Common Weakness Enumeration

CWE-155

Allowed

Improper Neutralization of Wildcards or Matching Symbols

Abstraction: Variant · Status: Draft

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.

31 vulnerabilities reference this CWE, most recent first.

GHSA-477Q-5HXF-4XR2

Vulnerability from github – Published: 2024-03-19 09:30 – Updated: 2024-11-08 09:30
VLAI
Details

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0054"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-19T07:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi\u00a0was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS\nversions for the highlighted flaw. Please refer to the Axis security advisory\nfor more information and solution.\n\n",
  "id": "GHSA-477q-5hxf-4xr2",
  "modified": "2024-11-08T09:30:30Z",
  "published": "2024-03-19T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0054"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/76/f3/1d/cve-2024-0054-en-US-432116.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59RF-FQ39-RH6X

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2023-08-31 03:30
VLAI
Details

It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-1772"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-27T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "It\u0027s possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.",
  "id": "GHSA-59rf-fq39-rh6x",
  "modified": "2023-08-31T03:30:36Z",
  "published": "2022-05-24T17:12:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1772"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-09"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5F55-V7C2-39W2

Vulnerability from github – Published: 2024-09-11 18:31 – Updated: 2024-10-03 00:30
VLAI
Details

An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators) with access to the CLI to to read arbitrary files on the firewall.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-11T17:15:14Z",
    "severity": "MODERATE"
  },
  "details": "An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators) with access to the CLI to to read arbitrary files on the firewall.",
  "id": "GHSA-5f55-v7c2-39w2",
  "modified": "2024-10-03T00:30:40Z",
  "published": "2024-09-11T18:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8688"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2024-8688"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5PPP-5MCP-FQFV

Vulnerability from github – Published: 2024-03-19 09:30 – Updated: 2024-03-19 09:30
VLAI
Details

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0055"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-19T07:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.\n",
  "id": "GHSA-5ppp-5mcp-fqfv",
  "modified": "2024-03-19T09:30:32Z",
  "published": "2024-03-19T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0055"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/c4/00/c5/cve-2024-0055-en-US-432117.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-78FX-H6XR-VCH4

Vulnerability from github – Published: 2025-03-05 19:09 – Updated: 2025-03-12 21:29
VLAI
Summary
Laravel has a File Validation Bypass
Details

When using wildcard validation to validate a given file or image field array (files.*), a user-crafted malicious request could potentially bypass the validation rules.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laravel/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laravel/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.44.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laravel/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.48.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27515"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-05T19:09:39Z",
    "nvd_published_at": "2025-03-05T19:15:39Z",
    "severity": "MODERATE"
  },
  "details": "When using wildcard validation to validate a given file or image field array (`files.*`), a user-crafted malicious request could potentially bypass the validation rules.",
  "id": "GHSA-78fx-h6xr-vch4",
  "modified": "2025-03-12T21:29:27Z",
  "published": "2025-03-05T19:09:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27515"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/framework/commit/a4f7a8f9b83e21882abeef78c3174c66b0f4a26b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/laravel/framework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Laravel has a File Validation Bypass"
}

GHSA-7P8F-8HJM-WM92

Vulnerability from github – Published: 2022-01-13 15:05 – Updated: 2022-01-13 15:02
VLAI
Summary
Lookup operations do not take into account wildcards in SpiceDB
Details

Impact

Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion.

For example, given schema:

definition user {}

definition resource {
   relation viewer: user
   relation banned: user | user:*
   permission view = viewer - banned
}

If user:* is placed into the banned relation for a particular resource, view should return false for all resources. in v1.3.0, the wildcard is ignored entirely in lookup's dispatch, resulting in the banned wildcard being ignored in the exclusion.

Workarounds

Don't make use of wildcards on the right side of intersections or within exclusions.

References

https://github.com/authzed/spicedb/issues/358

For more information

If you have any questions or comments about this advisory: * Open an issue in SpiceDB * Ask a question in the SpiceDB Discord

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/authzed/spicedb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.3.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-11T21:06:45Z",
    "nvd_published_at": "2022-01-11T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAny user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as \"accessible\" if it is *not* accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion.\n\nFor example, given schema:\n\n```zed\ndefinition user {}\n\ndefinition resource {\n   relation viewer: user\n   relation banned: user | user:*\n   permission view = viewer - banned\n}\n```\n\nIf `user:*` is placed into the `banned` relation for a particular resource, `view` should return false for *all* resources. in `v1.3.0`, the wildcard is ignored entirely in lookup\u0027s dispatch, resulting in the `banned` wildcard being ignored in the exclusion.\n\n### Workarounds\nDon\u0027t make use of wildcards on the right side of intersections or within exclusions. \n\n### References\nhttps://github.com/authzed/spicedb/issues/358\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [SpiceDB](https://github.com/authzed/spicedb)\n* Ask a question in the [SpiceDB Discord](https://authzed.com/discord)\n",
  "id": "GHSA-7p8f-8hjm-wm92",
  "modified": "2022-01-13T15:02:31Z",
  "published": "2022-01-13T15:05:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21646"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/issues/358"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/authzed/spicedb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/authzed/spicedb/releases/tag/v1.4.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Lookup operations do not take into account wildcards in SpiceDB"
}

GHSA-CCRR-HX7G-HMM4

Vulnerability from github – Published: 2024-09-10 06:30 – Updated: 2024-11-29 06:35
VLAI
Details

Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-10T05:15:12Z",
    "severity": "MODERATE"
  },
  "details": "Marinus Pfund, member of the AXIS OS Bug Bounty Program, \nhas found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. \nAxis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.",
  "id": "GHSA-ccrr-hx7g-hmm4",
  "modified": "2024-11-29T06:35:28Z",
  "published": "2024-09-10T06:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6509"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/47/bf/2c/cve-2024-6509-en-US-448996.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.axis.com/dam/public/f6/c6/f5/cve-2024-6509-en-US-458043.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F339-MQQR-7GVR

Vulnerability from github – Published: 2024-12-06 21:30 – Updated: 2024-12-06 21:30
VLAI
Details

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to partial possible topics in Ruijie MQTT broker, and receive partial messages being sent to and from devices.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-06T19:15:12Z",
    "severity": "HIGH"
  },
  "details": "Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to partial possible topics in Ruijie MQTT broker, and receive partial messages being sent to and from devices.",
  "id": "GHSA-f339-mqqr-7gvr",
  "modified": "2024-12-06T21:30:39Z",
  "published": "2024-12-06T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47791"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FC89-JGHX-8PVG

Vulnerability from github – Published: 2025-01-30 17:52 – Updated: 2025-02-05 16:23
VLAI
Summary
KubeWarden's AdmissionPolicy and AdmissionPolicyGroup policies can be used to alter PolicyReport resources
Details

Impact

By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy. There might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature. For example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. See this section of Kubewarden’s documentation for more details about PolicyReport resources. An attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects to hide non-compliant resources. Moreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside of the namespace.

Patches

Starting from the 1.21.0 release, the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources. The new validation will also restrict the usage of wildcards when defining apiGroups and resources rules for AdmissionPolicy and AdmissionPolicyGroup objects.

Workarounds

On clusters running Kubewarden < 1.21.0, the following Kubewarden policy can be applied to prevent the creation of AdmissionPolicy and AdmissionPolicyGroup resources that interact with PolicyReport resources:

apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: "deny-interaction-with-policyreport"
spec:
  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
  settings:
    variables:
      - name: hasWildcardInsideOfApiGroup
        expression: "object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == '*'))"
      - name: hasWildcardInsideOfResources
        expression: "object.spec.rules.exists(r, r.resources.exists(ag, ag == '*' || ag == '*/*' || ag == 'policyreports/*'))"
      - name: dealsWithPolicyReportApiGroup
        expression: "object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == 'wgpolicyk8s.io'))"
      - name: dealsWithPolicyReportResource
        expression: "object.spec.rules.exists(r, r.resources.exists(ag, ag == 'policyreports' || ag == 'policyreports/'))"
      - name: isPendingDeletion
        expression: "has(object.metadata.deletionTimestamp)"
    validations:
      - expression: |
          !( variables.hasWildcardInsideOfApiGroup ||
             variables.hasWildcardInsideOfResources ||
             variables.dealsWithPolicyReportResource ||
             variables.dealsWithPolicyReportApiGroup
          ) || variables.isPendingDeletion
        message: "cannot target PolicyReport resources or use wildcards in apiGroups or resources"
  rules:
    - apiGroups: ["policies.kubewarden.io"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["admissionpolicies", "admissionpolicygroups"]
  mutating: false
  backgroundAudit: true

For more information

If you have any questions or comments about this advisory you can contact the Kubewarden team using the procedures described under the “security disclosure“ guidelines of the Kubewarden project.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/kubewarden/kubewarden-controller"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-30T17:52:37Z",
    "nvd_published_at": "2025-01-30T16:15:31Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nBy design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy.\nThere might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature.\nFor example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. See [this section](https://docs.kubewarden.io/explanations/audit-scanner/policy-reports) of Kubewarden\u2019s documentation for more details about PolicyReport resources.\nAn attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects to hide non-compliant resources.\nMoreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside of the namespace.\n\n### Patches\n\nStarting from the 1.21.0 release, the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources.\nThe new validation will also restrict the usage of wildcards when defining apiGroups and resources rules for AdmissionPolicy and AdmissionPolicyGroup objects.\n\n### Workarounds\n\nOn clusters running Kubewarden \u003c 1.21.0, the following Kubewarden policy can be applied to prevent the creation of AdmissionPolicy and AdmissionPolicyGroup resources that interact with PolicyReport resources:\n\n```yaml\napiVersion: policies.kubewarden.io/v1\nkind: ClusterAdmissionPolicy\nmetadata:\n  name: \"deny-interaction-with-policyreport\"\nspec:\n  module: registry://ghcr.io/kubewarden/policies/cel-policy:latest\n  settings:\n    variables:\n      - name: hasWildcardInsideOfApiGroup\n        expression: \"object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == \u0027*\u0027))\"\n      - name: hasWildcardInsideOfResources\n        expression: \"object.spec.rules.exists(r, r.resources.exists(ag, ag == \u0027*\u0027 || ag == \u0027*/*\u0027 || ag == \u0027policyreports/*\u0027))\"\n      - name: dealsWithPolicyReportApiGroup\n        expression: \"object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == \u0027wgpolicyk8s.io\u0027))\"\n      - name: dealsWithPolicyReportResource\n        expression: \"object.spec.rules.exists(r, r.resources.exists(ag, ag == \u0027policyreports\u0027 || ag == \u0027policyreports/\u0027))\"\n      - name: isPendingDeletion\n        expression: \"has(object.metadata.deletionTimestamp)\"\n    validations:\n      - expression: |\n          !( variables.hasWildcardInsideOfApiGroup ||\n             variables.hasWildcardInsideOfResources ||\n             variables.dealsWithPolicyReportResource ||\n             variables.dealsWithPolicyReportApiGroup\n          ) || variables.isPendingDeletion\n        message: \"cannot target PolicyReport resources or use wildcards in apiGroups or resources\"\n  rules:\n    - apiGroups: [\"policies.kubewarden.io\"]\n      apiVersions: [\"v1\"]\n      operations: [\"CREATE\", \"UPDATE\"]\n      resources: [\"admissionpolicies\", \"admissionpolicygroups\"]\n  mutating: false\n  backgroundAudit: true\n```\n\n### For more information\n\nIf you have any questions or comments about this advisory you can contact the Kubewarden team using the procedures described under the \u201c[security disclosure](https://docs.kubewarden.io/disclosure)\u201c guidelines of the Kubewarden project.",
  "id": "GHSA-fc89-jghx-8pvg",
  "modified": "2025-02-05T16:23:59Z",
  "published": "2025-01-30T17:52:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kubewarden/kubewarden-controller/security/advisories/GHSA-fc89-jghx-8pvg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24376"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubewarden/kubewarden-controller/commit/8124039b5f0c955d0ee8c8ca12d4415282f02d2c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubewarden/kubewarden-controller"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3434"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "KubeWarden\u0027s AdmissionPolicy and AdmissionPolicyGroup policies can be used to alter PolicyReport resources"
}

GHSA-R6WV-X735-W2V5

Vulnerability from github – Published: 2025-01-11 03:30 – Updated: 2026-01-23 22:06
VLAI
Details

A wildcard expansion vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to enumerate files on the host filesystem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-155"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-11T03:15:22Z",
    "severity": "MODERATE"
  },
  "details": "A wildcard expansion vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to enumerate files on the host filesystem.",
  "id": "GHSA-r6wv-x735-w2v5",
  "modified": "2026-01-23T22:06:23Z",
  "published": "2025-01-11T03:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0106"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/PAN-SA-2025-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation

Developers should anticipate that wildcard or matching elements will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-28
Implementation

Strategy: Output Encoding

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.