Common Weakness Enumeration

CWE-459

Allowed

Incomplete Cleanup

Abstraction: Base · Status: Draft

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

223 vulnerabilities reference this CWE, most recent first.

GHSA-RCGX-6RCQ-V2MX

Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-26 00:00
VLAI
Details

Under certain circumstances the session token is not cleared on logout.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36205"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-15T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Under certain circumstances the session token is not cleared on logout.",
  "id": "GHSA-rcgx-6rcq-v2mx",
  "modified": "2022-04-26T00:00:58Z",
  "published": "2022-04-16T00:00:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36205"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-02"
    },
    {
      "type": "WEB",
      "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFJG-6M84-CRJ2

Vulnerability from github – Published: 2026-02-28 01:59 – Updated: 2026-02-28 01:59
VLAI
Summary
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
Details

Summary A critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever.

This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls.

Technical Analysis The vulnerability stems from two distinct logic errors in the pkg/user/ package that confirm the tokens are never removed.

  1. Logic Error in Password Reset (No Invalidation) In pkg/user/user_password_reset.go, the ResetPassword function successfully updates the user's password but fails to delete the reset token used to authorize the request. Instead, it attempts to delete a TokenEmailConfirm token, leaving the TokenPasswordReset active.

Vulnerable Code: pkg/user/user_password_reset.go (Lines 36-94)

func ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err error) {
    // ... [Validation and User Lookup] ...

    // Hash the password
    user.Password, err = HashPassword(reset.NewPassword)
    if err != nil {
        return
    }

    // FLAW: Deletes 'TokenEmailConfirm' instead of the current 'TokenPasswordReset'
    err = removeTokens(s, user, TokenEmailConfirm)
    if err != nil {
        return
    }

    // ... [Update User Status and Return] ...
    // The reset token is never removed and remains valid in the DB.
}
  1. Logic Error in Token Cleanup (Inverted Expiry) The background cron job intended to expire old tokens contains an inverted comparison operator. It deletes tokens newer than 24 hours instead of older ones.

Vulnerable Code: pkg/user/token.go (Lines 125-151)

func RegisterTokenCleanupCron() {
    // ...
    err := cron.Schedule("0 * * * *", func() {
        // ...
        // FLAW: "created > ?" selects tokens created AFTER 24 hours ago.
        // This deletes NEW valid tokens and keeps OLD expired tokens forever.
        deleted, err := s.
            Where("created > ? AND (kind = ? OR kind = ?)", 
            time.Now().Add(time.Hour*24*-1), 
            TokenPasswordReset, TokenAccountDeletion).
            Delete(&Token{})
        // ...
    })
}

Impact Persistent Account Takeover: An attacker with a single valid token can reset the victim's password an unlimited number of times.

Bypass of Remediation: Even if the victim notices suspicious activity and changes their password, the attacker can use the same old token to reset it again immediately.

Infinite Attack Window: Because the cleanup cron is broken, the token effectively has a generic TTL of "forever," allowing exploitation months or years after the token was issued.

Remediation 1. Invalidate Token on Use Update ResetPassword to delete the specific reset token upon successful completion. // Recommended Fix err = removeTokens(s, user, TokenPasswordReset) // Correct TokenKind 2. Fix Cleanup Logic Update the SQL query in RegisterTokenCleanupCron to target tokens created before the cutoff time. // Recommended Fix Where("created < ? ...", time.Now().Add(time.Hour*24*-1), ...) // Use Less Than (<)

A fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.1.0

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.vikunja.io/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.24.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-28T01:59:28Z",
    "nvd_published_at": "2026-02-27T21:16:18Z",
    "severity": "CRITICAL"
  },
  "details": "**Summary**\nA critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever.\n\nThis allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls.\n\n**Technical Analysis**\nThe vulnerability stems from two distinct logic errors in the pkg/user/ package that confirm the tokens are never removed.\n\n1. Logic Error in Password Reset (No Invalidation)\nIn pkg/user/user_password_reset.go, the ResetPassword function successfully updates the user\u0027s password but fails to delete the reset token used to authorize the request. Instead, it attempts to delete a TokenEmailConfirm token, leaving the TokenPasswordReset active.\n\nVulnerable Code: pkg/user/user_password_reset.go (Lines 36-94)\n```\nfunc ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err error) {\n    // ... [Validation and User Lookup] ...\n\n    // Hash the password\n    user.Password, err = HashPassword(reset.NewPassword)\n    if err != nil {\n        return\n    }\n\n    // FLAW: Deletes \u0027TokenEmailConfirm\u0027 instead of the current \u0027TokenPasswordReset\u0027\n    err = removeTokens(s, user, TokenEmailConfirm)\n    if err != nil {\n        return\n    }\n\n    // ... [Update User Status and Return] ...\n    // The reset token is never removed and remains valid in the DB.\n}\n```\n2. Logic Error in Token Cleanup (Inverted Expiry)\nThe background cron job intended to expire old tokens contains an inverted comparison operator. It deletes tokens newer than 24 hours instead of older ones.\n\nVulnerable Code: pkg/user/token.go (Lines 125-151)\n```\nfunc RegisterTokenCleanupCron() {\n    // ...\n    err := cron.Schedule(\"0 * * * *\", func() {\n        // ...\n        // FLAW: \"created \u003e ?\" selects tokens created AFTER 24 hours ago.\n        // This deletes NEW valid tokens and keeps OLD expired tokens forever.\n        deleted, err := s.\n            Where(\"created \u003e ? AND (kind = ? OR kind = ?)\", \n            time.Now().Add(time.Hour*24*-1), \n            TokenPasswordReset, TokenAccountDeletion).\n            Delete(\u0026Token{})\n        // ...\n    })\n}\n\n```\n\n**Impact**\nPersistent Account Takeover: An attacker with a single valid token can reset the victim\u0027s password an unlimited number of times.\n\nBypass of Remediation: Even if the victim notices suspicious activity and changes their password, the attacker can use the same old token to reset it again immediately.\n\nInfinite Attack Window: Because the cleanup cron is broken, the token effectively has a generic TTL of \"forever,\" allowing exploitation months or years after the token was issued.\n\n**Remediation**\n1. Invalidate Token on Use\nUpdate ResetPassword to delete the specific reset token upon successful completion.\n`// Recommended Fix\nerr = removeTokens(s, user, TokenPasswordReset) // Correct TokenKind`\n2. Fix Cleanup Logic\nUpdate the SQL query in RegisterTokenCleanupCron to target tokens created before the cutoff time.\n`// Recommended Fix\nWhere(\"created \u003c ? ...\", time.Now().Add(time.Hour*24*-1), ...) // Use Less Than (\u003c)`\n\nA fix is available at https://github.com/go-vikunja/vikunja/releases/tag/v2.1.0",
  "id": "GHSA-rfjg-6m84-crj2",
  "modified": "2026-02-28T01:59:28Z",
  "published": "2026-02-28T01:59:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-vikunja/vikunja"
    },
    {
      "type": "WEB",
      "url": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse"
}

GHSA-RG58-XHH7-MQJW

Vulnerability from github – Published: 2025-12-10 12:31 – Updated: 2025-12-10 17:21
VLAI
Summary
Apache Struts has a Denial of Service vulnerability
Details

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "6.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66675"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-10T17:21:39Z",
    "nvd_published_at": "2025-12-10T10:16:02Z",
    "severity": "HIGH"
  },
  "details": "Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.\n\nThis issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3.\n\nUsers are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.",
  "id": "GHSA-rg58-xhh7-mqjw",
  "modified": "2025-12-10T17:21:39Z",
  "published": "2025-12-10T12:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66675"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/struts/commit/831568929cfba700f790f6ebe6e335f9f33fb468"
    },
    {
      "type": "WEB",
      "url": "https://cve.org/CVERecord?id=CVE-2025-64775"
    },
    {
      "type": "WEB",
      "url": "https://cwiki.apache.org/confluence/display/WW/S2-068"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/struts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Struts has a Denial of Service vulnerability"
}

GHSA-RJ66-WVW5-RCVP

Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31
VLAI
Details

Incomplete cleanup in the ASP may expose the Master Encryption Key (MEK) to a privileged attacker with access to the BIOS menu or UEFI shell and a memory exfiltration vulnerability, potentially resulting in loss of confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T17:15:19Z",
    "severity": "LOW"
  },
  "details": "Incomplete cleanup in the ASP may expose the Master Encryption Key (MEK) to a privileged attacker with access to the BIOS menu or UEFI shell and a memory exfiltration vulnerability, potentially resulting in loss of confidentiality.",
  "id": "GHSA-rj66-wvw5-rcvp",
  "modified": "2024-08-13T18:31:15Z",
  "published": "2024-08-13T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20518"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-5002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V4XF-4525-WQQ9

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

Incomplete cleanup in some Intel(R) VT-d products may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-09T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Incomplete cleanup in some Intel(R) VT-d products may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-v4xf-4525-wqq9",
  "modified": "2022-05-24T19:04:26Z",
  "published": "2022-05-24T19:04:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24489"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4934"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00442.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V682-8VV8-VPWR

Vulnerability from github – Published: 2024-03-13 18:31 – Updated: 2025-08-08 18:33
VLAI
Summary
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat
Details

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.0-M16"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat-websocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0-M1"
            },
            {
              "fixed": "11.0.0-M17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.1.18"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat-websocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0-M1"
            },
            {
              "fixed": "10.1.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.85"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat-websocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0-M1"
            },
            {
              "fixed": "9.0.86"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.5.98"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat-websocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.0"
            },
            {
              "fixed": "8.5.99"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.0-M16"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-websocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0-M1"
            },
            {
              "fixed": "11.0.0-M17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.1.18"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-websocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0-M1"
            },
            {
              "fixed": "10.1.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.85"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-websocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0-M1"
            },
            {
              "fixed": "9.0.86"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.5.98"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-websocket"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.0"
            },
            {
              "fixed": "8.5.99"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23672"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-14T14:04:03Z",
    "nvd_published_at": "2024-03-13T16:15:29Z",
    "severity": "MODERATE"
  },
  "details": "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.",
  "id": "GHSA-v682-8vv8-vpwr",
  "modified": "2025-08-08T18:33:22Z",
  "published": "2024-03-13T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23672"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/0052b374684b613b0c849899b325ebe334ac6501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/3631adb1342d8bbd8598802a12b63ad02c37d591"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/52d6650e062d880704898d7d8c1b2b7a3efe8068"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/b0e3b1bd78de270d53e319d7cb79eb282aa53cb9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tomcat"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240402-0002"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/13/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat"
}

GHSA-V82W-Q73W-95P8

Vulnerability from github – Published: 2022-10-19 12:00 – Updated: 2022-10-21 12:00
VLAI
Details

Information disclosure due to exposure of information while GPU reads the data in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25664"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-459"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-19T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Information disclosure due to exposure of information while GPU reads the data in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables",
  "id": "GHSA-v82w-q73w-95p8",
  "modified": "2022-10-21T12:00:17Z",
  "published": "2022-10-19T12:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25664"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/october-2022-bulletin"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/172853/Qualcomm-Adreno-GPU-Information-Leak.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VJM2-5VCH-882G

Vulnerability from github – Published: 2025-09-24 18:30 – Updated: 2025-09-24 18:30
VLAI
Details

A vulnerability in the Day One setup process of Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers for Cloud (9800-CL) could allow an unauthenticated, remote attacker to access the public-key infrastructure (PKI) server that is running on an affected device.

This vulnerability is due to incomplete cleanup upon completion of the Day One setup process. An attacker could exploit this vulnerability by sending Simple Certificate Enrollment Protocol (SCEP) requests to an affected device. A successful exploit could allow the attacker to request a certificate from the virtual wireless controller and then use the acquired certificate to join an attacker-controlled device to the virtual wireless controller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-24T18:15:34Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Day One setup process of Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers for Cloud (9800-CL) could allow an unauthenticated, remote attacker to access the public-key infrastructure (PKI) server that is running on an affected device.\n\n This vulnerability is due to incomplete cleanup upon completion of the Day One setup process. An attacker could exploit this vulnerability by sending Simple Certificate Enrollment Protocol (SCEP) requests to an affected device. A successful exploit could allow the attacker to request a certificate from the virtual wireless controller and then use the acquired certificate to join an attacker-controlled device to the virtual wireless controller.",
  "id": "GHSA-vjm2-5vch-882g",
  "modified": "2025-09-24T18:30:31Z",
  "published": "2025-09-24T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20293"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-9800cl-openscep-SB4xtxzP"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMGF-252X-QC99

Vulnerability from github – Published: 2025-04-02 15:31 – Updated: 2025-11-03 21:33
VLAI
Details

A denial of service vulnerability exists in the NetX Component HTTP server functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.This vulnerability affects X-CUBE-AZRTOS-F7 NetX Duo Component HTTP Server HTTP server v 1.1.0. This HTTP server implementation is contained in this file - x-cube-azrtos-f7\Middlewares\ST\netxduo\addons\http\nxd_http_server.c

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50385"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-02T14:15:43Z",
    "severity": "MODERATE"
  },
  "details": "A denial of service vulnerability exists in the NetX Component HTTP server functionality of STMicroelectronics X-CUBE-AZRTOS-WL 2.0.0. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.This vulnerability affects X-CUBE-AZRTOS-F7 NetX Duo Component HTTP Server HTTP server v 1.1.0. This HTTP server implementation is contained in this file - x-cube-azrtos-f7\\Middlewares\\ST\\netxduo\\addons\\http\\nxd_http_server.c",
  "id": "GHSA-vmgf-252x-qc99",
  "modified": "2025-11-03T21:33:28Z",
  "published": "2025-04-02T15:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50385"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-2097"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2097"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMQF-GRH3-9RRR

Vulnerability from github – Published: 2024-03-25 12:30 – Updated: 2025-03-17 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

scsi: target: core: Avoid smp_processor_id() in preemptible code

The BUG message "BUG: using smp_processor_id() in preemptible [00000000] code" was observed for TCMU devices with kernel config DEBUG_PREEMPT.

The message was observed when blktests block/005 was run on TCMU devices with fileio backend or user:zbc backend [1]. The commit 1130b499b4a7 ("scsi: target: tcm_loop: Use LIO wq cmd submission helper") triggered the symptom. The commit modified work queue to handle commands and changed 'current->nr_cpu_allowed' at smp_processor_id() call.

The message was also observed at system shutdown when TCMU devices were not cleaned up [2]. The function smp_processor_id() was called in SCSI host work queue for abort handling, and triggered the BUG message. This symptom was observed regardless of the commit 1130b499b4a7 ("scsi: target: tcm_loop: Use LIO wq cmd submission helper").

To avoid the preemptible code check at smp_processor_id(), get CPU ID with raw_smp_processor_id() instead. The CPU ID is used for performance improvement then thread move to other CPU will not affect the code.

[1]

[ 56.468103] run blktests block/005 at 2021-05-12 14:16:38 [ 57.369473] check_preemption_disabled: 85 callbacks suppressed [ 57.369480] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1511 [ 57.369506] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1510 [ 57.369512] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1506 [ 57.369552] caller is __target_init_cmd+0x157/0x170 [target_core_mod] [ 57.369606] CPU: 4 PID: 1506 Comm: fio Not tainted 5.13.0-rc1+ #34 [ 57.369613] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018 [ 57.369617] Call Trace: [ 57.369621] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1507 [ 57.369628] dump_stack+0x6d/0x89 [ 57.369642] check_preemption_disabled+0xc8/0xd0 [ 57.369628] caller is __target_init_cmd+0x157/0x170 [target_core_mod] [ 57.369655] __target_init_cmd+0x157/0x170 [target_core_mod] [ 57.369695] target_init_cmd+0x76/0x90 [target_core_mod] [ 57.369732] tcm_loop_queuecommand+0x109/0x210 [tcm_loop] [ 57.369744] scsi_queue_rq+0x38e/0xc40 [ 57.369761] __blk_mq_try_issue_directly+0x109/0x1c0 [ 57.369779] blk_mq_try_issue_directly+0x43/0x90 [ 57.369790] blk_mq_submit_bio+0x4e5/0x5d0 [ 57.369812] submit_bio_noacct+0x46e/0x4e0 [ 57.369830] __blkdev_direct_IO_simple+0x1a3/0x2d0 [ 57.369859] ? set_init_blocksize.isra.0+0x60/0x60 [ 57.369880] generic_file_read_iter+0x89/0x160 [ 57.369898] blkdev_read_iter+0x44/0x60 [ 57.369906] new_sync_read+0x102/0x170 [ 57.369929] vfs_read+0xd4/0x160 [ 57.369941] __x64_sys_pread64+0x6e/0xa0 [ 57.369946] ? lockdep_hardirqs_on+0x79/0x100 [ 57.369958] do_syscall_64+0x3a/0x70 [ 57.369965] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 57.369973] RIP: 0033:0x7f7ed4c1399f [ 57.369979] Code: 08 89 3c 24 48 89 4c 24 18 e8 7d f3 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 48 8b 74 24 08 8b 3c 24 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 04 24 e8 cd f3 ff ff 48 8b [ 57.369983] RSP: 002b:00007ffd7918c580 EFLAGS: 00000293 ORIG_RAX: 0000000000000011 [ 57.369990] RAX: ffffffffffffffda RBX: 00000000015b4540 RCX: 00007f7ed4c1399f [ 57.369993] RDX: 0000000000001000 RSI: 00000000015de000 RDI: 0000000000000009 [ 57.369996] RBP: 00000000015b4540 R08: 0000000000000000 R09: 0000000000000001 [ 57.369999] R10: 0000000000e5c000 R11: 0000000000000293 R12: 00007f7eb5269a70 [ 57.370002] R13: 0000000000000000 R14: 0000000000001000 R15: 00000000015b4568 [ 57.370031] CPU: 7 PID: 1507 Comm: fio Not tainted 5.13.0-rc1+ #34 [ 57.370036] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018 [ 57.370039] Call Trace: [ 57.370045] dump_stack+0x6d/0x89 [ 57.370056] ch ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47178"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-25T10:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Avoid smp_processor_id() in preemptible code\n\nThe BUG message \"BUG: using smp_processor_id() in preemptible [00000000]\ncode\" was observed for TCMU devices with kernel config DEBUG_PREEMPT.\n\nThe message was observed when blktests block/005 was run on TCMU devices\nwith fileio backend or user:zbc backend [1]. The commit 1130b499b4a7\n(\"scsi: target: tcm_loop: Use LIO wq cmd submission helper\") triggered the\nsymptom. The commit modified work queue to handle commands and changed\n\u0027current-\u003enr_cpu_allowed\u0027 at smp_processor_id() call.\n\nThe message was also observed at system shutdown when TCMU devices were not\ncleaned up [2]. The function smp_processor_id() was called in SCSI host\nwork queue for abort handling, and triggered the BUG message. This symptom\nwas observed regardless of the commit 1130b499b4a7 (\"scsi: target:\ntcm_loop: Use LIO wq cmd submission helper\").\n\nTo avoid the preemptible code check at smp_processor_id(), get CPU ID with\nraw_smp_processor_id() instead. The CPU ID is used for performance\nimprovement then thread move to other CPU will not affect the code.\n\n[1]\n\n[   56.468103] run blktests block/005 at 2021-05-12 14:16:38\n[   57.369473] check_preemption_disabled: 85 callbacks suppressed\n[   57.369480] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1511\n[   57.369506] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1510\n[   57.369512] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1506\n[   57.369552] caller is __target_init_cmd+0x157/0x170 [target_core_mod]\n[   57.369606] CPU: 4 PID: 1506 Comm: fio Not tainted 5.13.0-rc1+ #34\n[   57.369613] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018\n[   57.369617] Call Trace:\n[   57.369621] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1507\n[   57.369628]  dump_stack+0x6d/0x89\n[   57.369642]  check_preemption_disabled+0xc8/0xd0\n[   57.369628] caller is __target_init_cmd+0x157/0x170 [target_core_mod]\n[   57.369655]  __target_init_cmd+0x157/0x170 [target_core_mod]\n[   57.369695]  target_init_cmd+0x76/0x90 [target_core_mod]\n[   57.369732]  tcm_loop_queuecommand+0x109/0x210 [tcm_loop]\n[   57.369744]  scsi_queue_rq+0x38e/0xc40\n[   57.369761]  __blk_mq_try_issue_directly+0x109/0x1c0\n[   57.369779]  blk_mq_try_issue_directly+0x43/0x90\n[   57.369790]  blk_mq_submit_bio+0x4e5/0x5d0\n[   57.369812]  submit_bio_noacct+0x46e/0x4e0\n[   57.369830]  __blkdev_direct_IO_simple+0x1a3/0x2d0\n[   57.369859]  ? set_init_blocksize.isra.0+0x60/0x60\n[   57.369880]  generic_file_read_iter+0x89/0x160\n[   57.369898]  blkdev_read_iter+0x44/0x60\n[   57.369906]  new_sync_read+0x102/0x170\n[   57.369929]  vfs_read+0xd4/0x160\n[   57.369941]  __x64_sys_pread64+0x6e/0xa0\n[   57.369946]  ? lockdep_hardirqs_on+0x79/0x100\n[   57.369958]  do_syscall_64+0x3a/0x70\n[   57.369965]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[   57.369973] RIP: 0033:0x7f7ed4c1399f\n[   57.369979] Code: 08 89 3c 24 48 89 4c 24 18 e8 7d f3 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 48 8b 74 24 08 8b 3c 24 b8 11 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 31 44 89 c7 48 89 04 24 e8 cd f3 ff ff 48 8b\n[   57.369983] RSP: 002b:00007ffd7918c580 EFLAGS: 00000293 ORIG_RAX: 0000000000000011\n[   57.369990] RAX: ffffffffffffffda RBX: 00000000015b4540 RCX: 00007f7ed4c1399f\n[   57.369993] RDX: 0000000000001000 RSI: 00000000015de000 RDI: 0000000000000009\n[   57.369996] RBP: 00000000015b4540 R08: 0000000000000000 R09: 0000000000000001\n[   57.369999] R10: 0000000000e5c000 R11: 0000000000000293 R12: 00007f7eb5269a70\n[   57.370002] R13: 0000000000000000 R14: 0000000000001000 R15: 00000000015b4568\n[   57.370031] CPU: 7 PID: 1507 Comm: fio Not tainted 5.13.0-rc1+ #34\n[   57.370036] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018\n[   57.370039] Call Trace:\n[   57.370045]  dump_stack+0x6d/0x89\n[   57.370056]  ch\n---truncated---",
  "id": "GHSA-vmqf-grh3-9rrr",
  "modified": "2025-03-17T15:31:36Z",
  "published": "2024-03-25T12:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47178"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/70ca3c57ff914113f681e657634f7fbfa68e1ad1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a20b6eaf4f35046a429cde57bee7eb5f13d6857f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a222d2794c53f8165de20aa91b39e35e4b72bce9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Temporary files and other supporting resources should be deleted/released immediately after they are no longer needed.

No CAPEC attack patterns related to this CWE.