CWE-349
AllowedAcceptance of Extraneous Untrusted Data With Trusted Data
Abstraction: Base · Status: Draft
The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
76 vulnerabilities reference this CWE, most recent first.
CVE-2019-9535 (GCVE-0-2019-9535)
Vulnerability from cvelistv5 – Published: 2019-10-09 19:15 – Updated: 2024-09-17 02:11| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/763073/ | third-party-advisoryx_refsource_CERT-VN |
| https://blog.mozilla.org/security/2019/10/09/iter… | x_refsource_MISC |
| https://groups.google.com/forum/#%21topic/iterm2-… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T21:54:44.484Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VU#763073",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "https://kb.cert.org/vuls/id/763073/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://groups.google.com/forum/#%21topic/iterm2-discuss/57k_AuLdQa4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iTerm2",
"vendor": "iTerm2",
"versions": [
{
"lessThanOrEqual": "3.3.5",
"status": "affected",
"version": "3.3.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Thanks to Stefan Gr\u00f6nke and Fabian Freyer of Radically Open Security for finding this vulnerability, the Mozilla Open Source Support (MOSS) project for supporting the audit, and George Nachman of iTerm2 for developing the fix, and all parties for coordinating this vulnerability."
}
],
"datePublic": "2019-10-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability exists in the way that iTerm2 integrates with tmux\u0027s control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5. This vulnerability may allow an attacker to execute arbitrary commands on their victim\u0027s computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-09T19:15:44.000Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"name": "VU#763073",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "https://kb.cert.org/vuls/id/763073/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://groups.google.com/forum/#%21topic/iterm2-discuss/57k_AuLdQa4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution",
"workarounds": [
{
"lang": "en",
"value": "Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.8"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"DATE_PUBLIC": "2019-10-09T04:00:00.000Z",
"ID": "CVE-2019-9535",
"STATE": "PUBLIC",
"TITLE": "iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iTerm2",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.3.5",
"version_value": "3.3.5"
}
]
}
}
]
},
"vendor_name": "iTerm2"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Thanks to Stefan Gr\u00f6nke and Fabian Freyer of Radically Open Security for finding this vulnerability, the Mozilla Open Source Support (MOSS) project for supporting the audit, and George Nachman of iTerm2 for developing the fix, and all parties for coordinating this vulnerability."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability exists in the way that iTerm2 integrates with tmux\u0027s control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5. This vulnerability may allow an attacker to execute arbitrary commands on their victim\u0027s computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.8"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-349"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#763073",
"refsource": "CERT-VN",
"url": "https://kb.cert.org/vuls/id/763073/"
},
{
"name": "https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/",
"refsource": "MISC",
"url": "https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/"
},
{
"name": "https://groups.google.com/forum/#!topic/iterm2-discuss/57k_AuLdQa4",
"refsource": "CONFIRM",
"url": "https://groups.google.com/forum/#!topic/iterm2-discuss/57k_AuLdQa4"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2019-9535",
"datePublished": "2019-10-09T19:15:44.101Z",
"dateReserved": "2019-03-01T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:11:00.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1131 (GCVE-0-2018-1131)
Vulnerability from cvelistv5 – Published: 2018-05-15 13:00 – Updated: 2024-09-16 23:16| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1576492 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/104218 | vdb-entryx_refsource_BID |
| https://access.redhat.com/errata/RHSA-2018:1833 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2019:3892 | vendor-advisoryx_refsource_REDHAT |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat, Inc. | infinispan |
Affected:
9.0.3.Final
Affected: 9.1.7.Final Affected: 8.2.10.Final Affected: 9.2.2.Final Affected: 9.3.0.Alpha1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:51:48.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1576492"
},
{
"name": "104218",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104218"
},
{
"name": "RHSA-2018:1833",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1833"
},
{
"name": "RHSA-2019:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "infinispan",
"vendor": "Red Hat, Inc.",
"versions": [
{
"status": "affected",
"version": "9.0.3.Final"
},
{
"status": "affected",
"version": "9.1.7.Final"
},
{
"status": "affected",
"version": "8.2.10.Final"
},
{
"status": "affected",
"version": "9.2.2.Final"
},
{
"status": "affected",
"version": "9.3.0.Alpha1"
}
]
}
],
"datePublic": "2018-05-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-14T23:07:11.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1576492"
},
{
"name": "104218",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104218"
},
{
"name": "RHSA-2018:1833",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:1833"
},
{
"name": "RHSA-2019:3892",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"DATE_PUBLIC": "2018-05-14T00:00:00",
"ID": "CVE-2018-1131",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "infinispan",
"version": {
"version_data": [
{
"version_value": "9.0.3.Final"
},
{
"version_value": "9.1.7.Final"
},
{
"version_value": "8.2.10.Final"
},
{
"version_value": "9.2.2.Final"
},
{
"version_value": "9.3.0.Alpha1"
}
]
}
}
]
},
"vendor_name": "Red Hat, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-349"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1576492",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1576492"
},
{
"name": "104218",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104218"
},
{
"name": "RHSA-2018:1833",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:1833"
},
{
"name": "RHSA-2019:3892",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2018-1131",
"datePublished": "2018-05-15T13:00:00.000Z",
"dateReserved": "2017-12-04T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:16:45.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2HM8-9847-Q7GC
Vulnerability from github – Published: 2025-07-16 15:32 – Updated: 2025-07-16 15:32A named caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.
This issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.
{
"affected": [],
"aliases": [
"CVE-2025-40776"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-16T14:15:25Z",
"severity": "HIGH"
},
"details": "A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.\nThis issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.",
"id": "GHSA-2hm8-9847-q7gc",
"modified": "2025-07-16T15:32:32Z",
"published": "2025-07-16T15:32:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40776"
},
{
"type": "WEB",
"url": "https://kb.isc.org/docs/cve-2025-40776"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3G8H-86W9-WVMQ
Vulnerability from github – Published: 2026-05-11 16:12 – Updated: 2026-05-14 20:35Impact
Next.js uses the x-nextjs-data request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect.
When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients.
If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged.
Affected scenarios
This affects applications that: - use middleware or proxy redirects - are deployed behind a caching CDN or reverse proxy - allow 3xx responses on those paths to be cached without differentiating internal data requests from normal requests
Fix
The fix stops trusting x-nextjs-data by itself for middleware redirect handling. A request is now treated as an internal data request only when it is validated as such by internal routing state, preserving legitimate data-request redirect behavior while preventing external header injection from changing normal redirect responses.
Workarounds
Before upgrading, users can reduce risk by:
- configuring the CDN or reverse proxy to vary its cache key on x-nextjs-data for affected responses
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "12.2.0"
},
{
"fixed": "15.5.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "next"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0"
},
{
"fixed": "16.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44572"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-11T16:12:07Z",
"nvd_published_at": "2026-05-13T16:16:58Z",
"severity": "LOW"
},
"details": "### Impact\n\nNext.js uses the `x-nextjs-data` request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect.\n\nWhen that happened, the middleware/proxy could treat the request as a data request and replace the standard `Location` redirect header with the internal `x-nextjs-redirect` header. Browsers do not follow `x-nextjs-redirect`, so the response became an unusable redirect for normal clients.\n\nIf the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a `Location` header, causing a denial of service for that redirect path until the cache entry expired or was purged.\n\n### Affected scenarios\n\nThis affects applications that:\n- use middleware or proxy redirects\n- are deployed behind a caching CDN or reverse proxy\n- allow 3xx responses on those paths to be cached without differentiating internal data requests from normal requests\n\n### Fix\n\nThe fix stops trusting `x-nextjs-data` by itself for middleware redirect handling. A request is now treated as an internal data request only when it is validated as such by internal routing state, preserving legitimate data-request redirect behavior while preventing external header injection from changing normal redirect responses.\n\n### Workarounds\n\nBefore upgrading, users can reduce risk by:\n- configuring the CDN or reverse proxy to vary its cache key on `x-nextjs-data` for affected responses",
"id": "GHSA-3g8h-86w9-wvmq",
"modified": "2026-05-14T20:35:56Z",
"published": "2026-05-11T16:12:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44572"
},
{
"type": "PACKAGE",
"url": "https://github.com/vercel/next.js"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/releases/tag/v15.5.16"
},
{
"type": "WEB",
"url": "https://github.com/vercel/next.js/releases/tag/v16.2.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Next.js\u0027s Middleware / Proxy redirects can be cache-poisoned"
}
GHSA-4GWR-F7FQ-56WC
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2023-02-02 21:33A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
{
"affected": [],
"aliases": [
"CVE-2020-10751"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-26T15:15:00Z",
"severity": "LOW"
},
"details": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
"id": "GHSA-4gwr-f7fq-56wc",
"modified": "2023-02-02T21:33:41Z",
"published": "2022-05-24T17:18:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2020/04/30/5"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4699"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4698"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4413-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4412-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4391-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4390-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4389-1"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/selinux/CACT4Y+b8HiV6KFuAPysZD=5hmyO4QisgxCKi4DHU3CfMPSP=yg@mail.gmail.com"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/selinux/CACT4Y+b8HiV6KFuAPysZD=5hmyO4QisgxCKi4DHU3CfMPSP=yg%40mail.gmail.com"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb73974172ffaaf57a7c42f35424d9aece1a5af6"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10751"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1839634"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2020-10751"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:4609"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:4431"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:4062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2020:4060"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00022.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00008.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/05/27/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4QGF-3M3Q-8XM4
Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-16 18:31In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH
{
"affected": [],
"aliases": [
"CVE-2025-68269"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T16:16:06Z",
"severity": "MODERATE"
},
"details": "In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH",
"id": "GHSA-4qgf-3m3q-8xm4",
"modified": "2025-12-16T18:31:33Z",
"published": "2025-12-16T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68269"
},
{
"type": "WEB",
"url": "https://www.jetbrains.com/privacy-security/issues-fixed"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-59Q3-MH2G-PPQ7
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31Acceptance of extraneous untrusted data with trusted data in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
{
"affected": [],
"aliases": [
"CVE-2025-48804"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T17:15:43Z",
"severity": "MODERATE"
},
"details": "Acceptance of extraneous untrusted data with trusted data in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.",
"id": "GHSA-59q3-mh2g-ppq7",
"modified": "2025-07-08T18:31:45Z",
"published": "2025-07-08T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48804"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48804"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5MHJ-93X4-VF9F
Vulnerability from github – Published: 2026-06-25 15:32 – Updated: 2026-06-25 15:32Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote Code Execution.
{
"affected": [],
"aliases": [
"CVE-2026-41120"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T14:16:39Z",
"severity": "CRITICAL"
},
"details": "Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote Code Execution.",
"id": "GHSA-5mhj-93x4-vf9f",
"modified": "2026-06-25T15:32:00Z",
"published": "2026-06-25T15:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41120"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-in/000465356/dsa-2026-225?msockid=3021cac2195069ed3194ddad186a68f9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5XR6-XHWW-33M4
Vulnerability from github – Published: 2024-11-25 15:26 – Updated: 2024-11-25 15:26Summary
In versions of dawidd6/action-download-artifact before v6, a repository's forks were also searched by default when attempting to find matching artifacts. This could be exploited by an unprivileged attacker to introduce compromised artifacts (such as malicious executables) into a privileged workflow context, as creating a fork requires no privileges.
Users should immediately upgrade to v6 or newer, which changes the default behavior to avoid searching forks for matching artifacts. Users who cannot upgrade should explicitly set allow_forks: false to disable searching forks for artifacts.
Details
GitHub's artifact storage for workflows does not natively distinguish between artifacts created by a repository and artifacts created by forks of that repository. As a result, attempting to retrieve the "latest" artifact for a workflow run can return artifacts produced by a fork, rather than its upstream.
Because any GitHub user can create a fork of a public repository, this allows for artifact poisoning in the following scenarios (as well as potentially others):
- Repository
alice/foorunsbuild.yml, producingbuild.exe - Repository
alice/foorunspublish.yml, which usesaction-download-artifact@v5to retrieve the latestbuild.exefrombuild.yml
To compromise publish.yml in this scenario, Mallory forks alice/foo to mallory/foo, and then modifies build.yml to produce a compromised build.exe. Mallory can then repeatedly trigger their copy of build.yml to ensure that their compromised build.exe is always the latest artifact, meaning that Alice's publish.yml will retrieve it.
Additional details on this vulnerability can be found in this blog post from 2022:
- https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust
Impact
This vulnerability impacts all repositories on GitHub that use action-download-artifacts@v5 or older and do not disable allow_forks: true, which is the default.
If a repository is affected, the severity ranges from downstream contamination (such as publishing attacker-controlled artifacts) to direct workflow compromise (if the retrieved artifact is then executed in a privileged workflow context, such as push or pull_request_target).
{
"affected": [
{
"package": {
"ecosystem": "GitHub Actions",
"name": "dawidd6/action-download-artifact"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-25T15:26:43Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nIn versions of `dawidd6/action-download-artifact` before v6, a repository\u0027s forks were also searched by default when attempting to find matching artifacts. This could be exploited by an unprivileged attacker to introduce compromised artifacts (such as malicious executables) into a privileged workflow context, as creating a fork requires no privileges.\n\nUsers should immediately upgrade to v6 or newer, which changes the default behavior to avoid searching forks for matching artifacts. Users who cannot upgrade should explicitly set `allow_forks: false` to disable searching forks for artifacts.\n\n### Details\n\nGitHub\u0027s artifact storage for workflows does not natively distinguish between artifacts created by a repository and artifacts created by forks of that repository. As a result, attempting to retrieve the \"latest\" artifact for a workflow run can return artifacts produced by a fork, rather than its upstream. \n\nBecause any GitHub user can create a fork of a public repository, this allows for artifact poisoning in the following scenarios (as well as potentially others):\n\n1. Repository `alice/foo` runs `build.yml`, producing `build.exe`\n2. Repository `alice/foo` runs `publish.yml`, which uses `action-download-artifact@v5` to retrieve the latest `build.exe` from `build.yml`\n\nTo compromise `publish.yml` in this scenario, Mallory forks `alice/foo` to `mallory/foo`, and then modifies `build.yml` to produce a compromised `build.exe`. Mallory can then repeatedly trigger their copy of `build.yml` to ensure that their compromised `build.exe` is always the latest artifact, meaning that Alice\u0027s `publish.yml` will retrieve it.\n\nAdditional details on this vulnerability can be found in this blog post from 2022:\n\n* https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust\n\n### Impact\n\nThis vulnerability impacts all repositories on GitHub that use `action-download-artifacts@v5` or older and do **not** disable `allow_forks: true`, which is the default.\n\nIf a repository is affected, the severity ranges from downstream contamination (such as publishing attacker-controlled artifacts) to direct workflow compromise (if the retrieved artifact is then executed in a privileged workflow context, such as `push` or `pull_request_target`).\n",
"id": "GHSA-5xr6-xhww-33m4",
"modified": "2024-11-25T15:26:43Z",
"published": "2024-11-25T15:26:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dawidd6/action-download-artifact/security/advisories/GHSA-5xr6-xhww-33m4"
},
{
"type": "WEB",
"url": "https://github.com/dawidd6/action-download-artifact/commit/bf251b5aa9c2f7eeb574a96ee720e24f801b7c11"
},
{
"type": "PACKAGE",
"url": "https://github.com/dawidd6/action-download-artifact"
},
{
"type": "WEB",
"url": "https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Artifact poisoning vulnerability in action-download-artifact v5 and earlier"
}
GHSA-6W73-X38P-26G5
Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2025-12-01 03:30NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.
{
"affected": [],
"aliases": [
"CVE-2025-11411"
],
"database_specific": {
"cwe_ids": [
"CWE-349"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-22T13:15:29Z",
"severity": "MODERATE"
},
"details": "NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver\u0027s knowledge of the zone\u0027s name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.",
"id": "GHSA-6w73-x38p-26g5",
"modified": "2025-12-01T03:30:25Z",
"published": "2025-10-22T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11411"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00032.html"
},
{
"type": "WEB",
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/11/26/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.