34 matches found
CVE-2026-7511 PKCS7_verify signer confusion allows forged signatures to be accepted
PKCS7verify signer confusion allows forged signatures, where the signer associated with a signature is not correctly bound, permitting a forged signature to be accepted...
Timing Attack
Overview mojic is an Obfuscate C source code into encrypted, password-seeded emoji streams. Affected versions of this package are vulnerable to Timing Attack in the getDecryptStream process. An attacker can bypass file integrity checks by exploiting timing discrepancies in the HMAC verification,...
EUVD-2026-14375
Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic and the related DSA/X509 verification flow in src/dsa-2.0.js. An attacker can forge DSA signatures or X.509...
Cryptanalysis of Four Arbitrated Quantum Signature Schemes
Arbitrated quantum signature AQS schemes aim at ensuring the authenticity of a message with the help of an arbitrator. Moreover, they aim at preventing repudiation, both from a sender that denies the origin of a message, and from a receiver who disavows its reception. Such protocols use quantum...
CVE-2026-1368
The CVE-2026-1368 issue affects the Video Conferencing with Zoom WordPress plugin prior to 4.6.6. A broken authentication flaw in a broken AJAX handler with nonce verification disabled allows unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and to retrieve the si...
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
Vulnerability Summary The publickeyfromnumbers or EllipticCurvePublicNumbers.publickey, EllipticCurvePublicNumbers.publickey, loadderpublickey and loadpempublickey functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an...
EulerOS 2.0 SP12 : ruby (EulerOS-SA-2025-1439)
According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously...
EulerOS 2.0 SP13 : ruby (EulerOS-SA-2025-1326)
According to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously...
PT-2025-2366 · Apache · Apache Hive
Name of the Vulnerable Software and Affected Versions: Apache Hive versions prior to 4.0.0 Description: The issue arises from the use of Arrays.equals in LlapSignerImpl to compare message signatures, allowing an attacker to forge a valid signature for an arbitrary message byte by byte. This can...
CVE-2025-0306
A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service...
CVE-2023-46809
A flaw was found in Node.js. The privateDecrypt API of the crypto library may allow a covert timing side-channel during PKCS1 v1.5 padding error handling. This issue revealed significant timing differences in decryption for valid and invalid ciphertexts, which may allow a remote attacker to decry...
CVE-2023-6935 Marvin Attack vulnerability in SP Math All RSA
wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSLSTATICRSA" The define “WOLFSSLSTATICRSA” enables static RSA cipher suites, which is n...
Security feature bypass
A security vulnerability has been identified in the cryptlib cryptographic library when cryptlib is compiled with the support for RSA key exchange ciphersuites in TLS by setting the USERSASUITES define, it will be vulnerable to the timing variant of the Bleichenbacher attack. An attacker that is...
Timing side-channel in PKCS#1 v1.5 decryption depadding code — Mozilla
The NSS code used for checking PKCS1 v1.5 was leaking information useful in mounting Bleichenbacher-like attacks. Both the overall correctness of the padding as well as the length of the encrypted message was leaking through timing side-channel. By sending large number of attacker-selected...
xml-security Data Forgery Issue Vulnerability
xml-security is SimpleSAMLphp open source library. xml-security version 1.6.11, saml2 5.0.0-alpha.13 version of the data forgery problem vulnerability , the vulnerability stems from the XML signature validation needs to verify that the hash value of the XML document in question matches a specific...
USN-5503-2 gnupg, gnupg2 vulnerability
USN-5503-1 fixed a vulnerability in GnuPG. This update provides the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. Original advisory details: Demi Marie Obenour discovered that GnuPG incorrectly handled injection in the status message. A remote attacker could possibly use this...
GHSA-XX36-6RV4-GJ8R ecdsa-elixir fails to check signatures, vulnerable to message forging
Summary Stark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perform operations such as payments and transfers. In addition, Stark Bank maintains a number of cryptographic libraries to perform cryptographic signing and...
libreoffice: Timestamp Manipulation with Signature Wrapping
A flaw was found in LibreOffice, where it inserted a signing timestamp. This flaw allows LibreOffice to present a valid signature due to the altered signing time. The highest threat from this vulnerability is to confidentiality and integrity...
CVE-2021-43570
The verify function in the Stark Bank Java ECDSA library ecdsa-java 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages...
CVE-2021-43568
The verify function in the Stark Bank Elixir ECDSA library ecdsa-elixir 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages...