Vulnerabilities (CVE)

Filtered by CWE-347
Total 393 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-33959 1 Notaryproject 1 Notation-go 2024-04-01 N/A 8.8 HIGH
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.
CVE-2023-46234 2 Browserify, Debian 2 Browserify-sign, Debian Linux 2024-02-28 N/A 7.5 HIGH
browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.
CVE-2023-42811 2 Aes-gcm Project, Fedoraproject 2 Aes-gcm, Fedora 2024-02-16 N/A 5.5 MEDIUM
aes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the `aes-gcm` crate's `decrypt_in_place*` APIs accesses the buffer after decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program this may enable Chosen Ciphertext Attacks (CCAs) which can cause a catastrophic breakage of the cipher including full plaintext recovery. Version 0.10.3 contains a fix for this issue.
CVE-2024-1149 4 Apple, Linux, Microsoft and 1 more 4 Macos, Linux Kernel, Windows and 1 more 2024-02-15 N/A 5.5 MEDIUM
Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on MacOS, Snow Software Inventory Agent on Windows, Snow Software Inventory Agent on Linux allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 6.12.0; Inventory Agent: through 6.14.5; Inventory Agent: through 6.7.2.
CVE-2024-1150 2 Opengroup, Snowsoftware 2 Unix, Snow Inventory Agent 2024-02-15 N/A 5.5 MEDIUM
Improper Verification of Cryptographic Signature vulnerability in Snow Software Inventory Agent on Unix allows File Manipulation through Snow Update Packages.This issue affects Inventory Agent: through 7.3.1.
CVE-2018-0501 2 Canonical, Debian 2 Ubuntu Linux, Advanced Package Tool 2024-02-14 4.3 MEDIUM 5.9 MEDIUM
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
CVE-2023-44077 2 Apple, Studionetworksolutions 2 Macos, Sharebrowser 2024-02-08 N/A 9.8 CRITICAL
Studio Network Solutions ShareBrowser before 7.0 on macOS mishandles signature verification, aka PMP-2636.
CVE-2023-20567 2 Amd, Intel 123 Radeon Pro Vega 56, Radeon Pro Vega 56 Firmware, Radeon Pro Vega 64 and 120 more 2024-02-05 N/A 6.7 MEDIUM
Improper signature verification of RadeonTM RX Vega M Graphics driver for Windows may allow an attacker with admin privileges to launch AMDSoftwareInstaller.exe without validating the file signature potentially leading to arbitrary code execution.
CVE-2023-23436 1 Hihonor 1 Magic Os 2024-02-05 N/A 7.1 HIGH
Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file
CVE-2023-23433 1 Hihonor 2 Nth-an00, Nth-an00 Firmware 2024-02-05 N/A 7.1 HIGH
Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file.
CVE-2023-5347 1 Korenix 84 Jetnet 4508, Jetnet 4508-w, Jetnet 4508-w Firmware and 81 more 2024-02-05 N/A 9.1 CRITICAL
An Improper Verification of Cryptographic Signature vulnerability in the update process of Korenix JetNet Series allows replacing the whole operating system including Trusted Executables. This issue affects JetNet devices older than firmware version 2024/01.
CVE-2023-23431 1 Hihonor 2 Nth-an00, Nth-an00 Firmware 2024-02-05 N/A 7.1 HIGH
Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file.
CVE-2023-23432 1 Hihonor 2 Nth-an00, Nth-an00 Firmware 2024-02-05 N/A 7.1 HIGH
Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file.
CVE-2023-41337 1 Dena 1 H2o 2024-02-05 N/A 6.7 MEDIUM
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening. Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server. An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities. A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using using host-level listen directives in favor of global-level ones.
CVE-2016-20021 1 Gentoo 1 Portage 2024-02-05 N/A 9.8 CRITICAL
In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.
CVE-2024-21669 1 Hyperledger 1 Aries Cloud Agent 2024-02-05 N/A 8.8 HIGH
Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentation `document.proof` was not factored into the final `verified` value (`true`/`false`) on the presentation record. The flaw enables holders of W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDPs) to present incorrectly constructed proofs, and allows malicious verifiers to save and replay a presentation from such holders as their own. This vulnerability has been present since version 0.7.0 and fixed in version 0.10.5.
CVE-2023-23435 1 Hihonor 1 Magic Os 2024-02-05 N/A 7.1 HIGH
Some Honor products are affected by signature management vulnerability, successful exploitation could cause the forged system file overwrite the correct system file
CVE-2023-20568 2 Amd, Intel 123 Radeon Pro Vega 56, Radeon Pro Vega 56 Firmware, Radeon Pro Vega 64 and 120 more 2024-02-05 N/A 6.7 MEDIUM
Improper signature verification of RadeonTM RX Vega M Graphics driver for Windows may allow an attacker with admin privileges to launch RadeonInstaller.exe without validating the file signature potentially leading to arbitrary code execution.
CVE-2023-49079 1 Misskey 1 Misskey 2024-02-05 N/A 7.5 HIGH
Misskey is an open source, decentralized social media platform. Misskey's missing signature validation allows arbitrary users to impersonate any remote user. This issue has been patched in version 2023.11.1-beta.1.
CVE-2023-39393 1 Huawei 2 Emui, Harmonyos 2024-02-05 N/A 7.5 HIGH
Vulnerability of insecure signatures in the ServiceWifiResources module. Successful exploitation of this vulnerability may cause ServiceWifiResources to be maliciously modified and overwritten.