CWE-347: Improper Verification of Cryptographic Signature
Weakness ID: 347 (Weakness Base)
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
Time of Introduction
Architecture and Design
Technical Impact: Gain privileges / assume identity; Modify application data; Execute unauthorized code or
An attacker could gain access to sensitive data and possibly execute
In the following Java snippet, a JarFile object (representing a JAR file that was potentially downloaded from an untrusted source) is created without verifying the signature (if present). An alternate constructor that accepts a boolean verify parameter should be used instead.
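The following is an added example, not code from the CWE entry itself, showing the defensive side of the JarFile case: the archive is opened with verify set to true, every content entry is read to completion so that the signature-file digests are actually checked, and each entry is then required to carry a signature chaining to a known publisher certificate. The class name SignedJarCheck, the trustedSigner field, and the assumption that the caller loads the publisher certificate from a pinned truststore are all this example's own choices.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (not the CWE entry's own code). Opens a downloaded JAR with
 * signature verification enabled and requires every content entry to be
 * signed by a known publisher certificate.
 */
public final class SignedJarCheck {

    /** Trusted publisher certificate; assumption: the caller loads it from a pinned truststore. */
    private final X509Certificate trustedSigner;

    public SignedJarCheck(X509Certificate trustedSigner) {
        this.trustedSigner = trustedSigner;
    }

    /**
     * Returns true only if every non-metadata entry carries a valid signature
     * from the trusted signer. A SecurityException propagates from the read if
     * a signed entry's digest does not match its signature file.
     */
    public boolean verify(File downloadedJar) throws IOException {
        // verify=true makes JarFile check signature-file digests as entries are read.
        // It is the default for the single-argument constructor, but stating it
        // explicitly documents the intent and survives a later refactor.
        try (JarFile jf = new JarFile(downloadedJar, true)) {
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (isSignatureMetadata(entry)) {
                    continue; // manifest and signature blocks are not themselves signed entries
                }
                // Digest verification happens during the read, and getCodeSigners()
                // is only populated once the entry's stream has been fully consumed.
                try (InputStream in = jf.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false; // unsigned entry: verify=true alone would silently accept it
                }
                if (!signedByTrusted(signers)) {
                    return false; // signature is valid but comes from an unknown key
                }
            }
            return true;
        }
    }

    /** Directories, the manifest and META-INF signature files carry no signature of their own. */
    private static boolean isSignatureMetadata(JarEntry entry) {
        if (entry.isDirectory()) {
            return true;
        }
        String name = entry.getName().toUpperCase(Locale.ROOT);
        if (name.equals("META-INF/MANIFEST.MF")) {
            return true;
        }
        return name.startsWith("META-INF/")
                && (name.endsWith(".SF") || name.endsWith(".RSA")
                    || name.endsWith(".DSA") || name.endsWith(".EC"));
    }

    /** True if any signer's certificate path contains the pinned publisher certificate. */
    private boolean signedByTrusted(CodeSigner[] signers) {
        for (CodeSigner signer : signers) {
            for (Certificate c : signer.getSignerCertPath().getCertificates()) {
                // Certificate.equals compares the DER encoding, so this is a byte-exact pin.
                if (c instanceof X509Certificate && c.equals(trustedSigner)) {
                    return true;
                }
            }
        }
        return false;
    }
}
```

To use it, load the publisher certificate with `CertificateFactory.getInstance("X.509").generateCertificate(in)` and call `new SignedJarCheck(cert).verify(new File("downloaded.jar"))` before any class from the archive is loaded or executed. The two extra checks after the read are the part most often omitted: a JarFile opened with verify set to true rejects entries whose digests are wrong, but it raises no error for entries that were never signed, and it does not care who signed them, so a downloaded archive that is unsigned or signed by an arbitrary key passes unless the code inspects getCodeSigners() itself.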