Improper Verification of Cryptographic Signature |
Weakness ID: 347 (Weakness Base) | Status: Draft |
Description Summary
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
Example 1
In the following Java snippet, a JarFile object (representing a JAR file that was potentially downloaded from an untrusted source) is created without verifying the signature (if present). An alternate constructor that accepts a boolean verify parameter should be used instead.
(Bad Code)
Example Language: Java
File f = new File(downloadedFilePath);
JarFile jf = new JarFile(f);
Reference | Description |
---|---|
CVE-2002-1796 | Does not properly verify signatures for "trusted" entities. |
CVE-2005-2181 | Insufficient verification allows spoofing. |
CVE-2005-2182 | Insufficient verification allows spoofing. |
CVE-2002-1706 | Accepts a configuration file without a Message Integrity Check (MIC) signature. |
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 345 | Insufficient Verification of Data Authenticity | Development Concepts (primary)699 Research Concepts (primary)1000 |
Submissions | ||||
---|---|---|---|---|
Submission Date | Submitter | Organization | Source | |
PLOVER | Externally Mined | |||
Modifications | ||||
Modification Date | Modifier | Organization | Source | |
2008-07-01 | Sean Eidemiller | Cigital | External | |
added/updated demonstrative examples | ||||
2008-07-01 | Eric Dalci | Cigital | External | |
updated Time of Introduction | ||||
2008-09-08 | CWE Content Team | MITRE | Internal | |
updated Relationships, Taxonomy Mappings | ||||
2009-05-27 | CWE Content Team | MITRE | Internal | |
updated Description, Name | ||||
Previous Entry Names | ||||
Change Date | Previous Entry Name | |||
2009-05-27 | Improperly Verified Signature | |||