CWE-372
DiscouragedIncomplete Internal State Distinction
Abstraction: Base · Status: Draft
The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.
13 vulnerabilities reference this CWE, most recent first.
GHSA-86H5-XCPX-CFQC
Vulnerability from github – Published: 2024-02-27 21:55 – Updated: 2024-11-04 17:14ASA-2024-005: Potential slashing evasion during re-delegation
Component: Cosmos SDK Criticality: Low Affected Versions: Cosmos SDK versions <= 0.50.4; <= 0.47.9 Affected Users: Chain developers, Validator and Node operators Impact: Slashing Evasion
Summary
An issue was identified in the slashing mechanism that may allow for the evasion of slashing penalties during a slashing event. If a delegation contributed to byzantine behavior of a validator, and the validator has not yet been slashed, it may be possible for that delegation to evade a pending slashing penalty through re-delegation behavior. Additional validation logic was added to restrict this behavior.
Next Steps for Impacted Parties
If you are a chain developer on an affected version of the Cosmos SDK, it is advised to update to the latest available version of the Cosmos SDK for your project. Once a patched version is available, it is recommended that network operators upgrade.
A Github Security Advisory for this issue is available in the Cosmos-SDK repository. For more information about Cosmos SDK, see https://docs.cosmos.network/.
This issue was found by cat shark (Khanh) who reported it to the Cosmos Bug Bounty Program on HackerOne on December 6, 2023. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.50.4"
},
"package": {
"ecosystem": "Go",
"name": "github.com/cosmos/cosmos-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0.50.0"
},
{
"fixed": "0.50.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.47.9"
},
"package": {
"ecosystem": "Go",
"name": "github.com/cosmos/cosmos-sdk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.47.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-372"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-27T21:55:52Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## ASA-2024-005: Potential slashing evasion during re-delegation\n\n**Component**: Cosmos SDK\n**Criticality**: Low\n**Affected Versions**: Cosmos SDK versions \u003c= 0.50.4; \u003c= 0.47.9\n**Affected Users**: Chain developers, Validator and Node operators\n**Impact**: Slashing Evasion\n\n## Summary\n\nAn issue was identified in the slashing mechanism that may allow for the evasion of slashing penalties during a slashing event. If a delegation contributed to byzantine behavior of a validator, and the validator has not yet been slashed, it may be possible for that delegation to evade a pending slashing penalty through re-delegation behavior. Additional validation logic was added to restrict this behavior.\n\n## Next Steps for Impacted Parties\n\nIf you are a chain developer on an affected version of the Cosmos SDK, it is advised to update to the latest available version of the Cosmos SDK for your project. Once a patched version is available, it is recommended that network operators upgrade.\n\nA Github Security Advisory for this issue is available in the Cosmos-SDK [repository](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-86h5-xcpx-cfqc). For more information about Cosmos SDK, see https://docs.cosmos.network/.\n\nThis issue was found by cat shark (Khanh) who reported it to the Cosmos Bug Bounty Program on HackerOne on December 6, 2023. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n",
"id": "GHSA-86h5-xcpx-cfqc",
"modified": "2024-11-04T17:14:28Z",
"published": "2024-02-27T21:55:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-86h5-xcpx-cfqc"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/commit/7dbed2fc0c3ed7c285645e21cb1037d8810372ae"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/commit/d1b5b0c5ae2c51206cc1849e09e4d59986742cc3"
},
{
"type": "PACKAGE",
"url": "https://github.com/cosmos/cosmos-sdk"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "ASA-2024-005: Potential slashing evasion during re-delegation"
}
GHSA-G42G-737J-QX6J
Vulnerability from github – Published: 2021-05-28 19:49 – Updated: 2022-03-22 18:43A vulnerability in Kubernetes kube-apiserver could allow node updates to bypass a Validating Admission Webhook and allow unauthorized node updates. The information that is provided to the admission controller could contain old configurations that overwrite values used for validation. Since the overwriting takes place before the validation, this could lead the admission controller to accept requests that should be blocked. The vulnerability can be exploited when an update action on node resources is performed and an admission controller is in place and configured to validate the action.
Users are only affected by this vulnerability if they are running a Validating Admission Webhook for Nodes that denies admission based partially on the old state of the Node object. It only impacts validating admission plugins that rely on old values in certain fields and does not impact calls from kubelets that go through the built-in NodeRestriction admission plugin.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.20.5"
},
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.20.0"
},
{
"fixed": "1.20.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.19.9"
},
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.19.0"
},
{
"fixed": "1.19.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.18.17"
},
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-25735"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-372",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-22T18:25:38Z",
"nvd_published_at": "2021-09-06T12:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Kubernetes `kube-apiserver` could allow node updates to bypass a _Validating Admission Webhook_ and allow unauthorized node updates. The information that is provided to the admission controller could contain old configurations that overwrite values used for validation. Since the overwriting takes place before the validation, this could lead the admission controller to accept requests that should be blocked. The vulnerability can be exploited when an update action on node resources is performed and an admission controller is in place and configured to validate the action.\n\nUsers are only affected by this vulnerability if they are running a _Validating Admission Webhook_ for Nodes that denies admission based partially on the old state of the Node object. It only impacts validating admission plugins that rely on old values in certain fields and does not impact calls from kubelets that go through the built-in NodeRestriction admission plugin.",
"id": "GHSA-g42g-737j-qx6j",
"modified": "2022-03-22T18:43:41Z",
"published": "2021-05-28T19:49:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25735"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/100096"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/99946"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/commit/00e81db174ef7aca497be5f42d87e46d14df2a90"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937562"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/k8s.io/kubernetes@v1.23.5/cmd/kube-apiserver"
},
{
"type": "WEB",
"url": "https://sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Access Restriction Bypass in kube-apiserver"
}
GHSA-Q85G-CF2C-5GQ6
Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-04-24 00:31OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.
{
"affected": [],
"aliases": [
"CVE-2026-41340"
],
"database_specific": {
"cwe_ids": [
"CWE-372"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-23T22:16:40Z",
"severity": "MODERATE"
},
"details": "OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.",
"id": "GHSA-q85g-cf2c-5gq6",
"modified": "2026-04-24T00:31:51Z",
"published": "2026-04-24T00:31:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f693-58pc-2gfr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41340"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/d8c68c8d4265ea6fa5e8c5e056534c351bddef37"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authentication-boundary-bypass-via-telegram-legacy-allowfrom-migration"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-140: Bypassing of Intermediate Forms in Multiple-Form Sets
Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.
CAPEC-74: Manipulating State
The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner.
State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.
If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.