Common Weakness Enumeration

CWE-228

Allowed-with-Review

Improper Handling of Syntactically Invalid Structure

Abstraction: Class · Status: Incomplete

The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification.

35 vulnerabilities reference this CWE, most recent first.

CVE-2024-6382 (GCVE-0-2024-6382)

Vulnerability from cvelistv5 – Published: 2024-07-02 17:17 – Updated: 2024-08-01 21:41
VLAI
Title
Adversarial unsanitized input may cause MongoDB Rust Driver to issue unintended commands.
Summary
Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-228 - Improper Handling of Syntactically Invalid Structure
Assigner
References
Impacted products
Vendor Product Version
MongoDB Inc MongoDB Rust Driver Affected: 2.0 , < 2.8.2 (custom)
    cpe:2.3:a:mongodb:rust-driver:2.0.0:alpha:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.0.0:alpha1:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.0.0:beta:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.0.0:beta1:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.0.0:beta2:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.0.0:beta3:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.0.0:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.0.1:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.0.2:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.1.0:beta:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.1.0:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.2.0:beta:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.2.0:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.2.1:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.2.2:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.2.3:beta:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.3.0:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.3.1:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.4.0:beta:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.4.0:beta2:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.4.0:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.5.0:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.6.0:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.6.1:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.7.0:beta:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.7.0:beta1:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.7.0:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.7.1:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.8.0:*:*:*:*:mongodb:*:*
    cpe:2.3:a:mongodb:rust-driver:2.8.1:*:*:*:*:mongodb:*:*
Create a notification for this product.
Date Public
2024-07-02 17:17
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6382",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-02T19:25:24.875879Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-02T19:38:21.077Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:41:03.220Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jira.mongodb.org/browse/RUST-1881"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:mongodb:rust-driver:2.0.0:alpha:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.0.0:alpha1:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.0.0:beta:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.0.0:beta1:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.0.0:beta2:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.0.0:beta3:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.0.0:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.0.1:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.0.2:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.1.0:beta:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.1.0:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.2.0:beta:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.2.0:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.2.1:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.2.2:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.2.3:beta:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.3.0:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.3.1:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.4.0:beta:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.4.0:beta2:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.4.0:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.5.0:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.6.0:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.6.1:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.7.0:beta:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.7.0:beta1:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.7.0:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.7.1:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.8.0:*:*:*:*:mongodb:*:*",
            "cpe:2.3:a:mongodb:rust-driver:2.8.1:*:*:*:*:mongodb:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "MongoDB Rust Driver",
          "vendor": "MongoDB Inc",
          "versions": [
            {
              "lessThan": "2.8.2",
              "status": "affected",
              "version": "2.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2024-07-02T17:17:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIncorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2\u003c/p\u003e"
            }
          ],
          "value": "Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-228",
              "description": "CWE-228: Improper Handling of Syntactically Invalid Structure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-02T17:17:50.237Z",
        "orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
        "shortName": "mongodb"
      },
      "references": [
        {
          "url": "https://jira.mongodb.org/browse/RUST-1881"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Adversarial unsanitized input may cause MongoDB Rust Driver to issue unintended commands.",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb",
    "assignerShortName": "mongodb",
    "cveId": "CVE-2024-6382",
    "datePublished": "2024-07-02T17:17:50.237Z",
    "dateReserved": "2024-06-27T08:37:36.558Z",
    "dateUpdated": "2024-08-01T21:41:03.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-42784 (GCVE-0-2023-42784)

Vulnerability from cvelistv5 – Published: 2025-03-11 14:54 – Updated: 2025-03-11 16:10
VLAI
Summary
An improper handling of syntactically invalid structure in Fortinet FortiWeb at least verions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-228 - Execute unauthorized code or commands
Assigner
References
Impacted products
Vendor Product Version
Fortinet FortiWeb Affected: 7.4.0 , ≤ 7.4.7 (semver)
Affected: 7.2.0 , ≤ 7.2.10 (semver)
Affected: 7.0.0 , ≤ 7.0.10 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-42784",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-11T16:10:51.450991Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-11T16:10:57.143Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [],
          "defaultStatus": "unaffected",
          "product": "FortiWeb",
          "vendor": "Fortinet",
          "versions": [
            {
              "lessThanOrEqual": "7.4.7",
              "status": "affected",
              "version": "7.4.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.2.10",
              "status": "affected",
              "version": "7.2.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.10",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An improper handling of syntactically invalid structure in Fortinet FortiWeb at least verions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F/RL:X/RC:X",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-228",
              "description": "Execute unauthorized code or commands",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-11T14:54:28.924Z",
        "orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
        "shortName": "fortinet"
      },
      "references": [
        {
          "name": "https://fortiguard.fortinet.com/psirt/FG-IR-23-115",
          "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-115"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Please upgrade to FortiWeb version 7.6.0 or above"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
    "assignerShortName": "fortinet",
    "cveId": "CVE-2023-42784",
    "datePublished": "2025-03-11T14:54:28.924Z",
    "dateReserved": "2023-09-14T08:37:38.656Z",
    "dateUpdated": "2025-03-11T16:10:57.143Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-38443 (GCVE-0-2021-38443)

Vulnerability from cvelistv5 – Published: 2022-05-05 15:16 – Updated: 2025-04-16 16:23
VLAI
Title
Eclipse CycloneDDS Improper Handling of Syntactically Invalid Structure
Summary
Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-228 - Improper Handling of Syntactically Invalid Structure
Assigner
References
Impacted products
Vendor Product Version
Eclipse CycloneDDS Affected: unspecified , < 0.8.0 (custom)
Create a notification for this product.
Credits
Federico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), Víctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to this research.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T01:44:22.345Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://projects.eclipse.org/projects/iot.cyclonedds"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-38443",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T15:52:55.764048Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T16:23:56.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CycloneDDS",
          "vendor": "Eclipse",
          "versions": [
            {
              "lessThan": "0.8.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Federico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), V\u00edctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to this research."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-228",
              "description": "CWE-228 Improper Handling of Syntactically Invalid Structure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-05T15:16:53.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://projects.eclipse.org/projects/iot.cyclonedds"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Eclipse recommends users apply the latest CycloneDDS patches.\nhttps://projects.eclipse.org/projects/iot.cyclonedds"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Eclipse CycloneDDS Improper Handling of Syntactically Invalid Structure",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2021-38443",
          "STATE": "PUBLIC",
          "TITLE": "Eclipse CycloneDDS Improper Handling of Syntactically Invalid Structure"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CycloneDDS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "0.8.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Eclipse"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Federico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), V\u00edctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to this research."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-228 Improper Handling of Syntactically Invalid Structure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02",
              "refsource": "CONFIRM",
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02"
            },
            {
              "name": "https://projects.eclipse.org/projects/iot.cyclonedds",
              "refsource": "CONFIRM",
              "url": "https://projects.eclipse.org/projects/iot.cyclonedds"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Eclipse recommends users apply the latest CycloneDDS patches.\nhttps://projects.eclipse.org/projects/iot.cyclonedds"
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-38443",
    "datePublished": "2022-05-05T15:16:53.000Z",
    "dateReserved": "2021-08-10T00:00:00.000Z",
    "dateUpdated": "2025-04-16T16:23:56.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-36199 (GCVE-0-2021-36199)

Vulnerability from cvelistv5 – Published: 2022-01-14 19:10 – Updated: 2024-09-16 18:44
VLAI
Title
VideoEdge
Summary
Running a vulnerability scanner against VideoEdge NVRs can cause some functionality to stop.
CWE
  • CWE-228 - Improper Handling of Syntactically Invalid Structure
Assigner
jci
References
URL Tags
https://www.johnsoncontrols.com/cyber-solutions/s… x_refsource_CONFIRM
https://us-cert.gov/ics/advisories/ICSA-22-011-01 third-party-advisoryx_refsource_CERT
Impacted products
Vendor Product Version
Johnson Controls VideoEdge Affected: 5.4.1 to 5.7.1
Create a notification for this product.
Date Public
2022-01-11 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:54:50.683Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
          },
          {
            "name": "ICS-CERT Advisory",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT",
              "x_transferred"
            ],
            "url": "https://us-cert.gov/ics/advisories/ICSA-22-011-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "VideoEdge",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "status": "affected",
              "version": "5.4.1 to 5.7.1"
            }
          ]
        }
      ],
      "datePublic": "2022-01-11T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Running a vulnerability scanner against VideoEdge NVRs can cause some functionality to stop."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-228",
              "description": "CWE-228: Improper Handling of Syntactically Invalid Structure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-14T19:10:42.000Z",
        "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "shortName": "jci"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
        },
        {
          "name": "ICS-CERT Advisory",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT"
          ],
          "url": "https://us-cert.gov/ics/advisories/ICSA-22-011-01"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update VideoEdge with hot fix for versions 5.4.1 to 5.7.1 or upgrade VideoEdge to version 5.9."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "VideoEdge",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "productsecurity@jci.com",
          "DATE_PUBLIC": "2022-01-11T19:30:00.000Z",
          "ID": "CVE-2021-36199",
          "STATE": "PUBLIC",
          "TITLE": "VideoEdge"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "VideoEdge",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_name": "5.4.1 to 5.7.1",
                            "version_value": "5.4.1 to 5.7.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Johnson Controls"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Running a vulnerability scanner against VideoEdge NVRs can cause some functionality to stop."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-228: Improper Handling of Syntactically Invalid Structure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
              "refsource": "CONFIRM",
              "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
            },
            {
              "name": "ICS-CERT Advisory",
              "refsource": "CERT",
              "url": "https://us-cert.gov/ics/advisories/ICSA-22-011-01"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update VideoEdge with hot fix for versions 5.4.1 to 5.7.1 or upgrade VideoEdge to version 5.9."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
    "assignerShortName": "jci",
    "cveId": "CVE-2021-36199",
    "datePublished": "2022-01-14T19:10:42.869Z",
    "dateReserved": "2021-07-06T00:00:00.000Z",
    "dateUpdated": "2024-09-16T18:44:18.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-27847 (GCVE-0-2020-27847)

Vulnerability from cvelistv5 – Published: 2021-05-28 10:20 – Updated: 2024-08-04 16:25
VLAI
Summary
A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0.
Severity
No CVSS data available.
CWE
Assigner
Impacted products
Vendor Product Version
n/a dexidp/dex Affected: dex 2.27.0
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:25:43.583Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907732"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dexidp/dex",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "dex 2.27.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-228",
              "description": "CWE-228-\u003eCWE-290",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-28T10:20:35.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907732"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-27847",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "dexidp/dex",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "dex 2.27.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-228-\u003eCWE-290"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/",
              "refsource": "MISC",
              "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1907732",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907732"
            },
            {
              "name": "https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5",
              "refsource": "MISC",
              "url": "https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-27847",
    "datePublished": "2021-05-28T10:20:35.000Z",
    "dateReserved": "2020-10-27T00:00:00.000Z",
    "dateUpdated": "2024-08-04T16:25:43.583Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-5381 (GCVE-0-2018-5381)

Vulnerability from cvelistv5 – Published: 2018-02-19 13:00 – Updated: 2024-09-16 16:17
VLAI
Summary
The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service.
CWE
  • CWE-228 - Improper Handling of Syntactically Invalid Structure
Assigner
References
URL Tags
https://gogs.quagga.net/Quagga/quagga/src/master/… x_refsource_CONFIRM
https://usn.ubuntu.com/3573-1/ vendor-advisoryx_refsource_UBUNTU
https://www.debian.org/security/2018/dsa-4115 vendor-advisoryx_refsource_DEBIAN
http://savannah.nongnu.org/forum/forum.php?forum_… x_refsource_CONFIRM
https://security.gentoo.org/glsa/201804-17 vendor-advisoryx_refsource_GENTOO
https://lists.debian.org/debian-lts-announce/2018… mailing-listx_refsource_MLIST
http://www.kb.cert.org/vuls/id/940439 third-party-advisoryx_refsource_CERT-VN
https://cert-portal.siemens.com/productcert/pdf/s… x_refsource_CONFIRM
Impacted products
Vendor Product Version
Quagga bgpd Affected: bpgd , < 1.2.3 (custom)
Create a notification for this product.
Date Public
2018-02-15 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T05:33:44.219Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1975.txt"
          },
          {
            "name": "USN-3573-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3573-1/"
          },
          {
            "name": "DSA-4115",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4115"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://savannah.nongnu.org/forum/forum.php?forum_id=9095"
          },
          {
            "name": "GLSA-201804-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201804-17"
          },
          {
            "name": "[debian-lts-announce] 20180216 [SECURITY] [DLA 1286-1] quagga security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00021.html"
          },
          {
            "name": "VU#940439",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/940439"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bgpd",
          "vendor": "Quagga",
          "versions": [
            {
              "lessThan": "1.2.3",
              "status": "affected",
              "version": "bpgd",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2018-02-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of \"Capabilities\" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-228",
              "description": "CWE-228: Improper Handling of Syntactically Invalid Structure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-09T12:06:07.000Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1975.txt"
        },
        {
          "name": "USN-3573-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3573-1/"
        },
        {
          "name": "DSA-4115",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4115"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://savannah.nongnu.org/forum/forum.php?forum_id=9095"
        },
        {
          "name": "GLSA-201804-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201804-17"
        },
        {
          "name": "[debian-lts-announce] 20180216 [SECURITY] [DLA 1286-1] quagga security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00021.html"
        },
        {
          "name": "VU#940439",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/940439"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "DATE_PUBLIC": "2018-02-15T00:00:00.000Z",
          "ID": "CVE-2018-5381",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "bgpd",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_name": "bpgd",
                            "version_value": "1.2.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Quagga"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of \"Capabilities\" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-228: Improper Handling of Syntactically Invalid Structure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1975.txt",
              "refsource": "CONFIRM",
              "url": "https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1975.txt"
            },
            {
              "name": "USN-3573-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3573-1/"
            },
            {
              "name": "DSA-4115",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4115"
            },
            {
              "name": "http://savannah.nongnu.org/forum/forum.php?forum_id=9095",
              "refsource": "CONFIRM",
              "url": "http://savannah.nongnu.org/forum/forum.php?forum_id=9095"
            },
            {
              "name": "GLSA-201804-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201804-17"
            },
            {
              "name": "[debian-lts-announce] 20180216 [SECURITY] [DLA 1286-1] quagga security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00021.html"
            },
            {
              "name": "VU#940439",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/940439"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2018-5381",
    "datePublished": "2018-02-19T13:00:00.000Z",
    "dateReserved": "2018-01-12T00:00:00.000Z",
    "dateUpdated": "2024-09-16T16:17:27.709Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2X32-JM95-2CPX

Vulnerability from github – Published: 2021-12-20 17:52 – Updated: 2021-06-01 17:58
VLAI
Summary
Authentication Bypass in dex
Details

A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/dexidp/dex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.27.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-27847"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-228",
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-01T17:58:22Z",
    "nvd_published_at": "2021-05-28T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability exists in the SAML connector of the github.com/dexidp/dex library used to process SAML Signature Validation. This flaw allows an attacker to bypass SAML authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This flaw affects dex versions before 2.27.0.",
  "id": "GHSA-2x32-jm95-2cpx",
  "modified": "2021-06-01T17:58:22Z",
  "published": "2021-12-20T17:52:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27847"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1907732"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authentication Bypass in dex"
}

GHSA-32JF-H775-G29H

Vulnerability from github – Published: 2024-07-02 21:32 – Updated: 2025-10-02 21:35
VLAI
Summary
MongoDB Rust driver may issue unintended commands
Details

Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "mongodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6382"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-228"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-02T21:35:38Z",
    "nvd_published_at": "2024-07-02T18:15:04Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect handling of certain string inputs may result in MongoDB Rust driver constructing unintended server commands. This may cause unexpected application behavior including data modification. This issue affects MongoDB Rust Driver 2.0 versions prior to 2.8.2",
  "id": "GHSA-32jf-h775-g29h",
  "modified": "2025-10-02T21:35:39Z",
  "published": "2024-07-02T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6382"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-rust-driver/pull/1045"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-rust-driver/commit/8eac3bc6dc37a6d7667ed6c1a895c224e3ff47e1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mongodb/mongo-rust-driver/commit/a3fe6c84ce6287348b1268f651fdac9fbed66187"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mongodb/mongo-rust-driver"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/RUST-1881"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MongoDB Rust driver may issue unintended commands"
}

GHSA-3W7P-3W6W-7FPG

Vulnerability from github – Published: 2024-04-22 12:30 – Updated: 2024-07-03 18:36
VLAI
Details

An issue in the communication protocol of Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to cause a Denial of Service (DoS) via crafted commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-228"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-22T12:15:07Z",
    "severity": "MODERATE"
  },
  "details": "An issue in the communication protocol of Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to cause a Denial of Service (DoS) via crafted commands.",
  "id": "GHSA-3w7p-3w6w-7fpg",
  "modified": "2024-07-03T18:36:23Z",
  "published": "2024-04-22T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22815"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/VcuCyber/51075894d1728db07fc2df286c003df9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5WR9-JP8M-F367

Vulnerability from github – Published: 2025-03-11 15:31 – Updated: 2025-03-11 15:31
VLAI
Details

An improper handling of syntactically invalid structure in Fortinet FortiWeb at least verions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-228"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-11T15:15:40Z",
    "severity": "MODERATE"
  },
  "details": "An improper handling of syntactically invalid structure in Fortinet FortiWeb at least verions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests.",
  "id": "GHSA-5wr9-jp8m-f367",
  "modified": "2025-03-11T15:31:01Z",
  "published": "2025-03-11T15:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42784"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.