Common Weakness Enumeration

CWE-347

Allowed

Improper Verification of Cryptographic Signature

Abstraction: Base · Status: Draft

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

1127 vulnerabilities reference this CWE, most recent first.

GHSA-99G5-79VP-5JV9

Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22
VLAI
Details

HP LaserJet Enterprise printers, HP PageWide Enterprise printers, HP LaserJet Managed printers, HP Officejet Enterprise printers have an insufficient solution bundle signature validation that potentially allows execution of arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-11T15:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "HP LaserJet Enterprise printers, HP PageWide Enterprise printers, HP LaserJet Managed printers, HP Officejet Enterprise printers have an insufficient solution bundle signature validation that potentially allows execution of arbitrary code.",
  "id": "GHSA-99g5-79vp-5jv9",
  "modified": "2022-05-13T01:22:45Z",
  "published": "2022-05-13T01:22:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6318"
    },
    {
      "type": "WEB",
      "url": "https://support.hp.com/us-en/document/c06265454"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FMW-XP57-PHR3

Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-05 12:00
VLAI
Details

A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-04T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "A CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that allows adversaries with local user privileges to load a malicious DLL which could lead to execution of malicious code. Affected Products: EcoStruxure Operator Terminal Expert(V3.3 Hotfix 1 or prior), Pro-face BLUE(V3.3 Hotfix1 or prior).",
  "id": "GHSA-9fmw-xp57-phr3",
  "modified": "2022-11-05T12:00:20Z",
  "published": "2022-11-04T12:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41666"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2022-284-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9G9Q-P8C3-CHFQ

Vulnerability from github – Published: 2025-11-04 03:30 – Updated: 2025-12-17 21:30
VLAI
Details

A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.2. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-04T02:15:45Z",
    "severity": "MODERATE"
  },
  "details": "A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.7.2. An app may be able to access user-sensitive data.",
  "id": "GHSA-9g9q-p8c3-chfq",
  "modified": "2025-12-17T21:30:33Z",
  "published": "2025-11-04T03:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43390"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125634"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/125635"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GFF-JCRQ-H3HW

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-12-06 21:30
VLAI
Details

In OASIS Digital Signature Services (DSS) 1.0, an attacker can control the validation outcome (i.e., trigger either a valid or invalid outcome for a valid or invalid signature) via a crafted XML signature, when the InlineXML option is used. This defeats the expectation of non-repudiation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-24T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In OASIS Digital Signature Services (DSS) 1.0, an attacker can control the validation outcome (i.e., trigger either a valid or invalid outcome for a valid or invalid signature) via a crafted XML signature, when the InlineXML option is used. This defeats the expectation of non-repudiation.",
  "id": "GHSA-9gff-jcrq-h3hw",
  "modified": "2022-12-06T21:30:45Z",
  "published": "2022-05-24T17:26:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13101"
    },
    {
      "type": "WEB",
      "url": "https://www.oasis-open.org/apps/org/workgroup/dss-x"
    },
    {
      "type": "WEB",
      "url": "https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss-x"
    },
    {
      "type": "WEB",
      "url": "https://www.oasis-open.org/standards#dssv1.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GXV-X7RP-R2HC

Vulnerability from github – Published: 2024-05-15 21:47 – Updated: 2026-07-16 18:46
VLAI
Summary
gree/jose - "None" Algorithm treated as valid in tokens
Details

Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "gree/jose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-327",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T21:47:39Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512).",
  "id": "GHSA-9gxv-x7rp-r2hc",
  "modified": "2026-07-16T18:46:45Z",
  "published": "2024-05-15T21:47:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries"
    },
    {
      "type": "WEB",
      "url": "https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/gree/jose/2016-08-30.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nov/jose-php"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nov/jose-php/compare/2.2.0...2.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "gree/jose - \"None\" Algorithm treated as valid in tokens"
}

GHSA-9H7X-WV5P-55Q4

Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31
VLAI
Details

Application Protections Bypass vulnerability in Microsoft Windows in McAfee Data Loss Prevention (DLP) Endpoint before 10.0.500 and DLP Endpoint before 11.0.400 allows authenticated users to bypass the product block action via a command-line utility.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-25T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "Application Protections Bypass vulnerability in Microsoft Windows in McAfee Data Loss Prevention (DLP) Endpoint before 10.0.500 and DLP Endpoint before 11.0.400 allows authenticated users to bypass the product block action via a command-line utility.",
  "id": "GHSA-9h7x-wv5p-55q4",
  "modified": "2022-05-13T01:31:58Z",
  "published": "2022-05-13T01:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6664"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10233"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10237"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104299"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040895"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9HRW-RG2R-V3PR

Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-05-13 01:48
VLAI
Details

An issue was discovered on Diqee Diqee360 devices. A firmware update process, integrated into the firmware, starts at boot and tries to find the update folder on the microSD card. It executes code, without a digital signature, as root from the /mnt/sdcard/$PRO_NAME/upgrade.sh or /sdcard/upgrage_360/upgrade.sh pathname.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-05T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on Diqee Diqee360 devices. A firmware update process, integrated into the firmware, starts at boot and tries to find the update folder on the microSD card. It executes code, without a digital signature, as root from the /mnt/sdcard/$PRO_NAME/upgrade.sh or /sdcard/upgrage_360/upgrade.sh pathname.",
  "id": "GHSA-9hrw-rg2r-v3pr",
  "modified": "2022-05-13T01:48:59Z",
  "published": "2022-05-13T01:48:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10988"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/neolead/a1fadac07373835507705a7d61e638ae#file-cve-2018-10988-txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9J74-VWR9-QF7F

Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-06 00:00
VLAI
Details

The tested version of Dominion Voting Systems ImageCast X does not validate application signatures to a trusted root certificate. Use of a trusted root certificate ensures software installed on a device is traceable to, or verifiable against, a cryptographic key provided by the manufacturer to detect tampering. An attacker could leverage this vulnerability to install malicious code, which could also be spread to other vulnerable ImageCast X devices via removable media.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1739"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "The tested version of Dominion Voting Systems ImageCast X does not validate application signatures to a trusted root certificate. Use of a trusted root certificate ensures software installed on a device is traceable to, or verifiable against, a cryptographic key provided by the manufacturer to detect tampering. An attacker could leverage this vulnerability to install malicious code, which could also be spread to other vulnerable ImageCast X devices via removable media.",
  "id": "GHSA-9j74-vwr9-qf7f",
  "modified": "2022-07-06T00:00:29Z",
  "published": "2022-06-25T00:00:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1739"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9MCV-R5RJ-7F62

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

An issue was discovered in Hitachi ID Bravura Security Fabric 11.0.0 through 11.1.3, 12.0.0 through 12.0.2, and 12.1.0. When using federated identity management (authenticating via SAML through a third-party identity provider), an attacker can inject additional data into a signed SAML response being transmitted to the service provider (ID Bravura Security Fabric). The application successfully validates the signed values but uses the unsigned malicious values. An attacker with lower-privilege access to the application can inject the username of a high-privilege user to impersonate that user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Hitachi ID Bravura Security Fabric 11.0.0 through 11.1.3, 12.0.0 through 12.0.2, and 12.1.0. When using federated identity management (authenticating via SAML through a third-party identity provider), an attacker can inject additional data into a signed SAML response being transmitted to the service provider (ID Bravura Security Fabric). The application successfully validates the signed values but uses the unsigned malicious values. An attacker with lower-privilege access to the application can inject the username of a high-privilege user to impersonate that user.",
  "id": "GHSA-9mcv-r5rj-7f62",
  "modified": "2022-05-24T19:04:33Z",
  "published": "2022-05-24T19:04:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3196"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi-id.com/cve-2021-3196-attackers-can-impersonate-another-user"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi.com/hirt/hitachi-sec/2021/601.html"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi.com/hirt/security/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9MV3-2CWR-P262

Vulnerability from github – Published: 2026-04-23 14:55 – Updated: 2026-04-24 19:59
VLAI
Summary
Microsoft Security Advisory CVE-2026-40372 – ASP.NET Core Elevation of Privilege
Details

Executive Summary:

A bug in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages can give an attacker the opportunity to execute an Elevation of Privilege attack by forging authentication cookies, and also allows some protected payloads to be decrypted.

If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.

This is comparable in capability to MS10-070, which exploited a similar padding-oracle condition in ASP.NET's legacy encryption infrastructure.

Announcement

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/395

CVSS Details

  • Version: 3.1
  • Severity: Important
  • Score: 9.1
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Weakness: CWE-347: Improper Verification of Cryptographic Signature

Affected Platforms

  • Platforms: All
  • Architectures: All

Affected Packages

The vulnerability affects some Microsoft .NET projects if they use any of affected package versions listed below

ASP.NET Core 10

Package name Affected version Patched version
Microsoft.AspNetCore.DataProtection >=10.0.0, <=10.0.6 10.0.7

Advisory FAQ

How do I know if I am affected?

Primary affected configuration (10.0.6 on net10.0)

You are affected if ALL of the following are true:

  • Your application referenced Microsoft.AspNetCore.DataProtection version 10.0.6 from NuGet (directly or transitively via, e.g., Microsoft.AspNetCore.DataProtection.StackExchangeRedis, .EntityFrameworkCore, .AzureKeyVault, .AzureStorage, .Redis), AND The affected 10.0.6 NuGet binary was actually loaded at runtime. This happens when either the application does NOT target the Microsoft.NET.Sdk.Web NOR has a Microsoft.AspNetCore.App framework reference either directly or transitively UNLESS you opt out of PrunePackageReference which is enabled by default in .NET 10.
  • The application ran on Linux, macOS, or any non-Windows operating system.

Secondary affected configuration (10.0.x on net462 / netstandard2.0)

You are also affected if:

  • Your application or library referenced Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 from NuGet, AND
  • The build consumed the net462 or netstandard2.0 target framework asset of that package. This occurs when your application does not target net10.0 and consumes the package (e.g. net8.0, net9.0, net481 for mono, etc.). This combination is unusual because 10.0 NuGet packages are generally intended for use with .NET 10.

This secondary population is much smaller and is expected to primarily consist of: - Desktop or server applications on .NET Framework that happen to use the ASP.NET Core DataProtection NuGet package. - Libraries that target netstandard2.0 and reference the 10.0 DataProtection package.

These configurations use the same managed authenticated encryptor code path on all operating systems (the CNG path is only available on the net10.0 asset), so the Windows exception below does not apply to them.

Not affected

  • Your application runs on Windows
  • Your application runs framework-dependent on net10.0 and your installed ASP.NET Core shared framework version is your PackageReference version of Microsoft.AspNetCore.DataProtection. In this case the (correct) shared framework copy is loaded and the NuGet copy is not used. For example, shared framework 10.0.6 + PackageReference 10.0.6 is safe; shared framework 10.0.5 + PackageReference 10.0.6 is not.
  • Your application uses Microsoft.AspNetCore.DataProtection 8.0.x or 9.0.x from NuGet, on any target framework, any operating system, any shared framework version. The defective code path was introduced during 10.0 development and was never backported to the 8.0 or 9.0 servicing branches.
  • Your application never referenced any affected version of the package.

How do I fix the issue?

  1. Upgrade Microsoft.AspNetCore.DataProtection to 10.0.7 or later and redeploy. This fixes the validation routine. Any forged payloads produced during the vulnerable window (which necessarily carried all-zero HMAC bytes) will be rejected by the corrected code.

  2. Rotate the DataProtection key ring if your application was affected and served internet-exposed endpoints during the vulnerable window. This invalidates any legitimately-signed tokens the application may have issued to attackers during that period.

Example using the built-in key manager:

```csharp // Run once, from an application with access to the same key ring. // Replace the cutoff with a timestamp just before you deployed 10.0.6. var services = new ServiceCollection() .AddDataProtection() // ... your existing repository / protection configuration ... .Services .BuildServiceProvider();

var keyManager = services.GetRequiredService(); keyManager.RevokeAllKeys( revocationDate: DateTimeOffset.UtcNow, // revoke all keys currently in the ring reason: "CVE-TBD: DataProtection 10.0.6 validation bypass"); ```

RevokeAllKeys marks every existing key as revoked; a new key is auto-generated on the next protect operation. All users will need to sign in again, all antiforgery tokens will be reissued, etc.

If you can be more surgical — for instance, you know no key older than T was used by an affected process — use RevokeKey(Guid keyId, string reason) instead to revoke only the keys that were active during the vulnerable window.

  1. Audit application-level long-lived artifacts that were created during the vulnerable window and carry identity or capability. These survive key rotation and must be rotated at the application layer:
  2. API keys, refresh tokens, or access tokens stored in your database and issued via a protected endpoint.
  3. Password reset links or email-confirmation tokens that were emitted during the window and have not yet expired.
  4. Any other persistent capability that an authenticated request could have caused your application to issue.

If your application does not issue such long-lived artifacts via authenticated endpoints, key rotation alone is sufficient.

Recommended

  1. Audit plaintext stored inside protected payloads. If your application stores long-lived secrets (database connection strings, third-party API keys, etc.) inside IDataProtector.Protect output, treat those secrets as potentially disclosed and rotate them at their respective sources.

  2. Review web server logs for anomalous request volume against endpoints that accept protected payloads (auth cookies, antiforgery tokens, state parameters). The padding-oracle attack requires many requests per byte recovered — orders of magnitude more than normal traffic for that endpoint. Sustained high-volume traffic with varying cookie/query-parameter values against a single authenticated endpoint during the vulnerable window is a strong indicator.

Other Information

Reporting Security Issues

If you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the MSRC Researcher Portal. Further information can be found in the MSRC Report an Issue FAQ.

Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main ASP.NET Core repo is located at https://github.com/dotnet/aspnetcore. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

External Links

CVE-2026-40372

Revisions

V1.0 (April 21, 2026): Advisory published.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.6"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Microsoft.AspNetCore.DataProtection"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-23T14:55:41Z",
    "nvd_published_at": "2026-04-21T20:16:59Z",
    "severity": "CRITICAL"
  },
  "details": "## Executive Summary: \n\nA bug in `Microsoft.AspNetCore.DataProtection` 10.0.0-10.0.6 NuGet packages can give an attacker the opportunity to execute an Elevation of Privilege attack by forging authentication cookies, and also allows some protected payloads to be decrypted.\n\nIf an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue **legitimately-signed** tokens (session refresh, API key, password reset link, etc.) to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.\n\nThis is comparable in capability to [MS10-070](https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070), which exploited a similar padding-oracle condition in ASP.NET\u0027s legacy encryption infrastructure.\n\n## Announcement\n\nAnnouncement for this issue can be found at https://github.com/dotnet/announcements/issues/395\n\n## CVSS Details\n\n- **Version:** 3.1\n- **Severity:** Important\n- **Score:** 9.1\n- **Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\n- **Weakness:** CWE-347: Improper Verification of Cryptographic Signature\n\n## Affected Platforms\n\n- **Platforms:** All\n- **Architectures:** All\n\n## \u003ca name=\"affected-packages\"\u003e\u003c/a\u003eAffected Packages\nThe vulnerability affects some Microsoft .NET projects if they use any of affected package versions listed below\n\n### \u003ca name=\"ASP.NET Core 10\"\u003e\u003c/a\u003eASP.NET Core 10\nPackage name | Affected version | Patched version\n------------ | ---------------- | -------------------------\n[Microsoft.AspNetCore.DataProtection](https://www.nuget.org/packages/Microsoft.AspNetCore.DataProtection)               | \u003e=10.0.0, \u003c=10.0.6 | 10.0.7\n\n## Advisory FAQ\n\n### \u003ca name=\"how-affected\"\u003e\u003c/a\u003eHow do I know if I am affected?\n \n#### Primary affected configuration (10.0.6 on `net10.0`)\n \nYou are **affected** if ALL of the following are true:\n \n- Your application referenced `Microsoft.AspNetCore.DataProtection` version 10.0.6 from NuGet (directly or transitively via, e.g., `Microsoft.AspNetCore.DataProtection.StackExchangeRedis`, `.EntityFrameworkCore`, `.AzureKeyVault`, `.AzureStorage`, `.Redis`), AND\nThe affected 10.0.6 NuGet binary was actually loaded at runtime. This happens when either the application does NOT target the Microsoft.NET.Sdk.Web NOR has a Microsoft.AspNetCore.App framework reference either directly or transitively UNLESS you opt out of PrunePackageReference which is enabled by default in .NET 10. \n- The application ran on Linux, macOS, or any non-Windows operating system.\n \n#### Secondary affected configuration (10.0.x on `net462` / `netstandard2.0`)\n\nYou are also affected if:\n \n- Your application or library referenced `Microsoft.AspNetCore.DataProtection` versions 10.0.0 through 10.0.6 from NuGet, AND\n- The build consumed the `net462` or `netstandard2.0` target framework asset of that package. This occurs when your application does not target `net10.0` and consumes the package (e.g. `net8.0`, `net9.0`, `net481` for mono, etc.). This combination is unusual because 10.0 NuGet packages are generally intended for use with .NET 10.\n \nThis secondary population is much smaller and is expected to primarily consist of:\n- Desktop or server applications on .NET Framework that happen to use the ASP.NET Core DataProtection NuGet package.\n- Libraries that target `netstandard2.0` and reference the 10.0 DataProtection package.\n \nThese configurations use the same managed authenticated encryptor code path on all operating systems (the CNG path is only available on the `net10.0` asset), so the Windows exception below does not apply to them.\n \n#### Not affected\n \n- Your application runs on **Windows** \n- Your application runs **framework-dependent** on `net10.0` and your installed ASP.NET Core shared framework version is **\u2265** your PackageReference version of `Microsoft.AspNetCore.DataProtection`. In this case the (correct) shared framework copy is loaded and the NuGet copy is not used. For example, shared framework 10.0.6 + PackageReference 10.0.6 is safe; shared framework 10.0.5 + PackageReference 10.0.6 is not.\n- Your application uses `Microsoft.AspNetCore.DataProtection` **8.0.x or 9.0.x** from NuGet, on any target framework, any operating system, any shared framework version. The defective code path was introduced during 10.0 development and was never backported to the 8.0 or 9.0 servicing branches.\n- Your application never referenced any affected version of the package.\n\n### \u003ca name=\"how-fix\"\u003e\u003c/a\u003eHow do I fix the issue?\n\n1. **Upgrade `Microsoft.AspNetCore.DataProtection` to 10.0.7 or later** and redeploy. This fixes the validation routine. Any forged payloads produced during the vulnerable window (which necessarily carried all-zero HMAC bytes) will be rejected by the corrected code.\n \n2. **Rotate the DataProtection key ring** if your application was affected and served internet-exposed endpoints during the vulnerable window. This invalidates any legitimately-signed tokens the application may have issued to attackers during that period.\n \n   Example using the built-in key manager:\n \n   ```csharp\n   // Run once, from an application with access to the same key ring.\n   // Replace the cutoff with a timestamp just before you deployed 10.0.6.\n   var services = new ServiceCollection()\n       .AddDataProtection()\n       // ... your existing repository / protection configuration ...\n       .Services\n       .BuildServiceProvider();\n \n   var keyManager = services.GetRequiredService\u003cIKeyManager\u003e();\n   keyManager.RevokeAllKeys(\n       revocationDate: DateTimeOffset.UtcNow,      // revoke all keys currently in the ring\n       reason: \"CVE-TBD: DataProtection 10.0.6 validation bypass\");\n   ```\n \n   `RevokeAllKeys` marks every existing key as revoked; a new key is auto-generated on the next protect operation. All users will need to sign in again, all antiforgery tokens will be reissued, etc.\n \n   If you can be more surgical \u2014 for instance, you know no key older than `T` was used by an affected process \u2014 use `RevokeKey(Guid keyId, string reason)` instead to revoke only the keys that were active during the vulnerable window.\n \n3. **Audit application-level long-lived artifacts** that were created during the vulnerable window and carry identity or capability. These survive key rotation and must be rotated at the application layer:\n   - API keys, refresh tokens, or access tokens stored in your database and issued via a protected endpoint.\n   - Password reset links or email-confirmation tokens that were emitted during the window and have not yet expired.\n   - Any other persistent capability that an authenticated request could have caused your application to issue.\n \n   If your application does not issue such long-lived artifacts via authenticated endpoints, key rotation alone is sufficient.\n \n### Recommended\n \n4. **Audit plaintext stored inside protected payloads.** If your application stores long-lived secrets (database connection strings, third-party API keys, etc.) inside `IDataProtector.Protect` output, treat those secrets as potentially disclosed and rotate them at their respective sources.\n \n5. **Review web server logs** for anomalous request volume against endpoints that accept protected payloads (auth cookies, antiforgery tokens, state parameters). The padding-oracle attack requires many requests per byte recovered \u2014 orders of magnitude more than normal traffic for that endpoint. Sustained high-volume traffic with varying cookie/query-parameter values against a single authenticated endpoint during the vulnerable window is a strong indicator.\n\n## Other Information\n\n### Reporting Security Issues\n\nIf you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue).\n\nSecurity reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.\n\n### Support\n\nYou can ask questions about this issue on GitHub in the .NET GitHub organization. The main ASP.NET Core repo is located at https://github.com/dotnet/aspnetcore. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.\n\n### Disclaimer\n\nThe information provided in this advisory is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\n\n### External Links\n\n[CVE-2026-40372]( https://www.cve.org/CVERecord?id=CVE-2026-40372)\n\n### Revisions\n\nV1.0 (April 21, 2026): Advisory published.",
  "id": "GHSA-9mv3-2cwr-p262",
  "modified": "2026-04-24T19:59:43Z",
  "published": "2026-04-23T14:55:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/aspnetcore/security/advisories/GHSA-9mv3-2cwr-p262"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40372"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/announcements/issues/395"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dotnet/aspnetcore"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Microsoft Security Advisory CVE-2026-40372 \u2013 ASP.NET Core Elevation of Privilege"
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-475: Signature Spoofing by Improper Validation

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.