CWE-347: Improper Verification of Cryptographic Signature

Description

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE

Example Vulnerable Codes

Example - 1

In the following code, a JarFile object is created from a downloaded file.


File f = new File(downloadedFilePath);JarFile jf = new JarFile(f);

The JAR file that was potentially downloaded from an untrusted source is created without verifying the signature (if present). An alternate constructor that accepts a boolean verify parameter should be used instead.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-345: Insufficient Verification of Data Authenticity

Go to

Visit http://cwe.mitre.org/ for more details.