Total
349 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-13177 | 1 Django-rest-registration Project | 1 Django-rest-registration | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
verification.py in django-rest-registration (aka Django REST Registration library) before 0.5.0 relies on a static string for signatures (i.e., the Django Signing API is misused), which allows remote attackers to spoof the verification process. This occurs because incorrect code refactoring led to calling a security-critical function with an incorrect argument. | |||||
CVE-2019-11841 | 2 Debian, Golang | 2 Debian Linux, Crypto | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" Armor Headers. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. However, the Go clearsign package ignores the value of this header, which allows an attacker to spoof it. Consequently, an attacker can lead a victim to believe the signature was generated using a different message digest algorithm than what was actually used. Moreover, since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures. | |||||
CVE-2019-12269 | 1 Enigmail | 1 Enigmail | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PGP message, an attacker can cause the product to display a "correctly signed" message indication, but display different unauthenticated text. | |||||
CVE-2018-12556 | 1 Yarnpkg | 1 Website | 2024-02-04 | 4.3 MEDIUM | 5.9 MEDIUM |
The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn release packages with their own key. | |||||
CVE-2019-2278 | 1 Qualcomm | 30 Mdm9607, Mdm9607 Firmware, Mdm9640 and 27 more | 2024-02-04 | 7.2 HIGH | 7.8 HIGH |
User keystore signature is ignored in boot and can lead to bypass boot image signature verification in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Mobile in MDM9607, MDM9640, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SDM660 | |||||
CVE-2019-5299 | 1 Huawei | 2 Hima-al00b, Hima-al00b Firmware | 2024-02-04 | 6.8 MEDIUM | 7.8 HIGH |
Huawei mobile phones Hima-AL00Bhave with Versions earlier than HMA-AL00C00B175 have a signature verification bypass vulnerability. Attackers can induce users to install malicious applications. Due to a defect in the signature verification logic, the malicious applications can invoke specific interface to execute malicious code. A successful exploit may result in the execution of arbitrary code. | |||||
CVE-2019-10136 | 1 Redhat | 2 Satellite, Spacewalk | 2024-02-04 | 4.0 MEDIUM | 4.3 MEDIUM |
It was found that Spacewalk, all versions through 2.9, did not safely compute client token checksums. An attacker with a valid, but expired, authenticated set of headers could move some digits around, artificially extending the session validity without modifying the checksum. | |||||
CVE-2019-1010263 | 1 Perl Crypt\ | 1 \ | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivity. The fixed version is: after commit b98a59b42ded9f9e51b2560410106207c2152d6c. | |||||
CVE-2019-15545 | 1 Libp2p | 1 Libp2p | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in the libp2p-core crate before 0.8.1 for Rust. Attackers can spoof ed25519 signatures. | |||||
CVE-2019-1811 | 1 Cisco | 66 9432pq, 9536pq, 9636pq and 63 more | 2024-02-04 | 7.2 HIGH | 6.7 MEDIUM |
A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability exists because software digital signatures are not properly verified during CLI command execution. An attacker could exploit this vulnerability to install an unsigned software image on an affected device. | |||||
CVE-2019-6318 | 1 Hp | 286 Color Laserjet Cm4540 Mfp, Color Laserjet Cm4540 Mfp Firmware, Color Laserjet Enterprise Cp5525 and 283 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
HP LaserJet Enterprise printers, HP PageWide Enterprise printers, HP LaserJet Managed printers, HP Officejet Enterprise printers have an insufficient solution bundle signature validation that potentially allows execution of arbitrary code. | |||||
CVE-2017-18407 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 5.8 MEDIUM | 4.8 MEDIUM |
cPanel before 67.9999.103 does not enforce SSL hostname verification for the support-agreement download (SEC-279). | |||||
CVE-2019-1813 | 1 Cisco | 66 9432pq, 9536pq, 9636pq and 63 more | 2024-02-04 | 7.2 HIGH | 6.7 MEDIUM |
A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software image on an affected device. The vulnerability exists because software digital signatures are not properly verified during CLI command execution. An attacker could exploit this vulnerability to install an unsigned software image on an affected device. | |||||
CVE-2019-9153 | 1 Openpgpjs | 1 Openpgpjs | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to forge signed messages by replacing its signatures with a "standalone" or "timestamp" signature. | |||||
CVE-2019-5300 | 1 Huawei | 53 Ar1200-s Firmware, Ar1200 Firmware, Ar1200e and 50 more | 2024-02-04 | 4.6 MEDIUM | 6.7 MEDIUM |
There is a digital signature verification bypass vulnerability in AR1200, AR1200-S, AR150, AR160, AR200, AR2200, AR2200-S, AR3200, SRG1300, SRG2300 and SRG3300 Huawei routers. The vulnerability is due to the affected software improperly verifying digital signatures for the software image in the affected device. A local attacker with high privilege may exploit the vulnerability to bypass integrity checks for software images and install a malicious software image on the affected device. | |||||
CVE-2019-9154 | 1 Openpgpjs | 1 Openpgpjs | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Improper Verification of a Cryptographic Signature in OpenPGP.js <=4.1.2 allows an attacker to pass off unsigned data as signed. | |||||
CVE-2018-5923 | 1 Hp | 276 Color Laserjet Cm4540 Mfp, Color Laserjet Cm4540 Mfp Firmware, Color Laserjet Cp5525 and 273 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
In HP LaserJet Enterprise, HP PageWide Enterprise, HP LaserJet Managed, and HP OfficeJet Enterprise Printers, solution application signature checking may allow potential execution of arbitrary code. | |||||
CVE-2019-10201 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-02-04 | 5.5 MEDIUM | 8.1 HIGH |
It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. | |||||
CVE-2019-1808 | 1 Cisco | 32 7000 10-slot, 7000 18-slot, 7000 4-slot and 29 more | 2024-02-04 | 2.1 LOW | 4.4 MEDIUM |
A vulnerability in the Image Signature Verification feature of Cisco NX-OS Software could allow an authenticated, local attacker with administrator-level credentials to install a malicious software patch on an affected device. The vulnerability is due to improper verification of digital signatures for patch images. An attacker could exploit this vulnerability by loading an unsigned software patch on an affected device. A successful exploit could allow the attacker to boot a malicious software patch image. | |||||
CVE-2018-18509 | 1 Mozilla | 1 Thunderbird | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1. |