Common Weakness Enumeration

CWE-1116

Allowed

Inaccurate Source Code Comments

Abstraction: Base · Status: Incomplete

The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.

4 vulnerabilities reference this CWE, most recent first.

CVE-2025-47271 (GCVE-0-2025-47271)

Vulnerability from cvelistv5 – Published: 2025-05-12 10:52 – Updated: 2025-05-12 12:12
VLAI
Title
OZI-Project/ozi-publish Code Injection vulnerability
Summary
The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE-1116 - Inaccurate Comments
Assigner
References
Impacted products
Vendor Product Version
OZI-Project publish Affected: >= 1.13.2, < 1.13.6
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47271",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T12:10:34.546853Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T12:12:40.770Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "publish",
          "vendor": "OZI-Project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.13.2, \u003c 1.13.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1116",
              "description": "CWE-1116: Inaccurate Comments",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-12T10:52:26.916Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9"
        },
        {
          "name": "https://github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5c"
        }
      ],
      "source": {
        "advisory": "GHSA-2487-9f55-2vg9",
        "discovery": "UNKNOWN"
      },
      "title": "OZI-Project/ozi-publish Code Injection vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-47271",
    "datePublished": "2025-05-12T10:52:26.916Z",
    "dateReserved": "2025-05-05T16:53:10.372Z",
    "dateUpdated": "2025-05-12T12:12:40.770Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2487-9F55-2VG9

Vulnerability from github – Published: 2025-05-12 19:58 – Updated: 2025-05-12 19:58
VLAI
Summary
OZI-Project/ozi-publish Code Injection vulnerability
Details

Impact

Potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code.

Patches

This is patched in 1.13.6

Workarounds

Downgrade to <1.13.2

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "OZI-Project/publish"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.2"
            },
            {
              "fixed": "1.13.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1116",
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-12T19:58:07Z",
    "nvd_published_at": "2025-05-12T11:15:51Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nPotentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code.\n\n### Patches\nThis is patched in 1.13.6\n\n### Workarounds\nDowngrade to \u003c1.13.2\n\n### References\n\n* [Understanding the Risk of Script Injections](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)",
  "id": "GHSA-2487-9f55-2vg9",
  "modified": "2025-05-12T19:58:07Z",
  "published": "2025-05-12T19:58:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47271"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OZI-Project/publish"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OZI-Project/ozi-publish Code Injection vulnerability"
}

GHSA-JWXQ-F9VM-725G

Vulnerability from github – Published: 2023-02-21 00:30 – Updated: 2025-03-18 18:30
VLAI
Details

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1116",
      "CWE-116",
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-20T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.",
  "id": "GHSA-jwxq-f9vm-725g",
  "modified": "2025-03-18T18:30:37Z",
  "published": "2023-02-21T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48339"
    },
    {
      "type": "WEB",
      "url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5360"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V82W-4932-72HF

Vulnerability from github – Published: 2023-03-30 18:30 – Updated: 2025-02-18 18:33
VLAI
Details

PDFZorro PDFZorro Online r20220428 using TCPDF 6.2.5, despite having workflows claiming to correctly remove redacted information from a supplied PDF file, does not properly sanitize this information in all cases, causing redacted information, including images and text embedded in the PDF file, to be leaked unintentionally. In cases where PDF text objects are present it is possible to copy-paste redacted information into the system clipboard. Once a document is "locked" and marked for redaction once, all redactions performed after this feature is triggered are vulnerable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1116",
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-30T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "PDFZorro PDFZorro Online r20220428 using TCPDF 6.2.5, despite having workflows claiming to correctly remove redacted information from a supplied PDF file, does not properly sanitize this information in all cases, causing redacted information, including images and text embedded in the PDF file, to be leaked unintentionally. In cases where PDF text objects are present it is possible to copy-paste redacted information into the system clipboard. Once a document is \"locked\" and marked for redaction once, all redactions performed after this feature is triggered are vulnerable.",
  "id": "GHSA-v82w-4932-72hf",
  "modified": "2025-02-18T18:33:02Z",
  "published": "2023-03-30T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30351"
    },
    {
      "type": "WEB",
      "url": "https://arxiv.org/pdf/2206.02285.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.pdfzorro.com/pdf-edit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Verify that each comment accurately reflects what is intended to happen during execution of the code.

No CAPEC attack patterns related to this CWE.