Total
468 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-28045 | 1 Pax | 1 Prolinos | 2024-08-04 | 7.8 High |
| An unsigned-library issue was discovered in ProlinOS through 2.4.161.8859R. This OS requires installed applications and all system binaries to be signed either by the manufacturer or by the Point Of Sale application developer and distributor. The signature is a 2048-byte RSA signature verified in the kernel prior to ELF execution. Shared libraries, however, do not need to be signed, and they are not verified. An attacker may execute a custom binary by compiling it as a shared object and loading it via LD_PRELOAD. | ||||
| CVE-2020-28042 | 1 Servicestack | 1 Servicestack | 2024-08-04 | 5.3 Medium |
| ServiceStack before 5.9.2 mishandles JWT signature verification unless an application has a custom ValidateToken function that establishes a valid minimum length for a signature. | ||||
| CVE-2020-27540 | 1 Company | 2 Cs-c2shw, Cs-c2shw Firmware | 2024-08-04 | 9.8 Critical |
| Bash injection vulnerability and bypass of signature verification in Rostelecom CS-C2SHW 5.0.082.1. The camera reads firmware update configuration from SD card file vc\version.json. fw-sign parameter and from this configuration is directly inserted into a bash command. Firmware update is run automatically if there is special file on the inserted SD card. | ||||
| CVE-2020-26541 | 2 Linux, Redhat | 4 Linux Kernel, Enterprise Linux, Rhel Eus and 1 more | 2024-08-04 | 6.5 Medium |
| The Linux kernel through 5.8.13 does not properly enforce the Secure Boot Forbidden Signature Database (aka dbx) protection mechanism. This affects certs/blacklist.c and certs/system_keyring.c. | ||||
| CVE-2020-26540 | 2 Apple, Foxitsoftware | 3 Macos, Foxit Reader, Phantompdf | 2024-08-04 | 7.5 High |
| An issue was discovered in Foxit Reader and PhantomPDF before 4.1 on macOS. Because the Hardened Runtime protection mechanism is not applied to code signing, code injection (or an information leak) can occur. | ||||
| CVE-2020-26290 | 1 Linuxfoundation | 1 Dex | 2024-08-04 | 9.3 Critical |
| Dex is a federated OpenID Connect provider written in Go. In Dex before version 2.27.0 there is a critical set of vulnerabilities which impacts users leveraging the SAML connector. The vulnerabilities enables potential signature bypass due to issues with XML encoding in the underlying Go library. The vulnerabilities have been addressed in version 2.27.0 by using the xml-roundtrip-validator from Mattermost (see related references). | ||||
| CVE-2020-26244 | 1 Python Openid Connect Project | 1 Python Openid Connect | 2024-08-04 | 6.8 Medium |
| Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. 2) JWA `none` algorithm was allowed in all flows. 3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of the implementator. 4) iat claim was not checked for sanity (i.e. it could be in the future). These issues are patched in version 1.2.1. | ||||
| CVE-2020-26122 | 1 Inspur | 30 Nf5180m5, Nf5180m5 Firmware, Nf5260m5 and 27 more | 2024-08-04 | 7.2 High |
| Inspur NF5266M5 through 3.21.2 and other server M5 devices allow remote code execution via administrator privileges. The Baseboard Management Controller (BMC) program of INSPUR server is weak in checking the firmware and lacks the signature verification mechanism, the attacker who obtains the administrator's rights can control the BMC by inserting malicious code into the firmware program and bypassing the current verification mechanism to upgrade the BMC. | ||||
| CVE-2020-25490 | 1 Sqreen | 1 Php Microagent | 2024-08-04 | 7.3 High |
| Lack of cryptographic signature verification in the Sqreen PHP agent daemon before 1.16.0 makes it easier for remote attackers to inject rules for execution inside the virtual machine. | ||||
| CVE-2020-25166 | 1 Bbraun | 2 Datamodule Compactplus, Spacecom | 2024-08-04 | 7.6 High |
| An improper verification of the cryptographic signature of firmware updates of the B. Braun Melsungen AG SpaceCom Version L81/U61 and earlier, and the Data module compactplus Versions A10 and A11 allows attackers to generate valid firmware updates with arbitrary content that can be used to tamper with devices. | ||||
| CVE-2020-23967 | 1 Drweb | 1 Security Space | 2024-08-04 | 7.8 High |
| Dr.Web Security Space versions 11 and 12 allow elevation of privilege for local users without administrative privileges to NT AUTHORITY\SYSTEM due to insufficient control during autoupdate. | ||||
| CVE-2020-23533 | 1 Unionpayintl | 1 Union Pay | 2024-08-04 | 7.5 High |
| Union Pay up to 1.2.0, for web based versions contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps, via a crafted authentication code (MAC) which is generated based on a secret key which is NULL. | ||||
| CVE-2020-16922 | 1 Microsoft | 19 Windows 10, Windows 10 1507, Windows 10 1607 and 16 more | 2024-08-04 | 5.3 Medium |
| <p>A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files.</p> <p>In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded.</p> <p>The update addresses the vulnerability by correcting how Windows validates file signatures.</p> | ||||
| CVE-2020-16156 | 2 Fedoraproject, Perl | 2 Fedora, Comprehensive Perl Archive Network | 2024-08-04 | 7.8 High |
| CPAN 2.28 allows Signature Verification Bypass. | ||||
| CVE-2020-16154 | 2 App\, Fedoraproject | 2 \, Fedora | 2024-08-04 | 7.8 High |
| The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass. | ||||
| CVE-2020-15957 | 1 Dp3t-backend-software Development Kit Project | 1 Dp3t-backend-software Development Kit | 2024-08-04 | 7.5 High |
| An issue was discovered in DP3T-Backend-SDK before 1.1.1 for Decentralised Privacy-Preserving Proximity Tracing (DP3T). When it is configured to check JWT before uploading/publishing keys, it is possible to skip the signature check by providing a JWT token with alg=none. | ||||
| CVE-2020-15827 | 1 Jetbrains | 1 Toolbox | 2024-08-04 | 7.5 High |
| In JetBrains ToolBox version 1.17 before 1.17.6856, the set of signature verifications omitted the jetbrains-toolbox.exe file. | ||||
| CVE-2020-15302 | 1 Argent | 1 Recoverymanager | 2024-08-04 | 7.5 High |
| In Argent RecoveryManager before 0xdc350d09f71c48c5D22fBE2741e4d6A03970E192, the executeRecovery function does not require any signatures in the zero-guardian case, which allows attackers to cause a denial of service (locking) or a takeover. | ||||
| CVE-2020-15240 | 1 Auth0 | 1 Omniauth-auth0 | 2024-08-04 | 7.4 High |
| omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1. | ||||
| CVE-2020-15216 | 2 Fedoraproject, Goxmldsig Project | 2 Fedora, Goxmldsig | 2024-08-04 | 5.3 Medium |
| In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revision f6188febf0c29d7ffe26a0436212b19cb9615e64 or version 1.1.0 | ||||