Total
368 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-29451 | 1 Manydesigns | 1 Portofino | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release. | |||||
CVE-2021-33054 | 2 Debian, Inverse | 2 Debian Linux, Sogo | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.) | |||||
CVE-2021-35039 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2023-12-10 | 6.9 MEDIUM | 7.8 HIGH |
kernel/module.c in the Linux kernel before 5.12.14 mishandles Signature Verification, aka CID-0c18f29aae7c. Without CONFIG_MODULE_SIG, verification that a kernel module is signed, for loading via init_module, does not occur for a module.sig_enforce=1 command-line argument. | |||||
CVE-2021-28091 | 3 Debian, Entrouvert, Fedoraproject | 3 Debian Linux, Lasso, Fedora | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Lasso all versions prior to 2.7.0 has improper verification of a cryptographic signature. | |||||
CVE-2021-30130 | 2 Debian, Phpseclib | 2 Debian Linux, Phpseclib | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1.5 signature verification. | |||||
CVE-2021-3445 | 3 Fedoraproject, Redhat, Rpm | 3 Fedora, Enterprise Linux, Libdnf | 2023-12-10 | 5.1 MEDIUM | 7.5 HIGH |
A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability. | |||||
CVE-2021-3421 | 3 Fedoraproject, Redhat, Rpm | 3 Fedora, Enterprise Linux, Rpm | 2023-12-10 | 4.3 MEDIUM | 5.5 MEDIUM |
A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha. | |||||
CVE-2020-36284 | 1 Unionpayintl | 1 Union Pay | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Union Pay up to 3.4.93.4.9, for android, contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL. | |||||
CVE-2021-22735 | 1 Schneider-electric | 4 Homelynk, Homelynk Firmware, Spacelynk and 1 more | 2023-12-10 | 6.5 MEDIUM | 7.2 HIGH |
Improper Verification of Cryptographic Signature vulnerability exists inhomeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could allow remote code execution when unauthorized code is copied to the device. | |||||
CVE-2021-30246 | 1 Jsrsasign Project | 1 Jsrsasign | 2023-12-10 | 6.4 MEDIUM | 9.1 CRITICAL |
In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack. | |||||
CVE-2021-37160 | 1 Swisslog-healthcare | 2 Hmi-3 Control Panel, Hmi-3 Control Panel Firmware | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
A firmware validation issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. There is no firmware validation (e.g., cryptographic signature validation) during a File Upload for a firmware update. | |||||
CVE-2021-3196 | 1 Hitachi | 1 Id Bravura Security Fabric | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in Hitachi ID Bravura Security Fabric 11.0.0 through 11.1.3, 12.0.0 through 12.0.2, and 12.1.0. When using federated identity management (authenticating via SAML through a third-party identity provider), an attacker can inject additional data into a signed SAML response being transmitted to the service provider (ID Bravura Security Fabric). The application successfully validates the signed values but uses the unsigned malicious values. An attacker with lower-privilege access to the application can inject the username of a high-privilege user to impersonate that user. | |||||
CVE-2021-36277 | 1 Dell | 3 Alienware Command Center Application, Command \| Update, Update\/alienware Update | 2023-12-10 | 7.2 HIGH | 7.8 HIGH |
Dell Command | Update, Dell Update, and Alienware Update versions before 4.3 contains an Improper Verification of Cryptographic Signature Vulnerability. A local authenticated malicious user may exploit this vulnerability by executing arbitrary code on the system. | |||||
CVE-2021-29455 | 1 Grassroot | 1 Grassroot Platform | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM |
Grassroot Platform is an application to make it faster, cheaper and easier to persistently organize and mobilize people in low-income communities. Grassroot Platform before master deployment as of 2021-04-16 did not properly verify the signature of JSON Web Tokens when refreshing an existing JWT. This allows to forge a valid JWT. The problem has been patched in version 1.3.1 by deprecating the JWT refresh function, which was an overdue deprecation regardless (the "refresh" flow is no longer used). | |||||
CVE-2021-3680 | 1 Showdoc | 1 Showdoc | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
showdoc is vulnerable to Missing Cryptographic Step | |||||
CVE-2021-21405 | 1 Filecoin | 1 Lotus | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Lotus is an Implementation of the Filecoin protocol written in Go. BLS signature validation in lotus uses blst library method VerifyCompressed. This method accepts signatures in 2 forms: "serialized", and "compressed", meaning that BLS signatures can be provided as either of 2 unique byte arrays. Lotus block validation functions perform a uniqueness check on provided blocks. Two blocks are considered distinct if the CIDs of their blockheader do not match. The CID method for blockheader includes the BlockSig of the block. The result of these issues is that it would be possible to punish miners for valid blocks, as there are two different valid block CIDs available for each block, even though this must be unique. By switching from the go based `blst` bindings over to the bindings in `filecoin-ffi`, the code paths now ensure that all signatures are compressed by size and the way they are deserialized. This happened in https://github.com/filecoin-project/lotus/pull/5393. | |||||
CVE-2021-23993 | 1 Mozilla | 1 Thunderbird | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
An attacker may perform a DoS attack to prevent a user from sending encrypted email to a correspondent. If an attacker creates a crafted OpenPGP key with a subkey that has an invalid self signature, and the Thunderbird user imports the crafted key, then Thunderbird may try to use the invalid subkey, but the RNP library rejects it from being used, causing encryption to fail. This vulnerability affects Thunderbird < 78.9.1. | |||||
CVE-2021-32685 | 1 Togatech | 1 Tenvoy | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`. | |||||
CVE-2020-23533 | 1 Unionpayintl | 1 Union Pay | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Union Pay up to 1.2.0, for web based versions contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL. | |||||
CVE-2021-34433 | 1 Eclipse | 1 Californium | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange. |