CWE-347
AllowedImproper Verification of Cryptographic Signature
Abstraction: Base · Status: Draft
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
1120 vulnerabilities reference this CWE, most recent first.
GHSA-XCWW-QXQ8-PG8C
Vulnerability from github – Published: 2025-07-08 12:31 – Updated: 2025-07-08 12:31A vulnerability has been identified in TIA Administrator (All versions < V3.0.6). The affected application improperly validates code signing certificates. This could allow an attacker to bypass the check and exceute arbitrary code during installations.
{
"affected": [],
"aliases": [
"CVE-2025-23364"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T11:15:26Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in TIA Administrator (All versions \u003c V3.0.6). The affected application improperly validates code signing certificates.\nThis could allow an attacker to bypass the check and exceute arbitrary code during installations.",
"id": "GHSA-xcww-qxq8-pg8c",
"modified": "2025-07-08T12:31:02Z",
"published": "2025-07-08T12:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23364"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-573669.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XGFV-XPX8-QHCR
Vulnerability from github – Published: 2024-10-14 20:54 – Updated: 2024-12-20 17:48A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 22.0.12"
},
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-saml-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "22.0.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 24.0.7"
},
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-saml-core"
},
"ranges": [
{
"events": [
{
"introduced": "23.0.0"
},
{
"fixed": "24.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 25.0.5"
},
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-saml-core"
},
"ranges": [
{
"events": [
{
"introduced": "25.0.0"
},
{
"fixed": "25.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8698"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-14T20:54:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.",
"id": "GHSA-xgfv-xpx8-qhcr",
"modified": "2024-12-20T17:48:35Z",
"published": "2024-10-14T20:54:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-xgfv-xpx8-qhcr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8698"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/releases/tag/25.0.6"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-8698"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8826"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8824"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:8823"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6890"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6889"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6888"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6887"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6886"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6882"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6880"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6879"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:6878"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak"
}
GHSA-XGMM-8J9V-C9WX
Vulnerability from github – Published: 2026-06-15 19:28 – Updated: 2026-06-15 19:28[!NOTE] Exploitation requires a verifier configured with both symmetric and asymmetric algorithms in
algorithms=[…]and a raw-JSON JWK as thekey=argument, both contrary to documented usage, hence the High attack-complexity rating.
Summary
When the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm.
Details
In JWT algorithm confusion attack, the verifier is mistakenly use of public key to be used as the shared secret in symmetric algorithms. In pyjwt case, when the verifier is supporting both HMAC with other asymmetric algorithm and mistakenly using the public key of the issuer to verify the token as demonstrated in the following example:
jws.decode(token, key=rsa_jwk_json, algorithms=["HS256","RS256"]))
An attacker who specifies in the token header to use HMAC, will cause the verifier to accept the JWK as the secret key in HMAC algorithm. The attacker will be able to forge JWT signed with the public key of the issuer to impersonate any user.
If we look on current protections implemented in the library, at class HMACAlgorithm:
def prepare_key(self, key: str | bytes) -> bytes:
key_bytes = force_bytes(key)
if is_pem_format(key_bytes) or is_ssh_key(key_bytes):
raise InvalidKeyError(
"The specified key is an asymmetric key or x509 certificate and"
" should not be used as an HMAC secret."
)
return key_bytes
We can observe that there is a protection against this type of attacks but only when the verifier is using PEM format or SSH key to verify the token. JSON Web Keys, on the other hand will pass the validation.
In The following example:
jws.decode(token, key=rsa_jwk_json, algorithms=["HS256","RS256"]))
There is indeed a wrong implementation of the verifier, but a stronger protection in the library side will prevent and protect against those type of misconfiugrations.
The bypass happens only if the verifier: (a) allows HS* and an asymmetric algorithm in the same call and (b) passes a public-key value as key.
PoC
Please run the code and observe the payload printed in clear text({"sub":"alice","admin":true}')
from jwt.api_jws import PyJWS
import json, base64, hmac, hashlib
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=")
# Public RSA JWK (public by design)
rsa_jwk_json = json.dumps({"kty":"RSA","n":"AQAB","e":"AQAB"})
# Attacker-crafted token: flip to HS256 and choose claims
header = b64u(b'{"alg":"HS256","typ":"JWT"}')
payload = b64u(b'{"sub":"alice","admin":true}')
signing = header + b"." + payload
# Sign with HMAC using the PUBLIC JWK JSON TEXT as the “secret”
sig = hmac.new(rsa_jwk_json.encode(), signing, hashlib.sha256).digest()
token = (signing + b"." + b64u(sig)).decode()
# Vulnerable verifier: mixed families + JWK JSON string as key
jws = PyJWS()
print(jws.decode(token, key=rsa_jwk_json, algorithms=["HS256","RS256"]))
# -> b'{"sub":"alice","admin":true}'
Impact
Unauthenticated token forgery → full identity/role impersonation at the resource server (authorization bypass).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyjwt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48526"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T19:28:06Z",
"nvd_published_at": "2026-05-28T16:16:29Z",
"severity": "HIGH"
},
"details": "\u003e [!NOTE]\n\u003e Exploitation requires a verifier configured with both symmetric and asymmetric algorithms in `algorithms=[\u2026]` and a raw-JSON JWK as the `key=` argument, both contrary to documented usage, hence the High attack-complexity rating.\n\n### Summary\nWhen the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. \n\n### Details\nIn JWT algorithm confusion attack, the verifier is mistakenly use of public key to be used as the shared secret in symmetric algorithms.\nIn pyjwt case, when the verifier is supporting both HMAC with other asymmetric algorithm and mistakenly using the public key of the issuer to verify the token as demonstrated in the following example:\n \n`jws.decode(token, key=rsa_jwk_json, algorithms=[\"HS256\",\"RS256\"])) `\n\nAn attacker who specifies in the token header to use HMAC, will cause the verifier to accept the JWK as the secret key in HMAC algorithm. \nThe attacker will be able to forge JWT signed with the public key of the issuer to impersonate any user. \n\nIf we look on current protections implemented in the library, at class HMACAlgorithm:\n\n```\n def prepare_key(self, key: str | bytes) -\u003e bytes:\n key_bytes = force_bytes(key)\n\n if is_pem_format(key_bytes) or is_ssh_key(key_bytes):\n raise InvalidKeyError(\n \"The specified key is an asymmetric key or x509 certificate and\"\n \" should not be used as an HMAC secret.\"\n )\n\n return key_bytes\n```\nWe can observe that there is a protection against this type of attacks but only when the verifier is using PEM format or SSH key to verify the token. JSON Web Keys, on the other hand will pass the validation.\n\nIn The following example:\n`jws.decode(token, key=rsa_jwk_json, algorithms=[\"HS256\",\"RS256\"])) `\nThere is indeed a wrong implementation of the verifier, but a stronger protection in the library side will prevent and protect against those type of misconfiugrations. \n\nThe bypass happens only if the verifier:\n (a) allows HS* and an asymmetric algorithm in the same call and (b) passes a public-key value as key.\n\n### PoC\nPlease run the code and observe the payload printed in clear text({\"sub\":\"alice\",\"admin\":true}\u0027)\n\n```\nfrom jwt.api_jws import PyJWS\nimport json, base64, hmac, hashlib\n\ndef b64u(b): return base64.urlsafe_b64encode(b).rstrip(b\"=\")\n\n# Public RSA JWK (public by design)\nrsa_jwk_json = json.dumps({\"kty\":\"RSA\",\"n\":\"AQAB\",\"e\":\"AQAB\"})\n\n# Attacker-crafted token: flip to HS256 and choose claims\nheader = b64u(b\u0027{\"alg\":\"HS256\",\"typ\":\"JWT\"}\u0027)\npayload = b64u(b\u0027{\"sub\":\"alice\",\"admin\":true}\u0027)\nsigning = header + b\".\" + payload\n\n# Sign with HMAC using the PUBLIC JWK JSON TEXT as the \u201csecret\u201d\nsig = hmac.new(rsa_jwk_json.encode(), signing, hashlib.sha256).digest()\ntoken = (signing + b\".\" + b64u(sig)).decode()\n\n# Vulnerable verifier: mixed families + JWK JSON string as key\njws = PyJWS()\nprint(jws.decode(token, key=rsa_jwk_json, algorithms=[\"HS256\",\"RS256\"]))\n# -\u003e b\u0027{\"sub\":\"alice\",\"admin\":true}\u0027\n```\n\n\n### Impact\nUnauthenticated token forgery \u2192 full identity/role impersonation at the resource server (authorization bypass).",
"id": "GHSA-xgmm-8j9v-c9wx",
"modified": "2026-06-15T19:28:06Z",
"published": "2026-06-15T19:28:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48526"
},
{
"type": "PACKAGE",
"url": "https://github.com/jpadilla/pyjwt"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-179.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed"
}
GHSA-XH97-72WW-2W58
Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2024-04-09 15:11Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hw42-3568-wj87. This link is maintained to preserve external references.
Summary
The vulnerability impacts only users of the IdTokenVerifier class. The verify method in IdTokenVerifier does not validate the signature before verifying the claims (e.g., iss, aud, etc.). Signature verification makes sure that the token's payload comes from valid provider, not from someone else.
An attacker can provide a compromised token with modified payload like email or phone number. The token will pass the validation by the library. Once verified, modified payload can be used by the application.
If the application sends verified IdToken to other service as is like for auth - the risk is low, because the backend of the service is expected to check the signature and fail the request.
Reporter: Tamjid al Rahat, contributor
Patches
The issue was fixed in the 1.33.3 version of the library
Proof of Concept
To reproduce, one needs to call the verify function with an IdToken instance that contains a malformed signature to successfully bypass the checks inside the verify function.
/** A default http transport factory for testing */
static class DefaultHttpTransportFactory implements HttpTransportFactory {
public HttpTransport create() {
return new NetHttpTransport();
}
}
// The below token has some modified bits in the signature
private static final String SERVICE_ACCOUNT_RS256_TOKEN_BAD_SIGNATURE =
"eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlZjc3YjM4YTFiMDM3MDQ4NzA0MzkxNmFjYmYyN2Q3NG" +
"VkZDA4YjEiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2V4YW1wbGUuY29tL2F1ZGllbm" +
"NlIiwiZXhwIjoxNTg3NjMwNTQzLCJpYXQiOjE1ODc2MjY5NDMsImlzcyI6InNvbWUgaXNzdWVy" +
"Iiwic3ViIjoic29tZSBzdWJqZWN0In0.gGOQW0qQgs4jGUmCsgRV83RqsJLaEy89-ZOG6p1u0Y26" +
"FyY06b6Odgd7xXLsSTiiSnch62dl0Lfi9D0x2ByxvsGOCbovmBl2ZZ0zHr1wpc4N0XS9lMUq5RJ" +
"QbonDibxXG4nC2zroDfvD0h7i-L8KMXeJb9pYwW7LkmrM_YwYfJnWnZ4bpcsDjojmPeUBlACg7tjjOgBFby" +
"QZvUtaERJwSRlaWibvNjof7eCVfZChE0PwBpZc_cGqSqKXv544L4ttqdCnm0NjqrTATXwC4gYx" +
"ruevkjHfYI5ojcQmXoWDJJ0-_jzfyPE4MFFdCFgzLgnfIOwe5ve0MtquKuv2O0pgvg";
IdTokenVerifier tokenVerifier =
new IdTokenVerifier.Builder()
.setClock(clock)
.setCertificatesLocation("https://www.googleapis.com/robot/v1/metadata/x509/integration-tests%40chingor-test.iam.gserviceaccount.com")
.setHttpTransportFactory(new DefaultHttpTransportFactory())
.build();
// verification will return true despite modified signature for versions <1.33.3
tokenVerifier.verify(IdToken.parse(GsonFactory.getDefaultInstance(), SERVICE_ACCOUNT_RS256_TOKEN_BAD_SIGNATURE));
Remediation and Mitigation
Update to the version 1.33.3 or higher
If the library used indirectly or cannot be updated for any reason you can use similar IdToken verifiers provided by Google that already has signature verification. For example: google-auth-library-java google-api-java-client
Timeline
Date reported: 12 Dec 2021 Date fixed: 13 Apr 2022 Date disclosed: 2 May 2022
For more information
If you have any questions or comments about this advisory: * Open an issue in the google-oauth-java-client repo
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.google.oauth-client:google-oauth-client"
},
"ranges": [
{
"events": [
{
"introduced": "1.16.0-rc"
},
{
"fixed": "1.33.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-09T23:51:47Z",
"nvd_published_at": "2022-05-03T16:15:00Z",
"severity": "HIGH"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hw42-3568-wj87. This link is maintained to preserve external references.\n\n### Summary\nThe vulnerability impacts only users of the IdTokenVerifier class. The verify method in IdTokenVerifier does not validate the signature before verifying the claims (e.g., iss, aud, etc.). Signature verification makes sure that the token\u0027s payload comes from valid provider, not from someone else.\n\nAn attacker can provide a compromised token with modified payload like email or phone number. The token will pass the validation by the library. Once verified, modified payload can be used by the application. \n\nIf the application sends verified IdToken to other service as is like for auth - the risk is low, because the backend of the service is expected to check the signature and fail the request. \n\nReporter: [Tamjid al Rahat](https://github.com/tamjidrahat), contributor\n\n### Patches\nThe issue was fixed in the 1.33.3 version of the library\n\n### Proof of Concept\nTo reproduce, one needs to call the verify function with an IdToken instance that contains a malformed signature to successfully bypass the checks inside the verify function.\n\n```\n /** A default http transport factory for testing */\n static class DefaultHttpTransportFactory implements HttpTransportFactory {\n public HttpTransport create() {\n return new NetHttpTransport();\n }\n }\n\n// The below token has some modified bits in the signature\n private static final String SERVICE_ACCOUNT_RS256_TOKEN_BAD_SIGNATURE = \n\"eyJhbGciOiJSUzI1NiIsImtpZCI6IjJlZjc3YjM4YTFiMDM3MDQ4NzA0MzkxNmFjYmYyN2Q3NG\" +\n\"VkZDA4YjEiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2V4YW1wbGUuY29tL2F1ZGllbm\" +\n\"NlIiwiZXhwIjoxNTg3NjMwNTQzLCJpYXQiOjE1ODc2MjY5NDMsImlzcyI6InNvbWUgaXNzdWVy\" +\n\"Iiwic3ViIjoic29tZSBzdWJqZWN0In0.gGOQW0qQgs4jGUmCsgRV83RqsJLaEy89-ZOG6p1u0Y26\" +\n\"FyY06b6Odgd7xXLsSTiiSnch62dl0Lfi9D0x2ByxvsGOCbovmBl2ZZ0zHr1wpc4N0XS9lMUq5RJ\" + \n\"QbonDibxXG4nC2zroDfvD0h7i-L8KMXeJb9pYwW7LkmrM_YwYfJnWnZ4bpcsDjojmPeUBlACg7tjjOgBFby\" +\n\"QZvUtaERJwSRlaWibvNjof7eCVfZChE0PwBpZc_cGqSqKXv544L4ttqdCnm0NjqrTATXwC4gYx\" + \n\"ruevkjHfYI5ojcQmXoWDJJ0-_jzfyPE4MFFdCFgzLgnfIOwe5ve0MtquKuv2O0pgvg\";\n\nIdTokenVerifier tokenVerifier =\n new IdTokenVerifier.Builder()\n .setClock(clock)\n .setCertificatesLocation(\"https://www.googleapis.com/robot/v1/metadata/x509/integration-tests%40chingor-test.iam.gserviceaccount.com\")\n .setHttpTransportFactory(new DefaultHttpTransportFactory())\n .build();\n\n// verification will return true despite modified signature for versions \u003c1.33.3\ntokenVerifier.verify(IdToken.parse(GsonFactory.getDefaultInstance(), SERVICE_ACCOUNT_RS256_TOKEN_BAD_SIGNATURE));\n\n```\n\n### Remediation and Mitigation\nUpdate to the version 1.33.3 or higher \n\nIf the library used indirectly or cannot be updated for any reason you can use similar IdToken verifiers provided by Google that already has signature verification. For example: \n[google-auth-library-java](https://github.com/googleapis/google-auth-library-java/blob/main/oauth2_http/java/com/google/auth/oauth2/TokenVerifier.java)\n[google-api-java-client](https://github.com/googleapis/google-api-java-client/blob/main/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleIdTokenVerifier.java)\n\n###Timeline\nDate reported: 12 Dec 2021\nDate fixed: 13 Apr 2022\nDate disclosed: 2 May 2022\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [google-oauth-java-client](https://github.com/googleapis/google-oauth-java-client) repo",
"id": "GHSA-xh97-72ww-2w58",
"modified": "2024-04-09T15:11:14Z",
"published": "2022-05-04T00:00:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/googleapis/google-oauth-java-client/security/advisories/GHSA-hw42-3568-wj87"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22573"
},
{
"type": "WEB",
"url": "https://github.com/googleapis/google-oauth-java-client/pull/872"
},
{
"type": "PACKAGE",
"url": "https://github.com/googleapis/google-oauth-java-client"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Improper Verification of Cryptographic Signature in google-oauth-java-client",
"withdrawn": "2024-04-09T15:11:14Z"
}
GHSA-XHG5-42RF-296R
Vulnerability from github – Published: 2023-06-06 16:45 – Updated: 2023-06-16 17:53Impact
An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.
Patches
The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above.
Workarounds
User should use secure and trusted container registries.
Credits
The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during an security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT), Pritesh Bandi (@priteshbandi) for root cause analysis.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/notaryproject/notation-go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-rc.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-33959"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-06T16:45:29Z",
"nvd_published_at": "2023-06-06T19:15:12Z",
"severity": "HIGH"
},
"details": "### Impact\nAn attacker who controls or compromises a registry can lead a user to verify the wrong artifact.\n\n### Patches\nThe problem has been fixed in the release [v1.0.0-rc.6](https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6). Users should upgrade their notation-go library to [v1.0.0-rc.6](https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6) or above.\n\n### Workarounds\nUser should use secure and trusted container registries.\n\n### Credits\nThe `notation` project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during an security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT), Pritesh Bandi (@priteshbandi) for root cause analysis.\n",
"id": "GHSA-xhg5-42rf-296r",
"modified": "2023-06-16T17:53:30Z",
"published": "2023-06-06T16:45:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33959"
},
{
"type": "WEB",
"url": "https://github.com/notaryproject/notation-go/commit/39c8ed050a65cca3f3f308534acb612096735a64"
},
{
"type": "WEB",
"url": "https://github.com/notaryproject/notation-go/commit/eba60f5aed9c9e05dee55324423c95fe34700b4c"
},
{
"type": "PACKAGE",
"url": "https://github.com/notaryproject/notation-go"
},
{
"type": "WEB",
"url": "https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "notation-go\u0027s verification bypass can cause users to verify the wrong artifact"
}
GHSA-XHHH-442H-J6WM
Vulnerability from github – Published: 2025-10-30 00:31 – Updated: 2025-10-30 00:31Cryptographic validation of upgrade images could be circumventing by dropping a specifically crafted file into the upgrade ISO
{
"affected": [],
"aliases": [
"CVE-2025-54549"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-29T23:16:19Z",
"severity": "MODERATE"
},
"details": "Cryptographic validation of upgrade images could be circumventing by dropping a specifically crafted file into the upgrade ISO",
"id": "GHSA-xhhh-442h-j6wm",
"modified": "2025-10-30T00:31:02Z",
"published": "2025-10-30T00:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54549"
},
{
"type": "WEB",
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/22538-security-advisory-0124"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHW6-HJC9-679M
Vulnerability from github – Published: 2022-01-08 00:36 – Updated: 2023-09-26 17:27If an OpenID Connect provider supports the “none” algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the “idtoken” response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.pac4j:pac4j-oidc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.pac4j:pac4j-oidc"
},
"ranges": [
{
"events": [
{
"introduced": "5.0"
},
{
"fixed": "5.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-44878"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-07T22:41:34Z",
"nvd_published_at": "2022-01-06T13:15:00Z",
"severity": "HIGH"
},
"details": "If an OpenID Connect provider supports the \u201cnone\u201d algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the \u201cidtoken\u201d response type which is not secure and violates the OpenID Core Specification. The \"none\" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using \"none\" as the value of \"alg\" key in the header with an empty signature value.",
"id": "GHSA-xhw6-hjc9-679m",
"modified": "2023-09-26T17:27:45Z",
"published": "2022-01-08T00:36:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44878"
},
{
"type": "WEB",
"url": "https://github.com/pac4j/pac4j/commit/09684e0de1c4753d22c53b8135d4ef61cfda76f7"
},
{
"type": "WEB",
"url": "https://github.com/pac4j/pac4j/commit/22b82ffd702a132d9f09da60362fc6264fc281ae"
},
{
"type": "WEB",
"url": "https://github.com/pac4j/pac4j/commit/9c87bbc536ed5d05f940ae015403120df2935589"
},
{
"type": "PACKAGE",
"url": "https://github.com/pac4j/pac4j"
},
{
"type": "WEB",
"url": "https://openid.net/specs/openid-connect-core-1_0.html#IDToken"
},
{
"type": "WEB",
"url": "https://www.pac4j.org/4.5.x/docs/release-notes.html"
},
{
"type": "WEB",
"url": "https://www.pac4j.org/blog/cve_2021_44878_is_this_serious.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Pac4j token validation bypass if OpenID Connect provider supports none algorithm"
}
GHSA-XJMF-XR2J-GFX7
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable vulnerability exists in the verified boot protection of the Das U-Boot from version 2013.07-rc1 to 2014.07-rc2. The affected versions lack proper FIT signature enforcement, which allows an attacker to bypass U-Boot's verified boot and execute an unsigned kernel, embedded in a legacy image format. To trigger this vulnerability, a local attacker needs to be able to supply the image to boot.
{
"affected": [],
"aliases": [
"CVE-2018-3968"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T17:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable vulnerability exists in the verified boot protection of the Das U-Boot from version 2013.07-rc1 to 2014.07-rc2. The affected versions lack proper FIT signature enforcement, which allows an attacker to bypass U-Boot\u0027s verified boot and execute an unsigned kernel, embedded in a legacy image format. To trigger this vulnerability, a local attacker needs to be able to supply the image to boot.",
"id": "GHSA-xjmf-xr2j-gfx7",
"modified": "2022-05-13T01:01:50Z",
"published": "2022-05-13T01:01:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3968"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0633"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJR9-GG9Q-JX3V
Vulnerability from github – Published: 2026-06-19 20:47 – Updated: 2026-06-19 20:47Impact
Full impersonation of any principal the trusted STS could have issued an assertion for — including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0.
Preconditions
Relying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that triggers FederatedSecurityTokenManager for issued-token validation), and IdentityConfiguration is wired (UseIdentityConfiguration = true). Attacker can reach the service over the network and knows the trusted STS’s public certificate (public certs are by design discoverable).
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
None
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "CoreWCF.Primitives"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "CoreWCF.Primitives"
},
"ranges": [
{
"events": [
{
"introduced": "1.9.0"
},
{
"fixed": "1.9.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54782"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T20:47:11Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\nFull impersonation of any principal the trusted STS could have issued an assertion for \u2014 including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0.\n\n#### Preconditions\nRelying-party service is hosted with WSFederationHttpBinding or WS2007FederationHttpBinding (or any binding that triggers FederatedSecurityTokenManager for issued-token validation), and IdentityConfiguration is wired (UseIdentityConfiguration = true).\nAttacker can reach the service over the network and knows the trusted STS\u2019s public certificate (public certs are by design discoverable).\n\n### Patches\nFixed in CoreWCF v1.8.1 and v1.9.1\n\n### Workarounds\nNone",
"id": "GHSA-xjr9-gg9q-jx3v",
"modified": "2026-06-19T20:47:11Z",
"published": "2026-06-19T20:47:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/CoreWCF/CoreWCF/security/advisories/GHSA-xjr9-gg9q-jx3v"
},
{
"type": "PACKAGE",
"url": "https://github.com/CoreWCF/CoreWCF"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation"
}
GHSA-XMVF-WM3Q-GH2F
Vulnerability from github – Published: 2024-06-17 09:31 – Updated: 2024-07-03 18:45Improper verification of cryptographic signature issue exists in "FreeFrom - the nostr client" App versions prior to 1.3.5 for Android and iOS. The affected app cannot detect event data with invalid signatures.
{
"affected": [],
"aliases": [
"CVE-2024-36277"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-17T08:15:48Z",
"severity": "CRITICAL"
},
"details": "Improper verification of cryptographic signature issue exists in \"FreeFrom - the nostr client\" App versions prior to 1.3.5 for Android and iOS. The affected app cannot detect event data with invalid signatures.",
"id": "GHSA-xmvf-wm3q-gh2f",
"modified": "2024-07-03T18:45:35Z",
"published": "2024-06-17T09:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36277"
},
{
"type": "WEB",
"url": "https://apps.apple.com/us/app/freefrom-the-nostr-client/id6446819930"
},
{
"type": "WEB",
"url": "https://freefrom.space"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN55045256"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=com.freefrom"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.