
572 matches found

UbuntuCve
added 2024/08/23 9:15 a.m., 21 views

CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

6.3 CVSS, 7.1 AI score, 0.00036 EPSS
Exploits: 0, References: 2
Debian CVE
added 2024/08/23 8:26 a.m., 14 views

CVE-2024-38807

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

6.3 CVSS, 8.5 AI score, 0.00036 EPSS
Exploits: 0
Vulnrichment
added 2024/08/23 8:26 a.m., 11 views

CVE-2024-38807: Signature Forgery Vulnerability in Spring Boot's Loader

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

6.3 CVSS, 7.2 AI score, 0.00036 EPSS
Exploits: 0, References: 1
Cvelist
added 2024/08/23 8:26 a.m., 34 views

CVE-2024-38807: Signature Forgery Vulnerability in Spring Boot's Loader

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another...

6.3 CVSS, 0.00036 EPSS
Exploits: 0, References: 1
CVE
added 2024/08/23 8:26 a.m., 92 views

CVE-2024-38807

CVE-2024-38807 describes a signature forgery vulnerability in VMware Spring Boot/loader components where signature verification of nested JARs can be bypassed, enabling content signed by one signer to appear signed by another. The NVD summary matches this description. Connected advisories identif...

6.3 CVSS, 6.5 AI score, 0.00036 EPSS
Exploits: 0, References: 2
CNNVD
added 2024/08/23 12:0 a.m., 4 views

VMware Spring Boot security vulnerability

VMware Spring Boot is a set of open source frameworks from VMware. A security vulnerability exists in VMware Spring Boot that stems from vulnerability to signature forgery attacks. The following products and versions are affected: Versions 2.7.0 through 2.7.21, 3.0.0 through 3.0.16, 3.1.0 through...

6.3 CVSS, 8.9 AI score, 0.00036 EPSS
Exploits: 0, References: 3
Positive Technologies
added 2024/08/23 12:0 a.m., 2 views

PT-2024-28229

Name of the Vulnerable Software and Affected Versions: Spring Boot versions 2.7.0 through 2.7.21; Spring Boot versions 3.0.0 through 3.0.16; Spring Boot versions 3.1.0 through 3.1.12; Spring Boot versions 3.2.0 through 3.2.8; Spring Boot versions 3.3.0 through 3.3.2. Description: Applications that use...

7.2 CVSS, 7.3 AI score, 0.00036 EPSS
Exploits: 0, References: 18
IBM Security Bulletins
added 2024/08/08 2:57 p.m., 31 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to signature forgery attack due to browserify-sign ( CVE-2023-46234 )

Summary: Package browserify-sign is used by IBM Cloud Pak for Data. CVE-2023-46234. Vulnerability Details: CVEID: CVE-2023-46234. DESCRIPTION: browserify browserify-sign could allow a remote attacker to bypass security restrictions, caused by an upper bound check issue in the dsaVerify function. By...

7.5 CVSS, 7.4 AI score, 0.00433 EPSS
Exploits: 0, Affected Software: 1
Ubuntu
added 2024/05/30 10:12 a.m., 33 views

USN-6800-1: browserify-sign vulnerability

It was discovered that browserify-sign incorrectly handled an upper bound check in signature verification. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to perform a signature forgery attack...

7.5 CVSS, 6.8 AI score, 0.00433 EPSS
Exploits: 0
OpenVAS
added 2024/05/30 12:0 a.m., 25 views

Ubuntu: Security Advisory (USN-6800-1)

The remote host is missing an update for the...

7.5 CVSS, 6.7 AI score, 0.00433 EPSS
Exploits: 0, References: 2
RedHat Linux
added 2024/05/28 2:11 p.m., 3 views

kernel: Marvin vulnerability side-channel leakage in the RSA decryption operation

A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key...

6.5 CVSS, 7.2 AI score, 0.00074 EPSS
Exploits: 0, References: 6
Tenable Nessus
added 2024/05/11 12:0 a.m., 33 views

RHEL 6 : browserify-sign (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - browserify-sign: upper bound check issue in dsaVerify leads to a signature forgery attack CVE-2023-46234 Note that...

6.9 AI score, 0.00433 EPSS
Exploits: 0, References: 1
RedHat Linux
added 2024/04/22 1:14 a.m., 0 views

nodejs: vulnerable to timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding (Marvin)

A flaw was found in Node.js. The privateDecrypt API of the crypto library may allow a covert timing side-channel during PKCS1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decry...

7.4 CVSS, 7.2 AI score, 0.01239 EPSS
Exploits: 0, References: 4
Redos
added 2024/04/18 12:0 a.m., 33 views

ROS-20240418-08

A vulnerability in the Browserify-sign cryptographic functionality duplication package is related to the upper bound check in the dsaVerify function. Exploitation of the vulnerability could allow an attacker, acting remotely, to create signatures that can be successfully verified by any public ke...

7.5 CVSS, 7.9 AI score, 0.02546 EPSS
Exploits: 1
BDU FSTEC
added 2024/03/27 12:0 a.m., 1 views

The vulnerability of the wolfSSL SSL/TLS library, related to information disclosure due to incompatibilities, allows attackers to decrypt encrypted texts and forge signatures.

The vulnerability of the SSL/TLS library wolfSSL is related to the disclosure of information due to incompatibility. Exploiting this vulnerability allows a malicious actor to decrypt encrypted texts except for the server’s secret key and forge signatures...

5.9 CVSS, 6.2 AI score, 0.00315 EPSS
Exploits: 0, References: 4, Affected Software: 1
Tenable Nessus
added 2024/02/29 12:0 a.m., 21 views

CentOS 9 : gnupg2-2.3.3-2.el9

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the gnupg2-2.3.3-2.el9 build changelog. - GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints e.g...

6.5 CVSS, 7.3 AI score, 0.015 EPSS
Exploits: 1, References: 2
CNVD
added 2024/02/28 12:0 a.m., 6 views

Unspecified vulnerability in wolfSSL (CNVD-2024-37453)

wolfSSL (CyaSSL) is a small, portable embedded SSL programming library from the US company wolfSSL, intended for embedded systems developers. wolfSSL has a security vulnerability that can be exploited by attackers to decrypt ciphertexts and forge signatures after extensive test observations...

5.9 CVSS, 6.7 AI score, 0.00315 EPSS
Exploits: 0, References: 1
Tenable Nessus
added 2024/02/28 12:0 a.m., 30 views

Fedora 39 : yarnpkg (2024-28fc0c2ef4)

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-28fc0c2ef4 advisory. Update to 1.22.21, add fixes for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234. Tenable has extracted the preceding description block directly from...

9.8 CVSS, 6.7 AI score, 0.06248 EPSS
Exploits: 2, References: 4
Tenable Nessus
added 2024/02/28 12:0 a.m., 30 views

Fedora 38 : yarnpkg (2024-5ecc250449)

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-5ecc250449 advisory. Update to 1.22.21, add fixes for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234. Tenable has extracted the preceding description block directly from...

9.8 CVSS, 6.7 AI score, 0.06248 EPSS
Exploits: 2, References: 4
CNNVD
added 2024/02/16 12:0 a.m., 1 views

Node.js Security Vulnerabilities

Node.js is an open source, cross-platform JavaScript runtime environment. A security vulnerability exists in Node.js that stems from a timing difference between the decryption of valid and invalid ciphertexts, which could allow a remote attacker to decrypt captured RSA ciphertexts or forge signatures...

7.4 CVSS, 7 AI score, 0.01239 EPSS
Exploits: 0, References: 4