Common Weakness Enumeration

CWE-130

Allowed

Improper Handling of Length Parameter Inconsistency

Abstraction: Base · Status: Incomplete

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

160 vulnerabilities reference this CWE, most recent first.

GHSA-98W9-JQJV-X727

Vulnerability from github – Published: 2024-04-03 15:30 – Updated: 2024-04-03 15:30
VLAI
Details

A denial of service vulnerability exists in the OAS Engine File Data Source Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-03T14:15:15Z",
    "severity": "MODERATE"
  },
  "details": "A denial of service vulnerability exists in the OAS Engine File Data Source Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can cause the running program to stop. An attacker can send a sequence of requests to trigger this vulnerability.",
  "id": "GHSA-98w9-jqjv-x727",
  "modified": "2024-04-03T15:30:41Z",
  "published": "2024-04-03T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24976"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1948"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1948"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F5J-8JWJ-X28G

Vulnerability from github – Published: 2026-03-27 15:56 – Updated: 2026-03-30 20:17
VLAI
Summary
python-ecdsa: Denial of Service via improper DER length validation in crafted private keys
Details

Summary

An issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions.

  1. ecdsa.der.remove_octet_string() accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected.

  2. Because of that, a crafted DER input can cause SigningKey.from_der() to raise an internal exception (IndexError: index out of bounds on dimension 1) rather than cleanly rejecting malformed DER (e.g., raising UnexpectedDER or ValueError). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service.

Impact

Potential denial-of-service when parsing untrusted DER private keys due to unexpected internal exceptions, and malformed DER acceptance due to missing bounds checks in DER helper functions.

Reproduction

Attach and run the following PoCs:

poc_truncated_der_octet.py

from ecdsa.der import remove_octet_string, UnexpectedDER

# OCTET STRING (0x04)
# Declared length: 0x82 0x10 0x00  -> 4096 bytes
# Actual body: only 3 bytes -> truncated DER
bad = b"\x04\x82\x10\x00" + b"ABC"

try:
    body, rest = remove_octet_string(bad)
    print("[BUG] remove_octet_string accepted truncated DER.")
    print("Declared length=4096, actual body_len=", len(body), "rest_len=", len(rest))
    print("Body=", body)
    print("Rest=", rest)
except UnexpectedDER as e:
    print("[OK] Rejected malformed DER:", e)
  • Expected: reject malformed DER when declared length exceeds available bytes
  • Actual: accepts the truncated DER and returns a shorter body
  • Example output:
Parsed body_len= 3 rest_len= 0 (while declared length is 4096)

poc_signingkey_from_der_indexerror.py

from ecdsa import SigningKey, NIST256p
import ecdsa

print("ecdsa version:", ecdsa.__version__)

sk = SigningKey.generate(curve=NIST256p)
good = sk.to_der()
print("Good DER len:", len(good))


def find_crashing_mutation(data: bytes):
    b = bytearray(data)

    # Try every OCTET STRING tag position and corrupt a short-form length byte
    for i in range(len(b) - 4):
        if b[i] != 0x04:  # OCTET STRING tag
            continue

        L = b[i + 1]
        if L >= 0x80:
            # skip long-form lengths for simplicity
            continue

        max_possible = len(b) - (i + 2)
        if max_possible <= 10:
            continue

        # Claim more bytes than exist -> truncation
        newL = min(0x7F, max_possible + 20)
        b2 = bytearray(b)
        b2[i + 1] = newL

        try:
            SigningKey.from_der(bytes(b2))
        except Exception as e:
            return i, type(e).__name__, str(e)

    return None


res = find_crashing_mutation(good)
if res is None:
    print("[INFO] No exception triggered by this mutation strategy.")
else:
    i, etype, msg = res
    print("[BUG] SigningKey.from_der raised unexpected exception type.")
    print("Offset:", i, "Exception:", etype, "Message:", msg)
  • Expected: reject malformed DER with UnexpectedDER or ValueError
  • Actual: deterministically triggers an internal IndexError (DoS risk)
  • Example output:
Result: (5, 'IndexError', 'index out of bounds on dimension 1')

Suggested fix

Add “declared length must fit buffer” checks in DER helper functions similarly to the existing check in remove_sequence():

  • remove_octet_string()
  • remove_constructed()
  • remove_implicit()

Additionally, consider catching unexpected internal exceptions in DER key parsing paths and re-raising them as UnexpectedDER to avoid crashy failure modes.

Credit

Mohamed Abdelaal (@0xmrma)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ecdsa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T15:56:01Z",
    "nvd_published_at": "2026-03-27T23:17:13Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nAn issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions.\n\n1. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected.\n\n2. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service.\n\n## Impact\n\nPotential denial-of-service when parsing untrusted DER private keys due to unexpected internal exceptions, and malformed DER acceptance due to missing bounds checks in DER helper functions.\n\n## Reproduction\n\nAttach and run the following PoCs:\n\n###  poc_truncated_der_octet.py\n\n```python\nfrom ecdsa.der import remove_octet_string, UnexpectedDER\n\n# OCTET STRING (0x04)\n# Declared length: 0x82 0x10 0x00  -\u003e 4096 bytes\n# Actual body: only 3 bytes -\u003e truncated DER\nbad = b\"\\x04\\x82\\x10\\x00\" + b\"ABC\"\n\ntry:\n    body, rest = remove_octet_string(bad)\n    print(\"[BUG] remove_octet_string accepted truncated DER.\")\n    print(\"Declared length=4096, actual body_len=\", len(body), \"rest_len=\", len(rest))\n    print(\"Body=\", body)\n    print(\"Rest=\", rest)\nexcept UnexpectedDER as e:\n    print(\"[OK] Rejected malformed DER:\", e)\n```\n\n- Expected: reject malformed DER when declared length exceeds available bytes\n- Actual: accepts the truncated DER and returns a shorter body\n- Example output:\n```\nParsed body_len= 3 rest_len= 0 (while declared length is 4096)\n```\n\n### poc_signingkey_from_der_indexerror.py\n\n```python\nfrom ecdsa import SigningKey, NIST256p\nimport ecdsa\n\nprint(\"ecdsa version:\", ecdsa.__version__)\n\nsk = SigningKey.generate(curve=NIST256p)\ngood = sk.to_der()\nprint(\"Good DER len:\", len(good))\n\n\ndef find_crashing_mutation(data: bytes):\n    b = bytearray(data)\n\n    # Try every OCTET STRING tag position and corrupt a short-form length byte\n    for i in range(len(b) - 4):\n        if b[i] != 0x04:  # OCTET STRING tag\n            continue\n\n        L = b[i + 1]\n        if L \u003e= 0x80:\n            # skip long-form lengths for simplicity\n            continue\n\n        max_possible = len(b) - (i + 2)\n        if max_possible \u003c= 10:\n            continue\n\n        # Claim more bytes than exist -\u003e truncation\n        newL = min(0x7F, max_possible + 20)\n        b2 = bytearray(b)\n        b2[i + 1] = newL\n\n        try:\n            SigningKey.from_der(bytes(b2))\n        except Exception as e:\n            return i, type(e).__name__, str(e)\n\n    return None\n\n\nres = find_crashing_mutation(good)\nif res is None:\n    print(\"[INFO] No exception triggered by this mutation strategy.\")\nelse:\n    i, etype, msg = res\n    print(\"[BUG] SigningKey.from_der raised unexpected exception type.\")\n    print(\"Offset:\", i, \"Exception:\", etype, \"Message:\", msg)\n```\n\n- Expected: reject malformed DER with `UnexpectedDER` or `ValueError`\n- Actual: deterministically triggers an internal `IndexError` (DoS risk)\n- Example output:\n```\nResult: (5, \u0027IndexError\u0027, \u0027index out of bounds on dimension 1\u0027)\n```\n\n## Suggested fix\n\nAdd \u201cdeclared length must fit buffer\u201d checks in DER helper functions similarly to the existing check in `remove_sequence()`:\n\n- `remove_octet_string()`\n- `remove_constructed()`\n- `remove_implicit()`\n\nAdditionally, consider catching unexpected internal exceptions in DER key parsing paths and re-raising them as `UnexpectedDER` to avoid crashy failure modes.\n\n## Credit\n\nMohamed Abdelaal (@0xmrma)",
  "id": "GHSA-9f5j-8jwj-x28g",
  "modified": "2026-03-30T20:17:11Z",
  "published": "2026-03-27T15:56:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33936"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tlsfuzzer/python-ecdsa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "python-ecdsa: Denial of Service via improper DER length validation in crafted private keys"
}

GHSA-9J63-JQR8-FH2V

Vulnerability from github – Published: 2025-04-07 15:31 – Updated: 2025-04-11 18:30
VLAI
Details

In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., rdlen=ntohs(rr->rdlen) and memcpy(response+offset,end,*rdlen).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-05T23:15:40Z",
    "severity": "LOW"
  },
  "details": "In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr-\u003erdlen) and memcpy(response+offset,*end,*rdlen).",
  "id": "GHSA-9j63-jqr8-fh2v",
  "modified": "2025-04-11T18:30:41Z",
  "published": "2025-04-07T15:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32366"
    },
    {
      "type": "WEB",
      "url": "https://lapis-sawfish-be3.notion.site/0-day-Comman-memory-Leak-190dc00d01d080688472d322c93c4340"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20250410130356/https://lapis-sawfish-be3.notion.site/0-day-Comman-memory-Leak-190dc00d01d080688472d322c93c4340"
    },
    {
      "type": "WEB",
      "url": "https://web.git.kernel.org/pub/scm/network/connman/connman.git/tree/src/dnsproxy.c?h=1.44#n1001"
    },
    {
      "type": "WEB",
      "url": "https://web.git.kernel.org/pub/scm/network/connman/connman.git/tree/src/dnsproxy.c?h=1.44#n988"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RMP-2568-59RV

Vulnerability from github – Published: 2024-12-05 17:30 – Updated: 2025-12-26 16:30
VLAI
Summary
rPGP Panics on Malformed Untrusted Input
Details

During a security audit, Radically Open Security discovered several reachable edge cases which allow an attacker to trigger rpgp crashes by providing crafted data.

Impact

When processing malformed input, rpgp can run into Rust panics which halt the program.

This can happen in the following scenarios: * Parsing OpenPGP messages from binary or armor format * Decrypting OpenPGP messages via decrypt_with_password() * Parsing or converting public keys * Parsing signed cleartext messages from armor format * Using malformed private keys to sign or encrypt

Given the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the rpgp library. The attack complexity is low since the malformed messages are generic, short, and require no victim-specific knowledge.

The result is a denial-of-service impact via program termination. There is no impact to confidentiality or integrity security properties.

Versions and Patches

All recent versions are affected by at least some of the above mentioned issues.

The vulnerabilities have been fixed with version 0.14.1. We recommend all users to upgrade to this version.

References

The security audit was made possible by the NLnet Foundation NGI Zero Core grant program for rpgp.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "pgp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-53856"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130",
      "CWE-248",
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-05T17:30:52Z",
    "nvd_published_at": "2024-12-05T16:15:26Z",
    "severity": "HIGH"
  },
  "details": "During a security audit, [Radically Open Security](https://www.radicallyopensecurity.com/) discovered several reachable edge cases which allow an attacker to trigger `rpgp` crashes by providing crafted data.\n\n### Impact\nWhen processing malformed input, `rpgp` can run into Rust panics which halt the program.\n\nThis can happen in the following scenarios:\n* Parsing OpenPGP messages from binary or armor format\n* Decrypting OpenPGP messages via `decrypt_with_password()`\n* Parsing or converting public keys\n* Parsing signed cleartext messages from armor format\n* Using malformed private keys to sign or encrypt\n\nGiven the affected components, we consider most attack vectors to be reachable by remote attackers during typical use cases of the `rpgp` library. The attack complexity is low since the malformed messages are generic, short, and require no victim-specific knowledge.\n\nThe result is a denial-of-service impact via program termination. There is no impact to confidentiality or integrity security properties.\n\n### Versions and Patches\nAll recent versions are affected by at least some of the above mentioned issues. \n\nThe vulnerabilities have been fixed with version `0.14.1`. We recommend all users to upgrade to this version.\n\n### References\n\n\nThe security audit was made possible by the [NLnet Foundation NGI Zero Core](https://nlnet.nl/core/) grant program [for rpgp](https://nlnet.nl/project/rPGP-cryptorefresh/).",
  "id": "GHSA-9rmp-2568-59rv",
  "modified": "2025-12-26T16:30:25Z",
  "published": "2024-12-05T17:30:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rpgp/rpgp/security/advisories/GHSA-9rmp-2568-59rv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53856"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rpgp/rpgp"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0447.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "rPGP Panics on Malformed Untrusted Input"
}

GHSA-C4JG-97GH-363X

Vulnerability from github – Published: 2023-04-20 18:30 – Updated: 2024-04-04 03:37
VLAI
Details

A heap-based buffer overflow vulnerability exists in the TriangleMesh clone functionality of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. A specially-crafted STL file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36788"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-20T16:15:07Z",
    "severity": "HIGH"
  },
  "details": "A heap-based buffer overflow vulnerability exists in the TriangleMesh clone functionality of Slic3r libslic3r 1.3.0 and Master Commit b1a5500. A specially-crafted STL file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.",
  "id": "GHSA-c4jg-97gh-363x",
  "modified": "2024-04-04T03:37:01Z",
  "published": "2023-04-20T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36788"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1593"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C894-282R-PX6W

Vulnerability from github – Published: 2021-12-02 00:00 – Updated: 2022-04-27 00:00
VLAI
Details

Improper Handling of Length Parameter Inconsistency vulnerability in MELSEC iQ-R Series R00/01/02CPU Firmware versions "24" and prior, MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions "57" and prior, MELSEC iQ-R Series R08/16/32/120SFCPU All versions, MELSEC iQ-R Series R08/16/32/120PCPU Firmware versions "29" and prior, MELSEC iQ-R Series R08/16/32/120PSFCPU All versions, MELSEC iQ-R Series R16/32/64MTCPU All versions, MELSEC iQ-R Series R12CCPU-V All versions, MELSEC Q Series Q03UDECPU All versions, MELSEC Q Series Q04/06/10/13/20/26/50/100UDEHCPU All versions, MELSEC Q Series Q03/04/06/13/26UDVCPU The first 5 digits of serial No. "23071" and prior, MELSEC Q Series Q04/06/13/26UDPVCPU The first 5 digits of serial No. "23071" and prior, MELSEC Q Series Q12DCCPU-V All versions, MELSEC Q Series Q24DHCCPU-V(G) All versions, MELSEC Q Series Q24/26DHCCPU-LS All versions, MELSEC Q Series MR-MQ100 All versions, MELSEC Q Series Q172/173DCPU-S1 All versions, MELSEC Q Series Q172/172DSCPU All versions, MELSEC Q Series Q170MCPU All versions, MELSEC Q Series Q170MSCPU(-S1) All versions, MELSEC L Series L02/06/26CPU(-P) All versions, MELSEC L Series L26CPU-(P)BT All versions and MELIPC Series MI5122-VW All versions allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted packets. System reset is required for recovery.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-01T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper Handling of Length Parameter Inconsistency vulnerability in MELSEC iQ-R Series R00/01/02CPU Firmware versions \"24\" and prior, MELSEC iQ-R Series R04/08/16/32/120(EN)CPU Firmware versions \"57\" and prior, MELSEC iQ-R Series R08/16/32/120SFCPU All versions, MELSEC iQ-R Series R08/16/32/120PCPU Firmware versions \"29\" and prior, MELSEC iQ-R Series R08/16/32/120PSFCPU All versions, MELSEC iQ-R Series R16/32/64MTCPU All versions, MELSEC iQ-R Series R12CCPU-V All versions, MELSEC Q Series Q03UDECPU All versions, MELSEC Q Series Q04/06/10/13/20/26/50/100UDEHCPU All versions, MELSEC Q Series Q03/04/06/13/26UDVCPU The first 5 digits of serial No. \"23071\" and prior, MELSEC Q Series Q04/06/13/26UDPVCPU The first 5 digits of serial No. \"23071\" and prior, MELSEC Q Series Q12DCCPU-V All versions, MELSEC Q Series Q24DHCCPU-V(G) All versions, MELSEC Q Series Q24/26DHCCPU-LS All versions, MELSEC Q Series MR-MQ100 All versions, MELSEC Q Series Q172/173DCPU-S1 All versions, MELSEC Q Series Q172/172DSCPU All versions, MELSEC Q Series Q170MCPU All versions, MELSEC Q Series Q170MSCPU(-S1) All versions, MELSEC L Series L02/06/26CPU(-P) All versions, MELSEC L Series L26CPU-(P)BT All versions and MELIPC Series MI5122-VW All versions allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted packets. System reset is required for recovery.",
  "id": "GHSA-c894-282r-px6w",
  "modified": "2022-04-27T00:00:51Z",
  "published": "2021-12-02T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20610"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU94434051/index.html"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-019_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C96H-CXX6-RMG9

Vulnerability from github – Published: 2024-05-18 00:30 – Updated: 2025-03-27 18:40
VLAI
Summary
Tor path lengths too short when "full Vanguards" configured
Details

In Tor Arti before 1.2.3, circuits sometimes incorrectly have a length of 3 (with full vanguards), aka TROVE-2024-004.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tor-circmgr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.18.0"
            },
            {
              "fixed": "0.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.18.0"
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "arti"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.2"
            },
            {
              "fixed": "1.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.2.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-35313"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-20T16:37:19Z",
    "nvd_published_at": "2024-05-17T22:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In Tor Arti before 1.2.3, circuits sometimes incorrectly have a length of 3 (with full vanguards), aka TROVE-2024-004.",
  "id": "GHSA-c96h-cxx6-rmg9",
  "modified": "2025-03-27T18:40:05Z",
  "published": "2024-05-18T00:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35313"
    },
    {
      "type": "PACKAGE",
      "url": "https://gitlab.torproject.org/tpo/core/arti"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/arti/-/blob/main/CHANGELOG.md#arti-123-15-may-2024"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/arti/-/commit/1a89d5c9659d799a84dd3ff00fae530f5c8ba280"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/arti/-/issues/1400"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/arti/-/issues/1409"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0339.html"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0340.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tor path lengths too short when \"full Vanguards\" configured"
}

GHSA-CCW9-Q5H2-8C2W

Vulnerability from github – Published: 2023-05-18 17:30 – Updated: 2023-06-19 17:01
VLAI
Summary
swift-nio-http2 vulnerable to denial of service via invalid HTTP/2 HEADERS frame length
Details

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. It is fixed in 1.19.2 and later releases.

This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process.

Sending a HEADERS frame with HTTP/2 priority information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack.

The attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service.

The attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks.

The risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services.

The issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/apple/swift-nio-http2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-18T17:30:44Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This attack affects all swift-nio-http2 versions from 1.0.0 to 1.19.1. It is fixed in 1.19.2 and later releases.\n\nThis vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS frame where the frame contains priority information without any other data. This logical error caused confusion about the size of the frame, leading to a parsing error. This parsing error immediately crashes the entire process.\n\nSending a HEADERS frame with HTTP/2 priority information does not require any special permission, so any HTTP/2 connection peer may send such a frame. For clients, this means any server to which they connect may launch this attack. For servers, anyone they allow to connect to them may launch such an attack.\n\nThe attack is low-effort: it takes very little resources to send an appropriately crafted frame. The impact on availability is high: receiving the frame immediately crashes the server, dropping all in-flight connections and causing the service to need to restart. It is straightforward for an attacker to repeatedly send appropriately crafted frames, so attackers require very few resources to achieve a substantial denial of service.\n\nThe attack does not have any confidentiality or integrity risks in and of itself: swift-nio-http2 is parsing the frame in memory-safe code, so the crash is safe. However, sudden process crashes can lead to violations of invariants in services, so it is possible that this attack can be used to trigger an error condition that has confidentiality or integrity risks.\n\nThe risk can be mitigated if untrusted peers can be prevented from communicating with the service. This mitigation is not available to many services.\n\nThe issue is fixed by rewriting the parsing code to correctly handle the condition. The issue was found by automated fuzzing by oss-fuzz.",
  "id": "GHSA-ccw9-q5h2-8c2w",
  "modified": "2023-06-19T17:01:31Z",
  "published": "2023-05-18T17:30:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-ccw9-q5h2-8c2w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24666"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio-http2/commit/93215774aa7d223a5ad5aa0b80453375d669fa8f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apple/swift-nio-http2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apple/swift-nio-http2/releases/tag/1.19.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "swift-nio-http2 vulnerable to denial of service via invalid HTTP/2 HEADERS frame length"
}

GHSA-CG4X-CCFP-J6Q9

Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-04-09 18:30
VLAI
Details

Azure Private 5G Core Denial of Service Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T17:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Azure Private 5G Core Denial of Service Vulnerability",
  "id": "GHSA-cg4x-ccfp-j6q9",
  "modified": "2024-04-09T18:30:24Z",
  "published": "2024-04-09T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20685"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20685"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CGWH-HFR7-38M2

Vulnerability from github – Published: 2022-03-25 00:00 – Updated: 2025-11-03 21:30
VLAI
Details

A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier in the mbedtls_pkcs12_derivation function when an input password's length is 0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-24T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier in the mbedtls_pkcs12_derivation function when an input password\u0027s length is 0.",
  "id": "GHSA-cgwh-hfr7-38m2",
  "modified": "2025-11-03T21:30:38Z",
  "published": "2022-03-25T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43666"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ARMmbed/mbedtls/issues/5136"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00034.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When processing structured incoming data containing a size field followed by raw data, ensure that you identify and resolve any inconsistencies between the size field and the actual size of the data.

Mitigation
Implementation

Do not let the user control the size of the buffer.

Mitigation
Implementation

Validate that the length of the user-supplied data is consistent with the buffer size.

CAPEC-47: Buffer Overflow via Parameter Expansion

In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.