Common Weakness Enumeration

CWE-237

Allowed

Improper Handling of Structural Elements

Abstraction: Base · Status: Incomplete

The product does not handle or incorrectly handles inputs that are related to complex structures.

7 vulnerabilities reference this CWE, most recent first.

CVE-2025-24336 (GCVE-0-2025-24336)

Vulnerability from cvelistv5 – Published: 2025-01-31 00:02 – Updated: 2025-01-31 17:43
VLAI
Summary
SXF Common Library handles input data improperly. If a product using the library reads a crafted file, the product may be crashed.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-237 - Improper handling of structural elements
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24336",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-31T17:43:37.561152Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-31T17:43:46.505Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SXF Common Library",
          "vendor": "General Incorporated Association OCF",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SXF Common Library handles input data improperly. If a product using the library reads a crafted file, the product may be crashed."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-237",
              "description": "Improper handling of structural elements",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-31T00:02:56.347Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://ocf.or.jp/about/download/sxflibrary"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN23839833/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-24336",
    "datePublished": "2025-01-31T00:02:56.347Z",
    "dateReserved": "2025-01-20T05:53:08.631Z",
    "dateUpdated": "2025-01-31T17:43:46.505Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-34429 (GCVE-0-2023-34429)

Vulnerability from cvelistv5 – Published: 2023-07-19 21:45 – Updated: 2024-10-28 14:29
VLAI
Title
Weintek Weincloud Improper Handling of Structural Elements
Summary
Weintek Weincloud v0.13.6 could allow an attacker to cause a denial-of-service condition for Weincloud by sending a forged JWT token.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-237 - Improper Handling of Structural Elements
Assigner
Impacted products
Vendor Product Version
Weintek Weincloud Affected: 0 , ≤ 0.13.6 (custom)
Create a notification for this product.
Date Public
2023-07-18 17:00
Credits
​Hank Chen (PSIRT and Threat Research of TXOne Networks) reported these vulnerabilities to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:10:07.023Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34429",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-28T14:29:27.447079Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-28T14:29:40.049Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Weincloud",
          "vendor": "Weintek",
          "versions": [
            {
              "lessThanOrEqual": "0.13.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "\u200bHank Chen (PSIRT and Threat Research of TXOne Networks) reported these vulnerabilities to CISA."
        }
      ],
      "datePublic": "2023-07-18T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWeintek Weincloud v\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e0.13.6\u003c/span\u003e\n\n \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eallow an attacker to cause a denial-of-service condition for Weincloud by sending a forged JWT token.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n"
            }
          ],
          "value": "\n\n\nWeintek Weincloud v0.13.6\n\n \n\ncould allow an attacker to cause a denial-of-service condition for Weincloud by sending a forged JWT token.\n\n\n\n\n\n\n\n\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-237",
              "description": "CWE-237 Improper Handling of Structural Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-19T21:45:39.544Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003e\u200bWeintek has updated their account API to v0.13.8, which has fixed the issue. This fix does not require any action for users.\u003c/p\u003e\u003cp\u003e\u200b\u003c/p\u003e"
            }
          ],
          "value": "\n\n\n\n\n\u200bWeintek has updated their account API to v0.13.8, which has fixed the issue. This fix does not require any action for users.\n\n\u200b\n\n"
        }
      ],
      "source": {
        "advisory": "ICSA-23-199-04",
        "discovery": "EXTERNAL"
      },
      "title": "Weintek Weincloud Improper Handling of Structural Elements",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cp\u003eAdditional mitigations are recommended to help reduce risk:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u200bLog in on trusted computers if possible. Log out after usage on un-trusted ones.\u003c/li\u003e\u003cli\u003e\u200bOn the HMIs, if the online services are not used, set to offline mode for EasyAccess 2.0 or Dashboard services using system reserved addresses.\u003c/li\u003e\u003cli\u003e\u200bRegularly change passwords to reduce risks.\u003c/li\u003e\u003cli\u003e\u200bMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible- only applicable devices and/or systems have access to the internet.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "\nAdditional mitigations are recommended to help reduce risk:\n\n  *  \u200bLog in on trusted computers if possible. Log out after usage on un-trusted ones.\n  *  \u200bOn the HMIs, if the online services are not used, set to offline mode for EasyAccess 2.0 or Dashboard services using system reserved addresses.\n  *  \u200bRegularly change passwords to reduce risks.\n  *  \u200bMinimize network exposure for all control system devices and/or systems, and ensure they are not accessible- only applicable devices and/or systems have access to the internet.\n\n\n\n\n\n"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2023-34429",
    "datePublished": "2023-07-19T21:45:39.544Z",
    "dateReserved": "2023-07-13T15:55:48.894Z",
    "dateUpdated": "2024-10-28T14:29:40.049Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6110 (GCVE-0-2023-6110)

Vulnerability from cvelistv5 – Published: 2024-11-17 10:22 – Updated: 2024-12-05 20:30
VLAI
Title
Openstack: deleting a non existing access rule deletes another existing access rule in it's scope
Summary
A flaw was found in OpenStack. When a user tries to delete a non-existing access rule in it's scope, it deletes other existing access rules which are not associated with any application credentials.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-237 - Improper Handling of Structural Elements
Assigner
Impacted products
Vendor Product Version
Red Hat Red Hat OpenStack Platform 17.1 for RHEL 8 Unaffected: 0:5.5.2-17.1.20230829213816.el8ost , < * (rpm)
    cpe:/a:redhat:openstack:17.1::el8
Create a notification for this product.
Red Hat Red Hat OpenStack Platform 17.1 for RHEL 9 Unaffected: 0:5.5.2-17.1.20230829210830.el9ost , < * (rpm)
    cpe:/a:redhat:openstack:17.1::el9
Create a notification for this product.
Red Hat Red Hat OpenStack Platform 16.1     cpe:/a:redhat:openstack:16.1
Create a notification for this product.
Red Hat Red Hat OpenStack Platform 16.2     cpe:/a:redhat:openstack:16.2
Create a notification for this product.
Red Hat Red Hat OpenStack Platform 17.0     cpe:/a:redhat:openstack:17.0
Create a notification for this product.
Red Hat Red Hat OpenStack Platform 18.0     cpe:/a:redhat:openstack:18.0
Create a notification for this product.
Date Public
2024-01-24 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-6110",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-17T16:17:28.263809Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-26T14:38:40.898Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:17.1::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "python-openstackclient",
          "product": "Red Hat OpenStack Platform 17.1 for RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:5.5.2-17.1.20230829213816.el8ost",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:17.1::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "python-openstackclient",
          "product": "Red Hat OpenStack Platform 17.1 for RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:5.5.2-17.1.20230829210830.el9ost",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:16.1"
          ],
          "defaultStatus": "affected",
          "packageName": "openstack-keystone",
          "product": "Red Hat OpenStack Platform 16.1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:16.2"
          ],
          "defaultStatus": "affected",
          "packageName": "openstack-keystone",
          "product": "Red Hat OpenStack Platform 16.2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:17.0"
          ],
          "defaultStatus": "unknown",
          "packageName": "openstack-keystone",
          "product": "Red Hat OpenStack Platform 17.0",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openstack:18.0"
          ],
          "defaultStatus": "affected",
          "packageName": "openstack-keystone",
          "product": "Red Hat OpenStack Platform 18.0",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-01-24T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in OpenStack. When a user tries to delete a non-existing access rule in it\u0027s scope, it deletes other existing access rules which are not associated with any application credentials."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-237",
              "description": "Improper Handling of Structural Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-05T20:30:27.043Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:2737",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2737"
        },
        {
          "name": "RHSA-2024:2769",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2769"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-6110"
        },
        {
          "name": "RHBZ#2212960",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2212960"
        },
        {
          "url": "https://code.engineering.redhat.com/gerrit/gitweb?p=python-openstackclient.git;a=commit;h=7a7c364bdd7b2cd2b56e73724110710a68d58abf"
        },
        {
          "url": "https://review.opendev.org/c/openstack/python-openstackclient/+/888697"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-06-05T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-01-24T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Openstack: deleting a non existing access rule deletes another existing access rule in it\u0027s scope",
      "x_redhatCweChain": "CWE-237: Improper Handling of Structural Elements"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-6110",
    "datePublished": "2024-11-17T10:22:34.776Z",
    "dateReserved": "2023-11-13T19:27:25.305Z",
    "dateUpdated": "2024-12-05T20:30:27.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2PPF-2M6F-6V6F

Vulnerability from github – Published: 2024-11-17 12:30 – Updated: 2024-11-18 20:08
VLAI
Summary
OpenStack improperly deletes access rules
Details

A flaw was found in OpenStack. When a user tries to delete a non-existing access rule in it's scope, it deletes other existing access rules which are not associated with any application credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-openstackclient"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-6110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-237"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-18T20:08:25Z",
    "nvd_published_at": "2024-11-17T11:15:06Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in OpenStack. When a user tries to delete a non-existing access rule in it\u0027s scope, it deletes other existing access rules which are not associated with any application credentials.",
  "id": "GHSA-2ppf-2m6f-6v6f",
  "modified": "2024-11-18T20:08:25Z",
  "published": "2024-11-17T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6110"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/python-openstackclient/commit/bc60e3bb908a7f10c87993d791184bfe46784d6c"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2737"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2769"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-6110"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2212960"
    },
    {
      "type": "WEB",
      "url": "https://code.engineering.redhat.com/gerrit/gitweb?p=python-openstackclient.git;a=commit;h=7a7c364bdd7b2cd2b56e73724110710a68d58abf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/python-openstackclient"
    },
    {
      "type": "WEB",
      "url": "https://review.opendev.org/c/openstack/python-openstackclient/+/888697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": " OpenStack improperly deletes access rules"
}

GHSA-6M9G-JR8C-CQW3

Vulnerability from github – Published: 2020-04-29 17:12 – Updated: 2024-09-04 19:55
VLAI
Summary
Depth counting error in guard() leading to multiple potential security issues in aioxmpp
Details

Impact

Possible remote Denial of Service or Data Injection.

Patches

Patches are available in https://github.com/horazont/aioxmpp/pull/268. They have been backported to the 0.10 release series and 0.10.3 is the first release to contain the fix.

Workarounds

To make the bug exploitable, an error suppressing xso_error_handler is required. By not using xso_error_handlers or not using the suppression function, the vulnerability can be mitigated completely (to our knowledge).

References

The pull request contains a detailed description: https://github.com/horazont/aioxmpp/pull/268

For more information

If you have any questions or comments about this advisory: * Join our chat * Email the maintainer Jonas Schäfer

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aioxmpp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-1000007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-237"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-04-29T17:12:16Z",
    "nvd_published_at": "2019-02-04T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nPossible remote Denial of Service or Data Injection.\n\n### Patches\nPatches are available in https://github.com/horazont/aioxmpp/pull/268. They have been backported to the 0.10 release series and 0.10.3 is the first release to contain the fix.\n\n### Workarounds\nTo make the bug exploitable, an error suppressing ``xso_error_handler`` is required. By not using ``xso_error_handlers`` or not using the suppression function, the vulnerability can be mitigated completely (to our knowledge).\n\n### References\nThe pull request contains a detailed description: https://github.com/horazont/aioxmpp/pull/268\n\n### For more information\nIf you have any questions or comments about this advisory:\n* [Join our chat](xmpp:aioxmpp@conference.zombofant.net?join)\n* Email the maintainer [Jonas Sch\u00e4fer](mailto:jonas@wielicki.name)",
  "id": "GHSA-6m9g-jr8c-cqw3",
  "modified": "2024-09-04T19:55:01Z",
  "published": "2020-04-29T17:12:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/horazont/aioxmpp/security/advisories/GHSA-6m9g-jr8c-cqw3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1000007"
    },
    {
      "type": "WEB",
      "url": "https://github.com/horazont/aioxmpp/pull/268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/horazont/aioxmpp/commit/29ff0838a40f58efe30a4bbcea95aa8dab7da475"
    },
    {
      "type": "WEB",
      "url": "https://github.com/horazont/aioxmpp/commit/f151f920f439d97d4103fc11057ed6dc34fe98be"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-6m9g-jr8c-cqw3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/horazont/aioxmpp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/aioxmpp/PYSEC-2019-1.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Depth counting error in guard() leading to multiple potential security issues in aioxmpp"
}

GHSA-CG49-M89Q-2J7Q

Vulnerability from github – Published: 2025-01-31 00:30 – Updated: 2025-01-31 00:30
VLAI
Details

SXF Common Library handles input data improperly. If a product using the library reads a crafted file, the product may be crashed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24336"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-237"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-31T00:15:20Z",
    "severity": "LOW"
  },
  "details": "SXF Common Library handles input data improperly. If a product using the library reads a crafted file, the product may be crashed.",
  "id": "GHSA-cg49-m89q-2j7q",
  "modified": "2025-01-31T00:30:45Z",
  "published": "2025-01-31T00:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24336"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN23839833"
    },
    {
      "type": "WEB",
      "url": "https://ocf.or.jp/about/download/sxflibrary"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WF6P-C35G-P4CW

Vulnerability from github – Published: 2023-07-20 00:30 – Updated: 2024-04-04 06:17
VLAI
Details

Weintek Weincloud v0.13.6

could allow an attacker to cause a denial-of-service condition for Weincloud by sending a forged JWT token.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34429"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-237"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-19T22:15:11Z",
    "severity": "HIGH"
  },
  "details": "\n\n\nWeintek Weincloud v0.13.6\n\n \n\ncould allow an attacker to cause a denial-of-service condition for Weincloud by sending a forged JWT token.\n\n\n\n\n\n\n\n\n\n",
  "id": "GHSA-wf6p-c35g-p4cw",
  "modified": "2024-04-04T06:17:23Z",
  "published": "2023-07-20T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34429"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.