CWE-347: Improper Verification of Cryptographic Signature

CVE-2013-3900

CISA KEV

WinVerifyTrust Signature Validation Vulnerability

CWE-347: Improper Verification of Cryptographic Signature

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In the following code, a JarFile object is created from a downloaded file.

Vulnerable example

java

File f = new File(downloadedFilePath);

The JAR file that was potentially downloaded from an untrusted source is created without verifying the signature (if present). An alternate constructor that accepts a boolean verify parameter should be used instead.

CWE-347: Improper Verification of Cryptographic Signature

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-347?

What CVEs are caused by CWE-347?

How is CWE-347 detected?

What are the consequences of CWE-347?

Is CWE-347 actively exploited?

References

Stay ahead of CWE-347

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-347?

What CVEs are caused by CWE-347?

How is CWE-347 detected?

What are the consequences of CWE-347?

Is CWE-347 actively exploited?

References

Stay ahead of CWE-347