Common Weakness Enumeration

CWE-436

Allowed-with-Review

Interpretation Conflict

Abstraction: Class · Status: Incomplete

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

199 vulnerabilities reference this CWE, most recent first.

GHSA-W7MG-Q4HH-M9CQ

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2025-10-22 00:32
VLAI
Details

An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-23",
      "CWE-434",
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-13T08:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.",
  "id": "GHSA-w7mg-q4hh-m9cq",
  "modified": "2025-10-22T00:32:19Z",
  "published": "2022-05-24T19:14:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40870"
    },
    {
      "type": "WEB",
      "url": "https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021"
    },
    {
      "type": "WEB",
      "url": "https://wearetradecraft.com/advisories/tc-2021-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40870"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/164461/Aviatrix-Controller-6.x-Path-Traversal-Code-Execution.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFC6-R584-VFW7

Vulnerability from github – Published: 2026-05-11 15:54 – Updated: 2026-05-14 20:38
VLAI
Summary
Next.js vulnerable to cache poisoning in React Server Component responses
Details

Impact

Applications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML.

Fix

We now validate and interpret RSC request headers consistently across request classification and rendering, and we enforce the intended cache-busting behavior so RSC payloads are not unexpectedly served from the original URL.

Workarounds

If you cannot upgrade immediately, ensure your CDN or reverse proxy keys on the relevant RSC request headers and honors Vary, or disable shared caching for affected App Router and RSC responses.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.2.0"
            },
            {
              "fixed": "15.5.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T15:54:46Z",
    "nvd_published_at": "2026-05-13T17:16:23Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nApplications using React Server Components can be vulnerable to cache poisoning when shared caches do not correctly partition response variants. Under affected conditions, an attacker can cause an RSC response to be served from the original URL and poison shared cache entries so later visitors receive component payloads instead of the expected HTML.\n\n### Fix\n\nWe now validate and interpret `RSC` request headers consistently across request classification and rendering, and we enforce the intended cache-busting behavior so RSC payloads are not unexpectedly served from the original URL.\n\n### Workarounds\n\nIf you cannot upgrade immediately, ensure your CDN or reverse proxy keys on the relevant RSC request headers and honors `Vary`, or disable shared caching for affected App Router and RSC responses.",
  "id": "GHSA-wfc6-r584-vfw7",
  "modified": "2026-05-14T20:38:11Z",
  "published": "2026-05-11T15:54:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-wfc6-r584-vfw7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44576"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v15.5.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v16.2.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.js vulnerable to cache poisoning in React Server Component responses"
}

GHSA-WFQ4-F757-C65C

Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2023-05-16 21:30
VLAI
Details

For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options Header is missing in the HTTP response, potentially causing the response body to be interpreted and displayed as different content type other than declared. A possible attack scenario would be unauthorized code execution via text interpreted as JavaScript.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-02T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options Header is missing in the HTTP response, potentially causing the response body to be interpreted and displayed as different content type other than declared. A possible attack scenario would be unauthorized code execution via text interpreted as JavaScript.",
  "id": "GHSA-wfq4-f757-c65c",
  "modified": "2023-05-16T21:30:17Z",
  "published": "2022-05-24T17:13:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19089"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJFC-PGFP-PV9C

Vulnerability from github – Published: 2023-04-21 20:27 – Updated: 2023-04-21 20:27
VLAI
Summary
Improper Input Validation in nyholm/psr7
Details

Impact

Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.

Patches

The issue is patched in 1.6.1.

Workarounds

There are no known workarounds.

References

  • https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "nyholm/psr7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-21T20:27:30Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nImproper header parsing. An attacker could sneak in a newline (`\\n`) into both the header names and values. While the specification states that `\\r\\n\\r\\n` is used to terminate the header list, many servers in the wild will also accept `\\n\\n`.\n\n### Patches\n\nThe issue is patched in 1.6.1.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n* https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4",
  "id": "GHSA-wjfc-pgfp-pv9c",
  "modified": "2023-04-21T20:27:30Z",
  "published": "2023-04-21T20:27:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Nyholm/psr7/security/advisories/GHSA-wjfc-pgfp-pv9c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96"
    },
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29197"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/nyholm/psr7/2023-04-17.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Nyholm/psr7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Input Validation in nyholm/psr7"
}

GHSA-WVJ2-96WP-FQ3F

Vulnerability from github – Published: 2026-02-26 22:20 – Updated: 2026-02-26 22:20
VLAI
Summary
MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity
Details

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. Additionally, Go's standard library folds the Unicode characters ſ (U+017F) and K (U+212A) to their ASCII equivalents s and k, meaning fields like "paramſ" would match "params". This violated the JSON-RPC 2.0 specification, which defines exact field names.

Impact:

A malicious MCP peer may have been able to send protocol messages with non-standard field casing (e.g., "Method" instead of "method") that the SDK would silently accept. This had the potential for: - Bypassing intermediary inspection: Proxies or policy layers that matched on exact field names may have failed to detect or filter these messages. - Cross-implementation inconsistency: Other MCP SDKs (TypeScript, Python) use case-sensitive parsing and would reject the same messages, creating potential security-boundary confusion.

Fix:

Go's standard JSON unmarshaling was replaced with a case-sensitive decoder (github.com/segmentio/encoding) in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.

Credits:

MCP Go SDK thanks Francesco Lacerenza (Doyensec) for reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/modelcontextprotocol/go-sdk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-178",
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-26T22:20:08Z",
    "nvd_published_at": "2026-02-26T01:16:25Z",
    "severity": "HIGH"
  },
  "details": "The Go MCP SDK used Go\u0027s standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing. Go\u0027s standard library performs case-insensitive matching of JSON keys to struct field tags \u2014 a field tagged json:\"method\" would also match \"Method\", \"METHOD\", etc. Additionally, Go\u0027s standard library folds the Unicode characters \u017f (U+017F) and K (U+212A) to their ASCII equivalents s and k, meaning fields like \"param\u017f\" would match \"params\". This violated the JSON-RPC 2.0 specification, which defines exact field names.\n\n#### Impact:\n\nA malicious MCP peer may have been able to send protocol messages with non-standard field casing (e.g., \"Method\" instead of \"method\") that the SDK would silently accept. This had the potential for:\n  - **Bypassing intermediary inspection:** Proxies or policy layers that matched on exact field names may have failed to detect or filter these messages.\n  - **Cross-implementation inconsistency:** Other MCP SDKs (TypeScript, Python) use case-sensitive parsing and would reject the same messages, creating potential security-boundary confusion.\n\n####  Fix:\n\nGo\u0027s standard JSON unmarshaling was replaced with a case-sensitive decoder (github.com/segmentio/encoding) in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.\n\n#### Credits:\nMCP Go SDK thanks Francesco Lacerenza (Doyensec) for reporting this issue.",
  "id": "GHSA-wvj2-96wp-fq3f",
  "modified": "2026-02-26T22:20:08Z",
  "published": "2026-02-26T22:20:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-wvj2-96wp-fq3f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27896"
    },
    {
      "type": "WEB",
      "url": "https://github.com/modelcontextprotocol/go-sdk/commit/7b8d81c264074404abdf5aa16e2cf0c2d9c64cc0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/modelcontextprotocol/go-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity"
}

GHSA-WXMH-65F7-JCVW

Vulnerability from github – Published: 2023-04-19 18:25 – Updated: 2023-04-19 18:25
VLAI
Summary
Improper header name validation in guzzlehttp/psr7
Details

Impact

Improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n.

Patches

The issue is patched in 1.9.1 and 2.4.5.

Workarounds

There are no known workarounds.

References

  • https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "guzzlehttp/psr7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "guzzlehttp/psr7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-19T18:25:53Z",
    "nvd_published_at": "2023-04-17T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nImproper header parsing. An attacker could sneak in a newline (`\\n`) into both the header names and values. While the specification states that `\\r\\n\\r\\n` is used to terminate the header list, many servers in the wild will also accept `\\n\\n`.\n\n### Patches\n\nThe issue is patched in 1.9.1 and 2.4.5.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### References\n\n* https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4\n",
  "id": "GHSA-wxmh-65f7-jcvw",
  "modified": "2023-04-19T18:25:53Z",
  "published": "2023-04-19T18:25:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96"
    },
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29197"
    },
    {
      "type": "WEB",
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-24775"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/psr7/CVE-2023-29197.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/guzzle/psr7"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FJANWDXJZE5BGLN4MQ4FEHV5LJ6CMKQF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O35UN4IK6VS2LXSRWUDFWY7NI73RKY2U"
    },
    {
      "type": "WEB",
      "url": "https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper header name validation in guzzlehttp/psr7"
}

GHSA-X5MQ-JJR3-VMX6

Vulnerability from github – Published: 2025-01-21 21:13 – Updated: 2025-01-21 21:13
VLAI
Summary
Missing validation of header name and value in codeigniter4/framework
Details

Impact

Lack of proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with Header class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS scenario if a remote service’s web application firewall interprets them as malicious and blocks further communication with the application.

Patches

Upgrade to v4.5.8 or later.

Workarounds

Validate HTTP header keys and/or values if using user-supplied values before passing them to Header class.

Differences from CVE-2023-29197

  1. Affected Software:

    • CVE-2023-29197 specifically addresses a vulnerability in the guzzlehttp/psr7 library.
    • The reported issue in this Security Advisory is within the CodeIgniter4 framework and does not depend on or use the guzzlehttp/psr7 library.
  2. Root Cause and Implementation:

    • The vulnerability reported arises from an issue in the Header class of CodeIgniter4, which is unrelated to the functionality or implementation of guzzlehttp/psr7.
  3. Scope of Impact:

    • The vulnerability described in this Security Advisory affects applications built with the CodeIgniter4 framework, which does not use or rely on the guzzlehttp/psr7 library.

References

  • https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
  • https://github.com/advisories/GHSA-wxmh-65f7-jcvw
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "codeigniter4/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-21T21:13:40Z",
    "nvd_published_at": "2025-01-20T16:15:28Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nLack of proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with `Header` class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS scenario if a remote service\u2019s web application firewall interprets them as malicious and blocks further communication with the application.\n\n### Patches\nUpgrade to v4.5.8 or later.\n\n### Workarounds\nValidate HTTP header keys and/or values if using user-supplied values before passing them to `Header` class.\n\n### Differences from CVE-2023-29197\n\n1. **Affected Software**:\n    * CVE-2023-29197 specifically addresses a vulnerability in the `guzzlehttp/psr7` library.\n    * The reported issue in this Security Advisory is within the **CodeIgniter4** framework and does not depend on or use the `guzzlehttp/psr7` library.\n\n2. **Root Cause and Implementation**:\n    * The vulnerability reported arises from an issue in the **Header class** of CodeIgniter4, which is unrelated to the functionality or implementation of `guzzlehttp/psr7`.\n\n3. **Scope of Impact**:\n    * The vulnerability described in this Security Advisory affects applications built with the **CodeIgniter4** framework, which does not use or rely on the `guzzlehttp/psr7` library.\n\n### References\n* https://datatracker.ietf.org/doc/html/rfc7230#section-3.2\n* https://github.com/advisories/GHSA-wxmh-65f7-jcvw",
  "id": "GHSA-x5mq-jjr3-vmx6",
  "modified": "2025-01-21T21:13:41Z",
  "published": "2025-01-21T21:13:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/CodeIgniter4/commit/5f8aa24280fb09947897d6b322bf1f0e038b13b6"
    },
    {
      "type": "WEB",
      "url": "https://datatracker.ietf.org/doc/html/rfc7230#section-3.2"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-wxmh-65f7-jcvw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codeigniter4/CodeIgniter4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Missing validation of header name and value in codeigniter4/framework"
}

GHSA-XX2R-XRGJ-FM3F

Vulnerability from github – Published: 2024-01-10 15:30 – Updated: 2024-01-17 00:30
VLAI
Details

The vulnerability allows a remote attacker to inject arbitrary HTTP response headers or manipulate HTTP response bodies inside a victim’s session via a crafted URL or HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113",
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-10T13:15:46Z",
    "severity": "MODERATE"
  },
  "details": "The vulnerability allows a remote attacker to inject arbitrary HTTP response headers or manipulate HTTP response bodies inside a victim\u2019s session via a crafted URL or HTTP request.",
  "id": "GHSA-xx2r-xrgj-fm3f",
  "modified": "2024-01-17T00:30:18Z",
  "published": "2024-01-10T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48256"
    },
    {
      "type": "WEB",
      "url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XX9R-H2Q8-Q5M3

Vulnerability from github – Published: 2022-10-11 12:00 – Updated: 2022-10-14 12:00
VLAI
Details

A vulnerability in the implementation of IPv6 VPN over MPLS (6VPE) with Zone-Based Firewall (ZBFW) of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling of an IPv6 packet that is forwarded from an MPLS and ZBFW-enabled interface in a 6VPE deployment. An attacker could exploit this vulnerability by sending a crafted IPv6 packet sourced from a device on the IPv6-enabled virtual routing and forwarding (VRF) interface through the affected device. A successful exploit could allow the attacker to reload the device, resulting in a DoS condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20915"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-10T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the implementation of IPv6 VPN over MPLS (6VPE) with Zone-Based Firewall (ZBFW) of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling of an IPv6 packet that is forwarded from an MPLS and ZBFW-enabled interface in a 6VPE deployment. An attacker could exploit this vulnerability by sending a crafted IPv6 packet sourced from a device on the IPv6-enabled virtual routing and forwarding (VRF) interface through the affected device. A successful exploit could allow the attacker to reload the device, resulting in a DoS condition.",
  "id": "GHSA-xx9r-h2q8-q5m3",
  "modified": "2022-10-14T12:00:24Z",
  "published": "2022-10-11T12:00:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20915"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-6vpe-dos-tJBtf5Zv"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-105: HTTP Request Splitting

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server).

See CanPrecede relationships for possible consequences.

CAPEC-273: HTTP Response Smuggling

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server).

See CanPrecede relationships for possible consequences.

CAPEC-34: HTTP Response Splitting

An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.

See CanPrecede relationships for possible consequences.