CWE-134
AllowedUse of Externally-Controlled Format String
Abstraction: Base · Status: Draft
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
499 vulnerabilities reference this CWE, most recent first.
GHSA-XFPX-QRR3-2GMV
Vulnerability from github – Published: 2022-05-17 02:43 – Updated: 2022-05-17 02:43CloudView NMS before 2.10a has a format string issue exploitable over SNMP.
{
"affected": [],
"aliases": [
"CVE-2016-5074"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-10T03:59:00Z",
"severity": "CRITICAL"
},
"details": "CloudView NMS before 2.10a has a format string issue exploitable over SNMP.",
"id": "GHSA-xfpx-qrr3-2gmv",
"modified": "2022-05-17T02:43:09Z",
"published": "2022-05-17T02:43:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5074"
},
{
"type": "WEB",
"url": "https://community.rapid7.com/community/infosec/blog/2016/09/07/multiple-disclosures-for-multiple-network-management-systems-part-2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98723"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGJ6-PGRM-X4R2
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-01-26 22:31Format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "gtk2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2007-6183"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:03:18Z",
"nvd_published_at": "2007-11-30T00:46:00Z",
"severity": "MODERATE"
},
"details": "Format string vulnerability in the `mdiag_initialize` function in `gtk/src/rbgtkmessagedialog.c` in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.",
"id": "GHSA-xgj6-pgrm-x4r2",
"modified": "2023-01-26T22:31:40Z",
"published": "2017-10-24T18:33:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6183"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=402871"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38757"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200228174159/http://www.securityfocus.com/bid/26616"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20201207224244/https://www.securityfocus.com/archive/1/484240/100/0/threaded"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00214.html"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00251.html"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=453689"
},
{
"type": "WEB",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=200623"
},
{
"type": "WEB",
"url": "http://em386.blogspot.com/2007/11/your-favorite-better-than-c-scripting.html"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200712-09.xml"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/3407"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2007/dsa-1431"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2008:033/?name=MDVSA-2008:033"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "gtk2 vulnerable to Use of Externally-Controlled Format String"
}
GHSA-XH6G-PRC3-64GX
Vulnerability from github – Published: 2022-05-01 06:59 – Updated: 2025-04-03 04:33Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480.
{
"affected": [],
"aliases": [
"CVE-2006-2453"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2006-05-28T10:06:00Z",
"severity": "HIGH"
},
"details": "Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480.",
"id": "GHSA-xh6g-prc3-64gx",
"modified": "2025-04-03T04:33:15Z",
"published": "2022-05-01T06:59:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2006-2453"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11600"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/286-1"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20254"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20339"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20422"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20457"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/20513"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1016203"
},
{
"type": "WEB",
"url": "http://www.gentoo.org/security/en/glsa/glsa-200606-03.xml"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2006:093"
},
{
"type": "WEB",
"url": "http://www.novell.com/linux/security/advisories/2006-06-02.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/archives/fedora-package-announce/2006-May/msg00119.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/archives/fedora-security-list/2006-May/msg00099.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2006-0541.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/18166"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XH7P-83H3-2GRW
Vulnerability from github – Published: 2022-05-01 17:41 – Updated: 2022-05-01 17:41Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
{
"affected": [],
"aliases": [
"CVE-2007-0017"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-01-03T02:28:00Z",
"severity": "MODERATE"
},
"details": "Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.",
"id": "GHSA-xh7p-83h3-2grw",
"modified": "2022-05-01T17:41:21Z",
"published": "2022-05-01T17:41:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-0017"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31226"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14313"
},
{
"type": "WEB",
"url": "http://applefun.blogspot.com/2007/01/moab-02-01-2007-vlc-media-player-udp.html"
},
{
"type": "WEB",
"url": "http://landonf.bikemonkey.org/code/macosx/MOAB_Day_2.20070103045559.6753.timor.html"
},
{
"type": "WEB",
"url": "http://osvdb.org/31163"
},
{
"type": "WEB",
"url": "http://projects.info-pull.com/moab/MOAB-02-01-2007.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/23592"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/23829"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/23910"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/23971"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200701-24.xml"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1017464"
},
{
"type": "WEB",
"url": "http://trac.videolan.org/vlc/changeset/18481"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2007/dsa-1252"
},
{
"type": "WEB",
"url": "http://www.novell.com/linux/security/advisories/2007_13_xine.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/21852"
},
{
"type": "WEB",
"url": "http://www.via.ecp.fr/via/ml/vlc-devel/2007-01/msg00005.html"
},
{
"type": "WEB",
"url": "http://www.videolan.org/patches/vlc-0.8.6-MOAB-02-01-2007.patch"
},
{
"type": "WEB",
"url": "http://www.videolan.org/sa0701.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/0026"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XH8H-MFRV-W6WH
Vulnerability from github – Published: 2025-12-23 00:30 – Updated: 2025-12-23 00:30SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted environment variables. Attackers can manipulate the username environment variable with format string payloads to potentially execute arbitrary code and crash the application.
{
"affected": [],
"aliases": [
"CVE-2023-53966"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-22T22:16:01Z",
"severity": "CRITICAL"
},
"details": "SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted environment variables. Attackers can manipulate the username environment variable with format string payloads to potentially execute arbitrary code and crash the application.",
"id": "GHSA-xh8h-mfrv-w6wh",
"modified": "2025-12-23T00:30:31Z",
"published": "2025-12-23T00:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53966"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20221207074555/https://www.sound4.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51259"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/sound-linkandshare-transmitter-format-string-stack-buffer-overflow"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XMQ7-7FXM-RR79
Vulnerability from github – Published: 2020-09-25 18:28 – Updated: 2024-10-28 21:23Impact
By controlling the fill argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a printf call is constructed: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/as_string_op.cc#L68-L74
This can result in unexpected output:
In [1]: tf.strings.as_string(input=[1234], width=6, fill='-')
Out[1]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['1234 '], dtype=object)>
In [2]: tf.strings.as_string(input=[1234], width=6, fill='+')
Out[2]: <tf.Tensor: shape=(1,), dtype=string, numpy=array([' +1234'], dtype=object)>
In [3]: tf.strings.as_string(input=[1234], width=6, fill="h")
Out[3]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['%6d'], dtype=object)>
In [4]: tf.strings.as_string(input=[1234], width=6, fill="d")
Out[4]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['12346d'], dtype=object)>
In [5]: tf.strings.as_string(input=[1234], width=6, fill="o")
Out[5]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['23226d'], dtype=object)>
In [6]: tf.strings.as_string(input=[1234], width=6, fill="x")
Out[6]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['4d26d'], dtype=object)>
In [7]: tf.strings.as_string(input=[1234], width=6, fill="g")
Out[7]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['8.67458e-3116d'], dtype=object)>
In [8]: tf.strings.as_string(input=[1234], width=6, fill="a")
Out[8]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['0x0.00ff7eebb4d4p-10226d'], dtype=object)>
In [9]: tf.strings.as_string(input=[1234], width=6, fill="c")
Out[9]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['\xd26d'], dtype=object)>
In [10]: tf.strings.as_string(input=[1234], width=6, fill="p")
Out[10]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['0x4d26d'], dtype=object)>
In [11]: tf.strings.as_string(input=[1234], width=6, fill='m')
Out[11]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['Success6d'], dtype=object)>
However, passing in n or s results in segmentation fault.
Patches
We have patched the issue in 33be22c65d86256e6826666662e40dbdfe70ee83 and will release patch releases for all versions between 1.15 and 2.3.
We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by members of the Aivul Team from Qihoo 360.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.3.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.3.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.3.0"
]
}
],
"aliases": [
"CVE-2020-15203"
],
"database_specific": {
"cwe_ids": [
"CWE-134",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2020-09-25T17:34:02Z",
"nvd_published_at": "2020-09-25T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nBy controlling the `fill` argument of [`tf.strings.as_string`](https://www.tensorflow.org/api_docs/python/tf/strings/as_string), a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a `printf` call is constructed: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/as_string_op.cc#L68-L74\n\nThis can result in unexpected output:\n```python\nIn [1]: tf.strings.as_string(input=[1234], width=6, fill=\u0027-\u0027) \nOut[1]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u00271234 \u0027], dtype=object)\u003e \nIn [2]: tf.strings.as_string(input=[1234], width=6, fill=\u0027+\u0027) \nOut[2]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u0027 +1234\u0027], dtype=object)\u003e \nIn [3]: tf.strings.as_string(input=[1234], width=6, fill=\"h\") \nOut[3]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u0027%6d\u0027], dtype=object)\u003e \nIn [4]: tf.strings.as_string(input=[1234], width=6, fill=\"d\") \nOut[4]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u002712346d\u0027], dtype=object)\u003e \nIn [5]: tf.strings.as_string(input=[1234], width=6, fill=\"o\")\nOut[5]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u002723226d\u0027], dtype=object)\u003e\nIn [6]: tf.strings.as_string(input=[1234], width=6, fill=\"x\")\nOut[6]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u00274d26d\u0027], dtype=object)\u003e\nIn [7]: tf.strings.as_string(input=[1234], width=6, fill=\"g\")\nOut[7]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u00278.67458e-3116d\u0027], dtype=object)\u003e\nIn [8]: tf.strings.as_string(input=[1234], width=6, fill=\"a\")\nOut[8]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u00270x0.00ff7eebb4d4p-10226d\u0027], dtype=object)\u003e\nIn [9]: tf.strings.as_string(input=[1234], width=6, fill=\"c\")\nOut[9]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u0027\\xd26d\u0027], dtype=object)\u003e\nIn [10]: tf.strings.as_string(input=[1234], width=6, fill=\"p\")\nOut[10]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u00270x4d26d\u0027], dtype=object)\u003e\nIn [11]: tf.strings.as_string(input=[1234], width=6, fill=\u0027m\u0027) \nOut[11]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u0027Success6d\u0027], dtype=object)\u003e\n```\n\nHowever, passing in `n` or `s` results in segmentation fault.\n\n### Patches\nWe have patched the issue in 33be22c65d86256e6826666662e40dbdfe70ee83 and will release patch releases for all versions between 1.15 and 2.3.\n\nWe recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by members of the Aivul Team from Qihoo 360.",
"id": "GHSA-xmq7-7fxm-rr79",
"modified": "2024-10-28T21:23:19Z",
"published": "2020-09-25T18:28:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xmq7-7fxm-rr79"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15203"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/33be22c65d86256e6826666662e40dbdfe70ee83"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2020-283.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2020-318.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2020-126.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Denial of Service in Tensorflow"
}
GHSA-XQPV-JVPQ-XJVC
Vulnerability from github – Published: 2023-09-18 03:31 – Updated: 2024-04-04 07:42ASUS router RT-AX88U has a vulnerability of using externally controllable format strings within its Advanced Open VPN function. An authenticated remote attacker can exploit the exported OpenVPN configuration to execute an externally-controlled format string attack, resulting in sensitivity information leakage, or forcing the device to reset and permanent denial of service.
{
"affected": [],
"aliases": [
"CVE-2023-41349"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-18T03:15:08Z",
"severity": "HIGH"
},
"details": "\nASUS router RT-AX88U has a vulnerability of using externally controllable format strings within its Advanced Open VPN function. An authenticated remote attacker can exploit the exported OpenVPN configuration to execute an externally-controlled format string attack, resulting in sensitivity information leakage, or forcing the device to reset and permanent denial of service.\n\n",
"id": "GHSA-xqpv-jvpq-xjvc",
"modified": "2024-04-04T07:42:55Z",
"published": "2023-09-18T03:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41349"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7371-aecf1-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRQ4-CXFP-74J4
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.3 system core component is affected by a format string security vulnerability. An attacker could execute arbitrary code in the context of process memory, potentially escalating their system privileges and taking control over the entire system with root access. IBM X-Force ID: 201474.
{
"affected": [],
"aliases": [
"CVE-2021-29740"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-01T14:15:00Z",
"severity": "HIGH"
},
"details": "IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.3 system core component is affected by a format string security vulnerability. An attacker could execute arbitrary code in the context of process memory, potentially escalating their system privileges and taking control over the entire system with root access. IBM X-Force ID: 201474.",
"id": "GHSA-xrq4-cxfp-74j4",
"modified": "2022-05-24T19:03:44Z",
"published": "2022-05-24T19:03:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29740"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201474"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6457629"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XWHQ-77CP-J75X
Vulnerability from github – Published: 2022-05-17 02:11 – Updated: 2022-05-17 02:11The web management interface in 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point allows remote attackers to cause a denial of service (device crash) via a malformed HTTP POST request.
{
"affected": [],
"aliases": [
"CVE-2008-6395"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-03-04T17:30:00Z",
"severity": "HIGH"
},
"details": "The web management interface in 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point allows remote attackers to cause a denial of service (device crash) via a malformed HTTP POST request.",
"id": "GHSA-xwhq-77cp-j75x",
"modified": "2022-05-17T02:11:21Z",
"published": "2022-05-17T02:11:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6395"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44890"
},
{
"type": "WEB",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064226.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/31714"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/30988"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1020807"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Choose a language that is not subject to this flaw.
Mitigation
Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]
Mitigation
Run compilers and linkers with high warning levels, since they may detect incorrect usage.
CAPEC-135: Format String Injection
An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.
CAPEC-67: String Format Overflow in syslog()
This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.