CWE-347
AllowedImproper Verification of Cryptographic Signature
Abstraction: Base · Status: Draft
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
1120 vulnerabilities reference this CWE, most recent first.
GHSA-M974-647V-WHV7
Vulnerability from github – Published: 2022-10-12 22:05 – Updated: 2022-10-18 03:11Impact
A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.
Patches
Users should upgrade to passport-saml 3.2.2 or newer. The issue was also present in the beta releases of node-saml before v4.0.0-beta.5.
Workarounds
Disable SAML authentication.
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory: * Open a discussion in the node-saml repo
Credits
- Felix Wilhelm of Google Project Zero
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "passport-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "node-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0-beta.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@node-saml/node-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0-beta.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@node-saml/passport-saml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0-beta.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39299"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-12T22:05:41Z",
"nvd_published_at": "2022-10-12T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered.\n\n### Patches\n\nUsers should upgrade to passport-saml 3.2.2 or newer. The issue was also present in the beta releases of `node-saml` before v4.0.0-beta.5.\n\n### Workarounds\n\nDisable SAML authentication.\n\n### References\n_Are there any links users can visit to find out more?_\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion in the [node-saml repo](https://github.com/node-saml/node-saml/discussions)\n\n### Credits\n\n* Felix Wilhelm of Google Project Zero\n",
"id": "GHSA-m974-647v-whv7",
"modified": "2022-10-18T03:11:22Z",
"published": "2022-10-12T22:05:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/node-saml/passport-saml/security/advisories/GHSA-m974-647v-whv7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39299"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/passport-saml/commit/8b7e3f5a91c8e5ac7e890a0c90bc7491ce33155e"
},
{
"type": "PACKAGE",
"url": "https://github.com/node-saml/passport-saml"
},
{
"type": "WEB",
"url": "https://github.com/node-saml/passport-saml/releases/tag/v3.2.2"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/169826/Node-saml-Root-Element-Signature-Bypass.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Signature bypass via multiple root elements"
}
GHSA-M9HP-7R99-94H5
Vulnerability from github – Published: 2021-12-20 17:53 – Updated: 2021-05-21 20:49Impact
The following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:
Signature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
encoding/xml instabilities:
- Element namespace prefix instability (CVE-2020-29511)
- Attribute namespace prefix instability (CVE-2020-29509)
- Directive comment instability (CVE-2020-29510)
Patches
Immediately update to Dex v2.27.0.
Workarounds
There are no known workarounds.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/dexidp/dex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.27.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/russellhaering/goxmldsig"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26290"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T20:49:36Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\n\nThe following vulnerabilities have been disclosed, which impact users leveraging the SAML connector:\n\nSignature Validation Bypass (CVE-2020-15216): https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7\n\n`encoding/xml` instabilities:\n - [Element namespace prefix instability (CVE-2020-29511)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md)\n - [Attribute namespace prefix instability (CVE-2020-29509)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md)\n - [Directive comment instability (CVE-2020-29510)](https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md)\n\n### Patches\n\nImmediately update to [Dex v2.27.0](https://github.com/dexidp/dex/releases/tag/v2.27.0).\n\n### Workarounds\n\nThere are no known workarounds.",
"id": "GHSA-m9hp-7r99-94h5",
"modified": "2021-05-21T20:49:36Z",
"published": "2021-12-20T17:53:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"
},
{
"type": "WEB",
"url": "https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26290"
},
{
"type": "WEB",
"url": "https://github.com/dexidp/dex/commit/324b1c886b407594196113a3dbddebe38eecd4e8"
},
{
"type": "WEB",
"url": "https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64"
},
{
"type": "WEB",
"url": "https://github.com/dexidp/dex/releases/tag/v2.27.0"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md"
},
{
"type": "WEB",
"url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2020-0050"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Critical security issues in XML encoding in github.com/dexidp/dex"
}
GHSA-MC6J-H948-V2P6
Vulnerability from github – Published: 2022-05-14 01:01 – Updated: 2023-03-08 19:49RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, and Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contain an Improper Verification of Cryptographic Signature vulnerability in package.rb. This can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. This vulnerability has been fixed in 2.7.6.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rubygems-update"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.7.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jruby:jruby-stdlib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.1.16.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000076"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-08T19:49:18Z",
"nvd_published_at": "2018-03-13T15:29:00Z",
"severity": "CRITICAL"
},
"details": "RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, and Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contain an Improper Verification of Cryptographic Signature vulnerability in package.rb. This can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. This vulnerability has been fixed in 2.7.6.",
"id": "GHSA-mc6j-h948-v2p6",
"modified": "2023-03-08T19:49:18Z",
"published": "2022-05-14T01:01:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000076"
},
{
"type": "WEB",
"url": "https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7"
},
{
"type": "WEB",
"url": "https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4259"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4219"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3621-1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/rubygems/rubygems"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0663"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0591"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:0542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2028"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3731"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3730"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:3729"
},
{
"type": "WEB",
"url": "http://blog.rubygems.org/2018/02/15/2.7.6-released.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "RubyGems Improper Verification of Cryptographic Signature vulnerability"
}
GHSA-MC7W-JQ93-55QG
Vulnerability from github – Published: 2024-01-26 03:30 – Updated: 2024-01-26 03:30Microsoft Edge (Chromium-based) Spoofing Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-21383"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-26T01:15:10Z",
"severity": "LOW"
},
"details": "Microsoft Edge (Chromium-based) Spoofing Vulnerability",
"id": "GHSA-mc7w-jq93-55qg",
"modified": "2024-01-26T03:30:19Z",
"published": "2024-01-26T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21383"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21383"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MCGX-2GCR-P3HP
Vulnerability from github – Published: 2025-02-25 17:48 – Updated: 2026-06-05 17:54Impact
Only users that has configured a JupyterHub installation to use the authenticator class LTI13Authenticator are influenced.
LTI13Authenticator that was introduced in jupyterhub-ltiauthenticator 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request granting access to existing and new user identities.
Patches
None.
Workarounds
None.
References
- This code segment didn't validate a JWT signature.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "jupyterhub-ltiauthenticator"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3.0"
]
}
],
"aliases": [
"CVE-2023-25574"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-25T17:48:34Z",
"nvd_published_at": "2025-02-25T15:15:16Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nOnly users that has configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are influenced.\n\nLTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn\u0027t validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request granting access to existing and new user identities.\n\n### Patches\n\nNone.\n\n### Workarounds\n\nNone.\n\n### References\n\n- [This code segment](https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164) didn\u0027t validate a JWT signature.",
"id": "GHSA-mcgx-2gcr-p3hp",
"modified": "2026-06-05T17:54:05Z",
"published": "2025-02-25T17:48:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25574"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyterhub/ltiauthenticator"
},
{
"type": "WEB",
"url": "https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164"
},
{
"type": "WEB",
"url": "https://github.com/jupyterhub/ltiauthenticator/blob/main/CHANGELOG.md#140---2023-03-01"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub-ltiauthenticator/PYSEC-2025-120.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "LTI JupyterHub Authenticator does not properly validate JWT Signature"
}
GHSA-MCX8-9RRJ-7QXM
Vulnerability from github – Published: 2024-01-16 15:30 – Updated: 2024-07-08 18:31A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2024-0567"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-16T14:15:48Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.",
"id": "GHSA-mcx8-9rrj-7qxm",
"modified": "2024-07-08T18:31:15Z",
"published": "2024-01-16T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0533"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1082"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1383"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2094"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-0567"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258544"
},
{
"type": "WEB",
"url": "https://gitlab.com/gnutls/gnutls/-/issues/1521"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2"
},
{
"type": "WEB",
"url": "https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240202-0011"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/19/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MF6W-XPM7-Q832
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03Improper Verification of Cryptographic Signature vulnerability exists inhomeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could allow remote code execution when unauthorized code is copied to the device.
{
"affected": [],
"aliases": [
"CVE-2021-22735"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-26T20:15:00Z",
"severity": "HIGH"
},
"details": "Improper Verification of Cryptographic Signature vulnerability exists inhomeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior which could allow remote code execution when unauthorized code is copied to the device.",
"id": "GHSA-mf6w-xpm7-q832",
"modified": "2022-05-24T19:03:17Z",
"published": "2022-05-24T19:03:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22735"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-130-04"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MF9C-7798-47GF
Vulnerability from github – Published: 2022-05-14 01:38 – Updated: 2022-05-14 01:38The installer for BitDefender GravityZone relies on an encoded string in a filename to determine the URL for installation metadata, which allows remote attackers to execute arbitrary code by changing the filename while leaving the file's digital signature unchanged.
{
"affected": [],
"aliases": [
"CVE-2018-8955"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-24T22:29:00Z",
"severity": "CRITICAL"
},
"details": "The installer for BitDefender GravityZone relies on an encoded string in a filename to determine the URL for installation metadata, which allows remote attackers to execute arbitrary code by changing the filename while leaving the file\u0027s digital signature unchanged.",
"id": "GHSA-mf9c-7798-47gf",
"modified": "2022-05-14T01:38:50Z",
"published": "2022-05-14T01:38:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8955"
},
{
"type": "WEB",
"url": "https://labs.nettitude.com/blog/cve-2018-8955-bitdefender-gravityzone-arbitrary-code-execution"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/149900/Bitdefender-GravityZone-Installer-Signature-Bypass-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2018/Oct/44"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041940"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MFGP-FVPM-HX5V
Vulnerability from github – Published: 2024-01-17 21:30 – Updated: 2024-02-08 03:32Studio Network Solutions ShareBrowser before 7.0 on macOS mishandles signature verification, aka PMP-2636.
{
"affected": [],
"aliases": [
"CVE-2023-44077"
],
"database_specific": {
"cwe_ids": [
"CWE-347"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-17T20:15:50Z",
"severity": "CRITICAL"
},
"details": "Studio Network Solutions ShareBrowser before 7.0 on macOS mishandles signature verification, aka PMP-2636.",
"id": "GHSA-mfgp-fvpm-hx5v",
"modified": "2024-02-08T03:32:45Z",
"published": "2024-01-17T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44077"
},
{
"type": "WEB",
"url": "https://khronokernel.com/macos/2024/01/18/CVE-2023-44077.html"
},
{
"type": "WEB",
"url": "https://support.studionetworksolutions.com/hc/en-us/articles/22494658980244-ShareBrowser-v-7-0-Released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MHC4-QQ83-FMRR
Vulnerability from github – Published: 2026-05-06 23:15 – Updated: 2026-05-06 23:15Summary
The AxonFlow SDK's WebhookSubscription (or equivalent) type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook deliveries. Affected callers had two unsatisfactory options:
- Skip signature verification entirely — accepting any payload from any source that knew the webhook URL.
- Hand-parse the raw HTTP JSON response to extract the secret, bypassing the type-safe SDK surface.
This advisory is filed across all four AxonFlow SDKs (Go, Python, TypeScript, Java) because the same defect and the same fix landed in each.
Affected versions
Versions 5.6.1 and below.
Impact
A webhook receiver using the SDK's typed API to handle inbound deliveries had no path to authenticate the source of incoming payloads. An attacker who learned the webhook URL — through misconfiguration, log leakage, observable network traffic during setup, or any other discovery channel — could forge webhook deliveries indistinguishable from legitimate ones, causing the receiving application to act on fabricated events (e.g. simulated approval-granted callbacks, simulated policy-decision callbacks, simulated step-completion callbacks).
Remediation
Upgrade to the patched version listed in Vulnerabilities below. The signing key is now exposed on the WebhookSubscription response type returned by CreateWebhook. Implementations should:
- Persist the secret returned by
CreateWebhooksecurely (it is only returned once, at create time). - On each incoming webhook delivery, compute
HMAC-SHA256(secret, raw_body)and compare it in constant time against theX-AxonFlow-Signatureheader. - Reject any delivery whose signature does not match.
Credit
Identified by AxonFlow internal security review during the April 2026 quality-freeze epic.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/getaxonflow/axonflow-sdk-go/v5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T23:15:38Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe AxonFlow SDK\u0027s `WebhookSubscription` (or equivalent) type did not expose the HMAC-SHA256 signing key returned by the platform\u0027s `CreateWebhook` endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the `X-AxonFlow-Signature` header on incoming webhook deliveries. Affected callers had two unsatisfactory options:\n\n1. Skip signature verification entirely \u2014 accepting any payload from any source that knew the webhook URL.\n2. Hand-parse the raw HTTP JSON response to extract the secret, bypassing the type-safe SDK surface.\n\nThis advisory is filed across all four AxonFlow SDKs (Go, Python, TypeScript, Java) because the same defect and the same fix landed in each.\n\n## Affected versions\n\nVersions 5.6.1 and below.\n\n## Impact\n\nA webhook receiver using the SDK\u0027s typed API to handle inbound deliveries had no path to authenticate the source of incoming payloads. An attacker who learned the webhook URL \u2014 through misconfiguration, log leakage, observable network traffic during setup, or any other discovery channel \u2014 could forge webhook deliveries indistinguishable from legitimate ones, causing the receiving application to act on fabricated events (e.g. simulated approval-granted callbacks, simulated policy-decision callbacks, simulated step-completion callbacks).\n\n## Remediation\n\nUpgrade to the patched version listed in Vulnerabilities below. The signing key is now exposed on the `WebhookSubscription` response type returned by `CreateWebhook`. Implementations should:\n\n1. Persist the secret returned by `CreateWebhook` securely (it is only returned once, at create time).\n2. On each incoming webhook delivery, compute `HMAC-SHA256(secret, raw_body)` and compare it in constant time against the `X-AxonFlow-Signature` header.\n3. Reject any delivery whose signature does not match.\n\n## Credit\n\nIdentified by AxonFlow internal security review during the April 2026 quality-freeze epic.",
"id": "GHSA-mhc4-qq83-fmrr",
"modified": "2026-05-06T23:15:38Z",
"published": "2026-05-06T23:15:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getaxonflow/axonflow-sdk-go/security/advisories/GHSA-mhc4-qq83-fmrr"
},
{
"type": "PACKAGE",
"url": "https://github.com/getaxonflow/axonflow-sdk-go"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "axonflow-sdk-go: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification"
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.