Improper Verification of Cryptographic Signature
ID: 347 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The software does not verify, or incorrectly verifies, the
cryptographic signature for data.
Applicable Platforms
Language Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|
Access Control, Integrity, Confidentiality | Gain privileges / assume identity; Modify application data; Execute unauthorized code or commands | An attacker could gain access to sensitive data and possibly execute unauthorized code. |
Detection Methods None
Potential Mitigations None
Relationships
Related CWE | Type | View | Chain |
---|
CWE-347 ChildOf CWE-903 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the Java snippet that accompanies this example, a JarFile object (representing a JAR file that was potentially downloaded from an untrusted source) is created and used without the caller ever checking who signed it. The CWE text recommends the alternate constructor that accepts a boolean verify parameter; note, however, that the one-argument JarFile(File) constructor already verifies entry digests by default (it is equivalent to JarFile(file, true)). What the default verification does not do is reject an unsigned JAR, or one signed with an attacker's key, so the code must also read each entry and check its code signers against trusted certificates (compare the CERT SEC06-J mapping below).
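Since the snippet itself is not reproduced on this page, the following is an added example written for this page (not the CWE entry's or the JDK's own code). It shows the unchecked pattern next to a hardened version that reads every entry so that the JDK's digest verification runs, then rejects any entry that is unsigned or whose signer certificate is not the one we trust. The trusted certificate is assumed to be supplied by the caller (for instance loaded from a pinned file); a full PKIX path validation against a trust store would be the general form of that check.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {

    // Vulnerable pattern (CWE-347): the JAR is opened and consumed without
    // ever checking who signed it. JarFile(File) does verify entry digests
    // against the signature file by default, but an unsigned JAR, or one
    // signed by an attacker's own key, passes this constructor silently.
    static JarFile openUnchecked(File f) throws IOException {
        return new JarFile(f);
    }

    // Hardened: every real entry must be signed, and at least one signer's
    // leaf certificate must equal the caller-supplied trusted certificate.
    // Assumption for this example: trust is a pinned certificate comparison.
    static void verifyAllEntriesSignedBy(File f, X509Certificate trusted) throws IOException {
        try (JarFile jar = new JarFile(f, true)) {   // true = verify digests
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) {
                    continue;   // manifest and signature files are not themselves signed
                }
                // getCodeSigners() is only populated after the entry has been
                // read to the end; a digest mismatch throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    // Entries missing from the manifest are never verified by the JDK;
                    // this is the check the default verification does not perform.
                    throw new SecurityException("unsigned entry: " + e.getName());
                }
                boolean trustedSigner = false;
                for (CodeSigner s : signers) {
                    List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
                    if (!chain.isEmpty() && chain.get(0).equals(trusted)) {
                        trustedSigner = true;
                        break;
                    }
                }
                if (!trustedSigner) {
                    throw new SecurityException("entry not signed by a trusted key: " + e.getName());
                }
            }
        }
    }

    // Files that carry the signature rather than being covered by it.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    public static void main(String[] args) throws Exception {
        // Usage: java JarSignatureCheck <jar> <trusted-signer.cer>
        File jar = new File(args[0]);
        X509Certificate trusted;
        try (InputStream in = new java.io.FileInputStream(args[1])) {
            trusted = (X509Certificate) java.security.cert.CertificateFactory
                .getInstance("X.509").generateCertificate(in);
        }
        verifyAllEntriesSignedBy(jar, trusted);
        System.out.println("all entries signed by trusted key");
    }
}
```

Two details matter in practice: the entry must be read to its end before getCodeSigners() returns anything, and entries that are absent from the manifest are never checked by the JDK at all, so the per-entry "unsigned" rejection is what actually closes the gap the CWE describes.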
Observed Examples
- CVE-2002-1796 : Does not properly verify signatures for "trusted" entities.
- CVE-2005-2181 : Insufficient verification allows spoofing.
- CVE-2005-2182 : Insufficient verification allows spoofing.
- CVE-2002-1706 : Accepts a configuration file without a Message Integrity Check (MIC) signature.
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
PLOVER | | Improperly Verified Signature | |
CERT Java Secure Coding | SEC06-J | Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar | |
References: None