Total
347 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-0567 | 4 Debian, Fedoraproject, Gnu and 1 more | 4 Debian Linux, Fedora, Gnutls and 1 more | 2024-06-27 | N/A | 7.5 HIGH |
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack. | |||||
CVE-2022-23540 | 1 Auth0 | 1 Jsonwebtoken | 2024-06-21 | N/A | 7.6 HIGH |
In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the `jwt.verify()` function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the `jwt.verify()` method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the `none` algorithm. If you need 'none' algorithm, you have to explicitly specify that in `jwt.verify()` options. | |||||
CVE-2024-37532 | 2024-06-20 | N/A | 8.8 HIGH | ||
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to identity spoofing by an authenticated user due to improper signature validation. IBM X-Force ID: 294721. | |||||
CVE-2024-37568 | 1 Authlib | 1 Authlib | 2024-06-20 | N/A | 7.5 HIGH |
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.) | |||||
CVE-2024-37886 | 2024-06-17 | N/A | 5.4 MEDIUM | ||
user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0. | |||||
CVE-2024-21383 | 1 Microsoft | 1 Edge Chromium | 2024-06-11 | N/A | 3.3 LOW |
Microsoft Edge (Chromium-based) Spoofing Vulnerability | |||||
CVE-2023-25718 | 1 Connectwise | 1 Control | 2024-06-04 | N/A | 9.8 CRITICAL |
** DISPUTED ** In ConnectWise Control through 22.9.10032 (formerly known as ScreenConnect), after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a (different) attacker-controlled executable file. It is plausible that the end user may allow the download and execution of this file to proceed. There are ConnectWise Control configuration options that add mitigations. NOTE: this may overlap CVE-2023-25719. NOTE: the vendor's position is that this purported vulnerability represents a "fundamental lack of understanding of Authenticode code signing behavior." | |||||
CVE-2023-41764 | 1 Microsoft | 3 365 Apps, Office, Office Long Term Servicing Channel | 2024-05-29 | N/A | 5.5 MEDIUM |
Microsoft Office Spoofing Vulnerability | |||||
CVE-2023-35373 | 1 Microsoft | 1 Mono | 2024-05-29 | N/A | 5.3 MEDIUM |
Mono Authenticode Validation Spoofing Vulnerability | |||||
CVE-2023-28228 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2024-05-29 | N/A | 5.5 MEDIUM |
Windows Spoofing Vulnerability | |||||
CVE-2023-28226 | 1 Microsoft | 8 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 5 more | 2024-05-29 | N/A | 5.3 MEDIUM |
Windows Enroll Engine Security Feature Bypass Vulnerability | |||||
CVE-2024-2451 | 2024-05-28 | N/A | 6.4 MEDIUM | ||
Improper fingerprint validation in the TeamViewer Client (Full & Host) prior Version 15.54 for Windows and macOS allows an attacker with administrative user rights to further elevate privileges via executable sideloading. | |||||
CVE-2024-2307 | 2024-05-22 | N/A | 6.1 MEDIUM | ||
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built. | |||||
CVE-2024-1721 | 2024-05-21 | N/A | N/A | ||
Improper Verification of Cryptographic Signature vulnerability in HYPR Passwordless on Windows allows Malicious Software Update.This issue affects HYPR Passwordless: before 9.1. | |||||
CVE-2024-34358 | 2024-05-14 | N/A | 5.3 MEDIUM | ||
TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the `ShowImageController` (`_eID tx_cms_showpic_`) lacks a cryptographic HMAC-signature on the `frame` HTTP query parameter (e.g. `/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`). This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side. TYPO3 versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, 13.1.1 fix the problem described. | |||||
CVE-2023-50228 | 2024-05-03 | N/A | 7.8 HIGH | ||
Parallels Desktop Updater Improper Verification of Cryptographic Signature Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Updater service. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-21817. | |||||
CVE-2024-32962 | 2024-05-02 | N/A | 10.0 CRITICAL | ||
xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional validation steps, the default configuration allows a malicious actor to re-sign an XML document, place the certificate in a `<KeyInfo />` element, and pass `xml-crypto` default validation checks. As a result `xml-crypto` trusts by default any certificate provided via digitally signed XML document's `<KeyInfo />`. `xml-crypto` prefers to use any certificate provided via digitally signed XML document's `<KeyInfo />` even if library was configured to use specific certificate (`publicCert`) for signature verification purposes. An attacker can spoof signature verification by modifying XML document and replacing existing signature with signature generated with malicious private key (created by attacker) and by attaching that private key's certificate to `<KeyInfo />` element. This vulnerability is combination of changes introduced to `4.0.0` on pull request 301 / commit `c2b83f98` and has been addressed in version 6.0.0 with pull request 445 / commit `21201723d`. Users are advised to upgrade. Users unable to upgrade may either check the certificate extracted via `getCertFromKeyInfo` against trusted certificates before accepting the results of the validation or set `xml-crypto's getCertFromKeyInfo` to `() => undefined` forcing `xml-crypto` to use an explicitly configured `publicCert` or `privateKey` for signature verification. | |||||
CVE-2024-23480 | 2024-05-01 | N/A | 7.5 HIGH | ||
A fallback mechanism in code sign checking on macOS may allow arbitrary code execution. This issue affects Zscaler Client Connector on MacOS prior to 4.2. | |||||
CVE-2024-26194 | 2024-04-10 | N/A | 7.4 HIGH | ||
Secure Boot Security Feature Bypass Vulnerability | |||||
CVE-2023-33959 | 1 Notaryproject | 1 Notation-go | 2024-04-01 | N/A | 8.8 HIGH |
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries. |