Total
530 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-44878 | 1 Pac4j | 1 Pac4j | 2024-11-21 | 7.5 High |
| If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value. | ||||
| CVE-2021-43572 | 1 Starkbank | 1 Ecdsa-python | 2024-11-21 | 9.8 Critical |
| The verify function in the Stark Bank Python ECDSA library (aka starkbank-escada or ecdsa-python) before 2.0.1 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages. | ||||
| CVE-2021-43571 | 1 Starkbank | 1 Ecdsa-node | 2024-11-21 | 9.8 Critical |
| The verify function in the Stark Bank Node.js ECDSA library (ecdsa-node) 1.1.2 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages. | ||||
| CVE-2021-43570 | 1 Starkbank | 1 Ecdsa-java | 2024-11-21 | 9.8 Critical |
| The verify function in the Stark Bank Java ECDSA library (ecdsa-java) 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages. | ||||
| CVE-2021-43569 | 1 Starkbank | 1 Ecdsa-dotnet | 2024-11-21 | 9.8 Critical |
| The verify function in the Stark Bank .NET ECDSA library (ecdsa-dotnet) 1.3.1 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages. | ||||
| CVE-2021-43568 | 1 Starkbank | 1 Elixir Ecdsa | 2024-11-21 | 9.8 Critical |
| The verify function in the Stark Bank Elixir ECDSA library (ecdsa-elixir) 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages. | ||||
| CVE-2021-43393 | 1 St | 4 J-safe3, J-safe3 Firmware, Stsafe-j and 1 more | 2024-11-21 | 6.2 Medium |
| STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to abuse signature verification. This is associated with the ECDSA signature algorithm on the Java Card J-SAFE3 and STSAFE-J platforms exposing a 3.0.4 Java Card API. It is exploitable for STSAFE-J in closed configuration and J-SIGN (when signature verification is activated) but not for J-SAFE3 EPASS BAC and EAC products. It might also impact other products based on the J-SAFE-3 Java Card platform. | ||||
| CVE-2021-43392 | 1 St | 4 J-safe3, J-safe3 Firmware, Stsafe-j and 1 more | 2024-11-21 | 6.2 Medium |
| STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to obtain information on cryptographic secrets. This is associated with the ECDSA signature algorithm on the Java Card J-SAFE3 and STSAFE-J platforms exposing a 3.0.4 Java Card API. It is exploitable for STSAFE-J in closed configuration and J-SIGN (when signature verification is activated) but not for J-SAFE3 EPASS BAC and EAC products. It might also impact other products based on the J-SAFE-3 Java Card platform. | ||||
| CVE-2021-43171 | 1 E.foundation | 1 App Lounge | 2024-11-21 | 6.5 Medium |
| Improper verification of applications' cryptographic signatures in the /e/OS app store client App Lounge before 0.19q allows attackers in control of the application server to install malicious applications on user's systems by altering the server's API response. | ||||
| CVE-2021-43074 | 1 Fortinet | 4 Fortios, Fortiproxy, Fortiswitch and 1 more | 2024-11-21 | 4.1 Medium |
| An improper verification of cryptographic signature vulnerability [CWE-347] in FortiWeb 6.4 all versions, 6.3.16 and below, 6.2 all versions, 6.1 all versions, 6.0 all versions; FortiOS 7.0.3 and below, 6.4.8 and below, 6.2 all versions, 6.0 all versions; FortiSwitch 7.0.3 and below, 6.4.10 and below, 6.2 all versions, 6.0 all versions; FortiProxy 7.0.1 and below, 2.0.7 and below, 1.2 all versions, 1.1 all versions, 1.0 all versions may allow an attacker to decrypt portions of the administrative session management cookie if able to intercept the latter. | ||||
| CVE-2021-41832 | 1 Apache | 1 Openoffice | 2024-11-21 | 7.5 High |
| It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25635 for the LibreOffice advisory. | ||||
| CVE-2021-41831 | 1 Apache | 1 Openoffice | 2024-11-21 | 5.3 Medium |
| It is possible for an attacker to manipulate the timestamp of signed documents. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25634 for the LibreOffice advisory. | ||||
| CVE-2021-41830 | 1 Apache | 1 Openoffice | 2024-11-21 | 7.5 High |
| It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25633 for the LibreOffice advisory. | ||||
| CVE-2021-40326 | 2 Foxit, Microsoft | 4 Pdf Editor, Pdf Reader, Phantompdf and 1 more | 2024-11-21 | 5.5 Medium |
| Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPDF before 10.1.6, mishandle hidden and incremental data in signed documents. An attacker can write to an arbitrary file, and display controlled contents, during signature verification. | ||||
| CVE-2021-40045 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-11-21 | 5.5 Medium |
| There is a vulnerability of signature verification mechanism failure in system upgrade through recovery mode.Successful exploitation of this vulnerability may affect service confidentiality. | ||||
| CVE-2021-3680 | 1 Showdoc | 1 Showdoc | 2024-11-21 | 4.9 Medium |
| showdoc is vulnerable to Missing Cryptographic Step | ||||
| CVE-2021-3633 | 1 Lenovo | 1 Drivers Management | 2024-11-21 | 7.3 High |
| A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow privilege escalation. | ||||
| CVE-2021-3521 | 2 Redhat, Rpm | 3 Enterprise Linux, Rhel Eus, Rpm | 2024-11-21 | 4.7 Medium |
| There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources. | ||||
| CVE-2021-3445 | 3 Fedoraproject, Redhat, Rpm | 3 Fedora, Enterprise Linux, Libdnf | 2024-11-21 | 7.5 High |
| A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability. | ||||
| CVE-2021-3421 | 3 Fedoraproject, Redhat, Rpm | 4 Fedora, Enterprise Linux, Rhel Eus and 1 more | 2024-11-21 | 5.5 Medium |
| A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha. | ||||