CWE-665
DiscouragedImproper Initialization
Abstraction: Class · Status: Draft
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
425 vulnerabilities reference this CWE, most recent first.
GHSA-5HPG-VPRM-C7R7
Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-20 00:00Improper Initialization vulnerability in the local server component of EZVIZ CS-C6N-A0-1C2WFR allows a local attacker to read the contents of the memory space containing the encrypted admin password. This issue affects: EZVIZ CS-C6N-A0-1C2WFR versions prior to 5.3.0 build 220428.
{
"affected": [],
"aliases": [
"CVE-2022-2472"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-15T14:15:00Z",
"severity": "MODERATE"
},
"details": "Improper Initialization vulnerability in the local server component of EZVIZ CS-C6N-A0-1C2WFR allows a local attacker to read the contents of the memory space containing the encrypted admin password. This issue affects: EZVIZ CS-C6N-A0-1C2WFR versions prior to 5.3.0 build 220428.",
"id": "GHSA-5hpg-vprm-c7r7",
"modified": "2022-09-20T00:00:28Z",
"published": "2022-09-16T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2472"
},
{
"type": "WEB",
"url": "https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-ezviz-smart-cams"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5MH9-R3RR-9597
Vulnerability from github – Published: 2020-05-21 21:08 – Updated: 2024-10-15 23:33HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "net.sourceforge.htmlunit:htmlunit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.37.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5529"
],
"database_specific": {
"cwe_ids": [
"CWE-665",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2020-05-21T17:25:38Z",
"nvd_published_at": "2020-02-11T12:15:00Z",
"severity": "HIGH"
},
"details": "HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application. ",
"id": "GHSA-5mh9-r3rr-9597",
"modified": "2024-10-15T23:33:01Z",
"published": "2020-05-21T21:08:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5529"
},
{
"type": "WEB",
"url": "https://github.com/HtmlUnit/htmlunit/commit/bc1f58d483cc8854a9c4c1739abd5e04a2eb0367"
},
{
"type": "PACKAGE",
"url": "https://github.com/HtmlUnit/htmlunit"
},
{
"type": "WEB",
"url": "https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN34535327"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563%40%3Ccommits.camel.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563@%3Ccommits.camel.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00023.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4584-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Code execution vulnerability in HtmlUnit"
}
GHSA-5MRV-F9XF-HPQP
Vulnerability from github – Published: 2023-10-29 09:30 – Updated: 2023-11-08 03:30iSulad uses the lcr+lxc runtime (default) to run malicious images, which can cause DOS.
{
"affected": [],
"aliases": [
"CVE-2021-33634"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-29T08:15:20Z",
"severity": "MODERATE"
},
"details": "iSulad uses the lcr+lxc runtime (default) to run malicious images, which can cause DOS.\n\n",
"id": "GHSA-5mrv-f9xf-hpqp",
"modified": "2023-11-08T03:30:31Z",
"published": "2023-10-29T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33634"
},
{
"type": "WEB",
"url": "https://gitee.com/src-openeuler/lcr/pulls/251/files"
},
{
"type": "WEB",
"url": "https://gitee.com/src-openeuler/lcr/pulls/257/files"
},
{
"type": "WEB",
"url": "https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1692"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5Q8V-93HH-2P33
Vulnerability from github – Published: 2024-08-14 15:31 – Updated: 2025-11-04 00:31Improper initialization in firmware for some Intel(R) CSME may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2023-48361"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-14T14:15:14Z",
"severity": "MODERATE"
},
"details": "Improper initialization in firmware for some Intel(R) CSME may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-5q8v-93hh-2p33",
"modified": "2025-11-04T00:31:11Z",
"published": "2024-08-14T15:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48361"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241108-0003"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00999.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5VP3-V4HC-GX76
Vulnerability from github – Published: 2021-09-15 20:23 – Updated: 2021-11-16 21:44Impact
Upgradeable contracts using UUPSUpgradeable may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.
Patches
A fix is included in version 4.3.2 of @openzeppelin/contracts and @openzeppelin/contracts-upgradeable.
Workarounds
Initialize implementation contracts using UUPSUpgradeable by invoking the initializer function (usually called initialize). An example is provided in the forum.
References
For more information
If you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@openzeppelin/contracts"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@openzeppelin/contracts-upgradeable"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41264"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-14T22:17:42Z",
"nvd_published_at": "2021-11-12T18:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nUpgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. We will update this advisory with more information soon.\n\n### Patches\n\nA fix is included in version 4.3.2 of `@openzeppelin/contracts` and `@openzeppelin/contracts-upgradeable`.\n\n### Workarounds\n\nInitialize implementation contracts using `UUPSUpgradeable` by invoking the initializer function (usually called `initialize`). An example is provided [in the forum](https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301).\n\n### References\n\n[Post-mortem](https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680).\n\n### For more information\n\nIf you have any questions or comments about this advisory, or need assistance executing the mitigation, email us at security@openzeppelin.com.",
"id": "GHSA-5vp3-v4hc-gx76",
"modified": "2021-11-16T21:44:47Z",
"published": "2021-09-15T20:23:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-5vp3-v4hc-gx76"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41264"
},
{
"type": "WEB",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/024cc50df478d2e8f78539819749e94d6df60592"
},
{
"type": "WEB",
"url": "https://forum.openzeppelin.com/t/security-advisory-initialize-uups-implementation-contracts/15301"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenZeppelin/openzeppelin-contracts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "UUPSUpgradeable vulnerability in @openzeppelin/contracts"
}
GHSA-5WCH-8P23-HJ3X
Vulnerability from github – Published: 2026-07-02 15:32 – Updated: 2026-07-02 15:32A malicious actor with access to the network and under certain conditions could exploit an Improper Initialization vulnerability found in UniFi Protect Application to bypass authentication in UniFi Protect Cameras.
{
"affected": [],
"aliases": [
"CVE-2026-54409"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T15:17:04Z",
"severity": "HIGH"
},
"details": "A malicious actor with access to the network and under certain conditions could exploit an Improper Initialization vulnerability found in UniFi Protect Application to bypass authentication in UniFi Protect Cameras.",
"id": "GHSA-5wch-8p23-hj3x",
"modified": "2026-07-02T15:32:13Z",
"published": "2026-07-02T15:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54409"
},
{
"type": "WEB",
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5X29-3HR9-6WPW
Vulnerability from github – Published: 2022-02-11 23:18 – Updated: 2023-08-29 21:08Impact
TPM 2.0 users are unaffected by this issue.
An adversary eavesdropping on the TPM 1.2 transport path can calculate usageAuth for a key created with CreateWrapKey, even though this value is encrypted as part of the TPM 1.2 command protocol.
The TPM 1.2 CreateWrapKey command accepts two secrets: usageAuth and migrationAuth. The ADIP protocol (TPM 1.2 specification, part 1, section 13.4) calls for these values to be encrypted with two different XOR keys. Due to a bug in go-tpm prior to version 0.3.0, both usageAuth and migrationAuth are encrypted with the same XOR keystream. This allows an adversary to XOR encUsageAuth and encMigrationAuth together to calculate usageAuth ^ encMigrationAuth. Since migrationAuth is moot for all keys created with go-tpm's CreateWrapKey (since all keys created with this function are marked non-migratable), an adversary may guess or know (from code/binary inspection) that migrationAuth is all 0x00 bytes or some other fixed value. Such an adversary can then calculate usageAuth and use this value later to improperly use the created key, unbeknownst to the creator of the key.
Patches
Fixed in go-tpm version 0.3.0.
Workarounds
- TPM 2.0 users: No workaround needed. This issue only affects TPM 1.2 users.
- TPM 1.2 users: Call CreateWrapKey with a random 20-byte value for
migrationAuth, even though that value is not used again (since CreateWrapKey creates keys that are non-migratable). Do not store or log this value.
Details
TPM 1.2 uses a protocol called ADIP (Authorization Data Insertion Protocol) to encrypt authorization values over-the-wire for newly created objects. This prevents a bus-snooping attack like those publicized by TPM Genie. TPM 2.0 makes this optional (the way to do it is with parameter-encryption sessions). You can read more about ADIP in section 13.4 of Part 1: Design Principles in the latest TPM 1.2 specification. Normally, ADIP consists of the following steps:
Key := SHA1(authSession.SharedSecret || a nonce)
Note: nonces and auth values in TPM 1.2 are always 20 bytes
EncAuth := XOR(Key, Auth)
When commands require one ADIP-encrypted auth value, the nonce is the last nonceEven (last nonce from the TPM). When commands require two ADIP-encrypted auth values, the nonce for the first auth value is still nonceEven, and the nonce for the second auth value is the last nonceOdd, which is the one being provided by the caller along with the current command on the session. The reason for this is that you wouldn't want an adversary to be able to XOR the two encrypted auth values together and come up with (auth 1 XOR key) XOR (auth 2 XOR key) where the "one-time" pad key is used twice and cancels itself out.
Here are the commands that take one authorization value by ADIP:
- Seal (the sealed data's auth value)
- Sealx (the sealed data's auth value)
- CreateKey (the key's auth value)
- MakeIdentity (the AIK's auth value)
- ChangeAuth (the entity's new auth value)
- ChangeAuthOwner (the new owner auth value)
- Delegate_CreateKeyDelegation (the new delegation auth value)
- Delegate_CreateOwnerDelegation (the new delegation auth value)
- NV_DefineSpace (the NV's auth value)
- CreateCounter (the counter's auth value)
Here are the commands that take two authorization values by ADIP:
- CreateWrapKey (the key's auth value, and the key's migration (to export out of the TPM) auth value)
The migrationAuth value is never used if the key does not have the TPM_KEY_FLAGS.migratable flag set on it. go-tpm does not currently allow the caller to set this flag.
Here was the bug in our implementation of CreateWrapKey():
https://github.com/google/go-tpm/blob/16766ac4521425bd02ad23868fbdf24749268669/tpm/tpm.go#L1322-L1329
Here we see that both usageAuth and migrationAuth are encrypted by the same XOR key. This is the correct key (i.e., it is based on nonceEven) for usageAuth, but not migrationAuth.
This means 2 things:
First: migrationAuth is being set to some value that is effectively unrelated to migrationAuth as passed by the caller. Again, this is not interesting to all current callers (given that there is no way for them to pass TPM_KEY_FLAGS.migratable via the current API; migrationAuth is not a meaningful value).
Second, and much more importantly: a user of go-tpm is vulnerable to the following attack by a passive bus-snooping adversary (CVE-2020-8918)
1. Wait for a CreateWrapKey command
2. Collect encUsageAuth and encMigrationAuth
3. Calculate (usageAuth XOR migrationAuth) := (encUsageAuth XOR encMigrationAuth)
4. Assuming migrationAuth is all 0x00 (a reasonable assumption for a caller who knows the key is not migratable), the calculation in (3) is the usage auth of the key.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/google/go-tpm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8918"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-24T18:32:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nTPM 2.0 users are unaffected by this issue.\n\nAn adversary eavesdropping on the TPM 1.2 transport path can calculate `usageAuth` for a key created with CreateWrapKey, even though this value is encrypted as part of the TPM 1.2 command protocol.\n\nThe TPM 1.2 CreateWrapKey command accepts two secrets: `usageAuth` and `migrationAuth`. The ADIP protocol ([TPM 1.2 specification, part 1, section 13.4](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-1-Design-Principles_v1.2_rev116_01032011.pdf)) calls for these values to be encrypted with two different XOR keys. Due to a bug in go-tpm prior to version 0.3.0, both `usageAuth` and `migrationAuth` are encrypted with the same XOR keystream. This allows an adversary to XOR `encUsageAuth` and `encMigrationAuth` together to calculate `usageAuth ^ encMigrationAuth`. Since `migrationAuth` is moot for all keys created with go-tpm\u0027s `CreateWrapKey` (since all keys created with this function are marked non-migratable), an adversary may guess or know (from code/binary inspection) that `migrationAuth` is all 0x00 bytes or some other fixed value. Such an adversary can then calculate `usageAuth` and use this value later to improperly use the created key, unbeknownst to the creator of the key.\n\n### Patches\nFixed in go-tpm version 0.3.0.\n\n### Workarounds\n\n- TPM 2.0 users: No workaround needed. This issue only affects TPM 1.2 users.\n- TPM 1.2 users: Call CreateWrapKey with a random 20-byte value for `migrationAuth`, even though that value is not used again (since CreateWrapKey creates keys that are non-migratable). Do not store or log this value.\n\n\n### Details\n\nTPM 1.2 uses a protocol called ADIP (Authorization Data Insertion Protocol) to encrypt authorization values over-the-wire for newly created objects. This prevents a bus-snooping attack like those publicized by TPM Genie. TPM 2.0 makes this optional (the way to do it is with parameter-encryption sessions). You can read more about ADIP in section 13.4 of Part 1: Design Principles in the latest [TPM 1.2 specification](https://trustedcomputinggroup.org/resource/tpm-main-specification/). Normally, ADIP consists of the following steps:\n```\nKey := SHA1(authSession.SharedSecret || a nonce)\nNote: nonces and auth values in TPM 1.2 are always 20 bytes\nEncAuth := XOR(Key, Auth)\n```\nWhen commands require one ADIP-encrypted auth value, the nonce is the last nonceEven (last nonce from the TPM).\nWhen commands require two ADIP-encrypted auth values, the nonce for the first auth value is still nonceEven, and the nonce for the second auth value is the last nonceOdd, which is the one being provided by the caller along with the current command on the session.\nThe reason for this is that you wouldn\u0027t want an adversary to be able to XOR the two encrypted auth values together and come up with (auth 1 XOR key) XOR (auth 2 XOR key) where the \"one-time\" pad key is used twice and cancels itself out.\n\nHere are the commands that take one authorization value by ADIP:\n\n- Seal (the sealed data\u0027s auth value)\n- Sealx (the sealed data\u0027s auth value)\n- CreateKey (the key\u0027s auth value)\n- MakeIdentity (the AIK\u0027s auth value)\n- ChangeAuth (the entity\u0027s new auth value)\n- ChangeAuthOwner (the new owner auth value)\n- Delegate_CreateKeyDelegation (the new delegation auth value)\n- Delegate_CreateOwnerDelegation (the new delegation auth value)\n- NV_DefineSpace (the NV\u0027s auth value)\n- CreateCounter (the counter\u0027s auth value)\n\nHere are the commands that take two authorization values by ADIP:\n\n- CreateWrapKey (the key\u0027s auth value, and the key\u0027s migration (to export out of the TPM) auth value)\n\nThe migrationAuth value is never used if the key does not have the `TPM_KEY_FLAGS.migratable` flag set on it. go-tpm does not currently allow the caller to set this flag.\nHere was the bug in our implementation of `CreateWrapKey()`:\n\nhttps://github.com/google/go-tpm/blob/16766ac4521425bd02ad23868fbdf24749268669/tpm/tpm.go#L1322-L1329\n\nHere we see that both usageAuth and migrationAuth are encrypted by the same XOR key. This is the correct key (i.e., it is based on nonceEven) for usageAuth, but not migrationAuth.\n\nThis means 2 things:\n\n**First: migrationAuth is being set to some value that is effectively unrelated to migrationAuth as passed by the caller.** Again, this is not interesting to all current callers (given that there is no way for them to pass `TPM_KEY_FLAGS.migratable` via the current API; migrationAuth is not a meaningful value).\n\n**Second, and much more importantly: a user of go-tpm is vulnerable to the following attack by a passive bus-snooping adversary (CVE-2020-8918)**\n1. Wait for a `CreateWrapKey` command\n2. Collect `encUsageAuth` and `encMigrationAuth`\n3. Calculate `(usageAuth XOR migrationAuth) := (encUsageAuth XOR encMigrationAuth)`\n4. Assuming migrationAuth is all 0x00 (a reasonable assumption for a caller who knows the key is not migratable), the calculation in (3) is the usage auth of the key.",
"id": "GHSA-5x29-3hr9-6wpw",
"modified": "2023-08-29T21:08:37Z",
"published": "2022-02-11T23:18:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8918"
},
{
"type": "WEB",
"url": "https://github.com/google/go-tpm/pull/195"
},
{
"type": "WEB",
"url": "https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141"
},
{
"type": "PACKAGE",
"url": "https://github.com/google/go-tpm"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0095"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "TPM 1.2 key authorization values vulnerable to TPM transport eavesdropper in go-tpm"
}
GHSA-62PR-J2HQ-8W9P
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117965
{
"affected": [],
"aliases": [
"CVE-2021-0449"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-10T17:15:00Z",
"severity": "MODERATE"
},
"details": "In the Titan M chip firmware, there is a possible disclosure of stack memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117965",
"id": "GHSA-62pr-j2hq-8w9p",
"modified": "2022-05-24T17:44:09Z",
"published": "2022-05-24T17:44:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0449"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-03-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-676X-HFQR-52VW
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26Skia, as used in Google Chrome before 16.0.912.77, does not perform all required initialization of values, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
{
"affected": [],
"aliases": [
"CVE-2011-3927"
],
"database_specific": {
"cwe_ids": [
"CWE-665"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-01-24T04:03:00Z",
"severity": "HIGH"
},
"details": "Skia, as used in Google Chrome before 16.0.912.77, does not perform all required initialization of values, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.",
"id": "GHSA-676x-hfqr-52vw",
"modified": "2022-05-13T01:26:57Z",
"published": "2022-05-13T01:26:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3927"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13948"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=108605"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2012/01/stable-channel-update_23.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/47694"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1026569"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-682W-9RVW-QW43
Vulnerability from github – Published: 2023-01-18 18:30 – Updated: 2023-01-26 18:30An issue in MatrixSSL 4.5.1-open and earlier leads to failure to securely check the SessionID field, resulting in the misuse of an all-zero MasterSecret that can decrypt secret data.
{
"affected": [],
"aliases": [
"CVE-2022-46505"
],
"database_specific": {
"cwe_ids": [
"CWE-665",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-18T16:15:00Z",
"severity": "HIGH"
},
"details": "An issue in MatrixSSL 4.5.1-open and earlier leads to failure to securely check the SessionID field, resulting in the misuse of an all-zero MasterSecret that can decrypt secret data.",
"id": "GHSA-682w-9rvw-qw43",
"modified": "2023-01-26T18:30:47Z",
"published": "2023-01-18T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46505"
},
{
"type": "WEB",
"url": "https://github.com/SmallTown123/details-for-CVE-2022-46505"
},
{
"type": "WEB",
"url": "https://smalltown123.notion.site/MatrixSSL-session-resume-bug-a0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable's type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.
Mitigation
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Mitigation
Explicitly initialize all your variables and other data stores, either during declaration or just before the first usage.
Mitigation
Pay close attention to complex conditionals that affect initialization, since some conditions might not perform the initialization.
Mitigation
Avoid race conditions (CWE-362) during initialization routines.
Mitigation
Run or compile your product with settings that generate warnings about uninitialized variables or data.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.