CVE-2025-34324
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-12-31
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| infocert | gosign | up to 2.4.1 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects GoSign Desktop versions 2.4.0 and earlier, where the update manifest used to distribute application updates is unsigned. Although the manifest includes package URLs and SHA-256 hashes, it is not digitally signed, so the client relies only on the TLS channel for authenticity. However, if a proxy is configured, TLS certificate validation can be disabled, allowing an attacker who intercepts network traffic to supply a malicious update manifest and package; because the hash travels inside the same unsigned manifest, the attacker can simply set it to the hash of the substituted package and the client's hash check passes. This can lead to the client downloading and installing a tampered update, resulting in arbitrary code execution with the privileges of the GoSign Desktop user on Windows and macOS, or with elevated privileges on some Linux systems. Additionally, a local attacker who can modify proxy settings may exploit this to escalate privileges by forcing installation of a crafted update.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary code on your system with the privileges of the GoSign Desktop user on Windows and macOS, or with elevated privileges on some Linux deployments. This means an attacker could potentially take control of your system, install malicious software, or perform unauthorized actions. A local attacker could also escalate their privileges by exploiting this vulnerability through proxy settings manipulation.
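The fix for CWE-347 in an updater is to check a signature over the manifest against a publisher key pinned in the client before trusting any field in it, so that the package hash is authenticated rather than merely transported. The following is an added example written for this page, not GoSign Desktop's or InfoCert's code; the manifest fields, the Ed25519 scheme, the key handling and the update URL are all assumptions for illustration. It contrasts a genuine signed update with the interception pattern described above, where the manifest's hash has been rewritten to match a substituted package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest mirrors the shape described on the page (package URL plus SHA-256).
// The field names are an assumption, not GoSign's real manifest format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest pairs the exact serialized manifest with a detached Ed25519 signature.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned publisher key")
	ErrHashMismatch = errors.New("downloaded package hash does not match signed manifest")
)

// NewPublisherKeys stands in for the vendor's offline release key (constructed for the demo).
func NewPublisherKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func packageHash(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the release-pipeline side: sign the serialized manifest bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	b, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	return SignedManifest{Manifest: b, Signature: ed25519.Sign(priv, b)}
}

// VerifyUpdate is the client side. The signature is checked against a public key
// shipped inside the client BEFORE any manifest field is trusted, so a proxy with
// TLS validation disabled cannot substitute its own manifest and hash.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, pkg []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if packageHash(pkg) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

// DemoResult collects the three outcomes of DemoScenario for inspection.
type DemoResult struct {
	Version        string // version of the genuine update that verified
	SubstitutedErr error  // error for an intercepted manifest with a matching hash
	CorruptErr     error  // error for a genuine manifest with a corrupted download
}

// DemoScenario runs the genuine case, the interception case from the page, and a
// corrupted-download case, all on constructed sample bytes.
func DemoScenario() DemoResult {
	pub, priv := NewPublisherKeys()

	genuinePkg := []byte("constructed genuine installer bytes")
	url := "https://updates.example.invalid/gosign-2.4.1.pkg" // placeholder URL
	signed := SignManifest(priv, Manifest{Version: "2.4.1", URL: url, SHA256: packageHash(genuinePkg)})
	m, err := VerifyUpdate(pub, signed, genuinePkg)
	if err != nil {
		panic(err)
	}

	// An on-path party rewrites the manifest so its hash matches a package of its
	// choosing. An unsigned-manifest client would accept this; here the hash match is
	// irrelevant because these manifest bytes were never signed by the publisher.
	substitutedPkg := []byte("constructed substituted installer bytes")
	forged, _ := json.Marshal(Manifest{Version: "2.4.1", URL: url, SHA256: packageHash(substitutedPkg)})
	_, substErr := VerifyUpdate(pub, SignedManifest{Manifest: forged, Signature: signed.Signature}, substitutedPkg)

	// A genuine signed manifest with a corrupted download is caught by the hash check.
	_, corruptErr := VerifyUpdate(pub, signed, []byte("constructed corrupted download"))

	return DemoResult{Version: m.Version, SubstitutedErr: substErr, CorruptErr: corruptErr}
}

func main() {
	r := DemoScenario()
	fmt.Println("genuine update verified, version:", r.Version)
	fmt.Println("substituted package rejected:", r.SubstitutedErr)
	fmt.Println("corrupted download rejected:", r.CorruptErr)
}
```

The order of the checks is the point: signature first, then hash, then anything else from the manifest. Since the verification key is compiled into the client rather than fetched, it holds even when the transport is a user-configured proxy with certificate validation turned off, which is exactly the situation in which the TLS-only design fails.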