improper signature verification vulnerability. The system does not improper check signature of specific software package, an attacker may exploit this vulnerability to load a crafted software package to the device. | |||||
CVE-2020-10759 | 1 Redhat | 1 Enterprise Linux | 2023-12-10 | 3.3 LOW | 6.0 MEDIUM |
A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity. | |||||
CVE-2020-14199 | 1 Satoshilabs | 4 Trezor Model T, Trezor Model T Firmware, Trezor One and 1 more | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
BIP-143 in the Bitcoin protocol specification mishandles the signing of a Segwit transaction, which allows attackers to trick a user into making two signatures in certain cases, potentially leading to a huge transaction fee. NOTE: this affects all hardware wallets. It was fixed in 1.9.1 for the Trezor One and 2.3.1 for the Trezor Model T. | |||||
CVE-2020-3209 | 1 Cisco | 1 Ios Xe | 2023-12-10 | 7.2 HIGH | 6.8 MEDIUM |
A vulnerability in software image verification in Cisco IOS XE Software could allow an unauthenticated, physical attacker to install and boot a malicious software image or execute unsigned binaries on an affected device. The vulnerability is due to an improper check on the area of code that manages the verification of the digital signatures of system image files during the initial boot process. An attacker could exploit this vulnerability by loading unsigned software on an affected device. A successful exploit could allow the attacker to install and boot a malicious software image or execute unsigned binaries on the targeted device. | |||||
CVE-2020-10126 | 1 Ncr | 2 Aptra Xfs, Selfserv Atm | 2023-12-10 | 7.2 HIGH | 7.6 HIGH |
NCR SelfServ ATMs running APTRA XFS 05.01.00 do not properly validate softare updates for the bunch note acceptor (BNA), enabling an attacker with physical access to internal ATM components to restart the host computer and execute arbitrary code with SYSTEM privileges because while booting, the update process looks for CAB archives on removable media and executes a specific file without first validating the signature of the CAB archive. | |||||
CVE-2020-13895 | 1 P5-crypt-perl Project | 1 P5-crypt-perl | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
Crypt::Perl::ECDSA in the Crypt::Perl (aka p5-Crypt-Perl) module before 0.32 for Perl fails to verify correct ECDSA signatures when r and s are small and when s = 1. This happens when using the curve secp256r1 (prime256v1). This could conceivably have a security-relevant impact if an attacker wishes to use public r and s values when guessing whether signature verification will fail. | |||||
CVE-2020-25490 | 1 Sqreen | 1 Php Microagent | 2023-12-10 | 7.5 HIGH | 7.3 HIGH |
Lack of cryptographic signature verification in the Sqreen PHP agent daemon before 1.16.0 makes it easier for remote attackers to inject rules for execution inside the virtual machine. | |||||
CVE-2019-17561 | 2 Apache, Oracle | 2 Netbeans, Graalvm | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability. | |||||
CVE-2020-12244 | 4 Debian, Fedoraproject, Opensuse and 1 more | 5 Debian Linux, Fedora, Backports Sle and 2 more | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation. | |||||
CVE-2016-11044 | 1 Google | 1 Android | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
An issue was discovered on Samsung mobile devices with L(5.0/5.1) and M(6.0) (with Fingerprint support) software. The check of an application's signature can be bypassed during installation. The Samsung ID is SVE-2016-5923 (June 2016). | |||||
CVE-2019-20834 | 1 Foxitsoftware | 1 Phantompdf | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Foxit PhantomPDF before 8.3.10. It allows signature validation bypass via a modified file or a file with non-standard signatures. | |||||
CVE-2020-15705 | 7 Canonical, Debian, Gnu and 4 more | 14 Ubuntu Linux, Debian Linux, Grub2 and 11 more | 2023-12-10 | 4.4 MEDIUM | 6.4 MEDIUM |
GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions. | |||||
CVE-2020-5407 | 1 Pivotal Software | 1 Spring Security | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid. | |||||
CVE-2020-13101 | 1 Oasis-open | 1 Oasis Digital Signature Services | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In OASIS Digital Signature Services (DSS) 1.0, an attacker can control the validation outcome (i.e., trigger either a valid or invalid outcome for a valid or invalid signature) via a crafted XML signature, when the InlineXML option is used. This defeats the expectation of non-repudiation. | |||||
CVE-2020-13803 | 1 Foxitsoftware | 2 Phantompdf, Reader | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Foxit PhantomPDF Mac and Foxit Reader for Mac before 4.0. It allows signature validation bypass via a modified file or a file with non-standard signatures. | |||||
CVE-2020-12692 | 2 Canonical, Openstack | 2 Ubuntu Linux, Keystone | 2023-12-10 | 5.5 MEDIUM | 5.4 MEDIUM |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. | |||||
CVE-2020-12046 | 1 Opto22 | 1 Softpac Project | 2023-12-10 | 3.5 LOW | 5.7 MEDIUM |
Opto 22 SoftPAC Project Version 9.6 and prior. SoftPAC’s firmware files’ signatures are not verified upon firmware update. This allows an attacker to replace legitimate firmware files with malicious files. | |||||
CVE-2019-20837 | 1 Foxitsoftware | 2 Phantompdf, Reader | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Foxit Reader and PhantomPDF before 9.5. It allows signature validation bypass via a modified file or a file with non-standard signatures. | |||||
CVE-2020-15091 | 1 Tendermint | 1 Tendermint | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
TenderMint from version 0.33.0 and before version 0.33.6 allows block proposers to include signatures for the wrong block. This may happen naturally if you start a network, have it run for some time and restart it (**without changing chainID**). A malicious block proposer (even with a minimal amount of stake) can use this vulnerability to completely halt the network. This issue is fixed in Tendermint 0.33.6 which checks all the signatures are for the block with 2/3+ majority before creating a commit. |