CWE-670
Allowed-with-ReviewAlways-Incorrect Control Flow Implementation
Abstraction: Class · Status: Draft
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
203 vulnerabilities reference this CWE, most recent first.
GHSA-WHVC-FHWP-5X6H
Vulnerability from github β Published: 2022-05-13 01:13 β Updated: 2022-05-13 01:13An issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, will lead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file.
{
"affected": [],
"aliases": [
"CVE-2018-19058"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-07T16:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Poppler 0.71.0. There is a reachable abort in Object.h, will lead to denial of service because EmbFile::save2 in FileSpec.cc lacks a stream check before saving an embedded file.",
"id": "GHSA-whvc-fhwp-5x6h",
"modified": "2022-05-13T01:13:47Z",
"published": "2022-05-13T01:13:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19058"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2022"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/poppler/poppler/issues/659"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00014.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00030.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3837-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPQR-JCPX-745R
Vulnerability from github β Published: 2022-07-05 21:06 β Updated: 2022-08-05 13:56Impact
What kind of vulnerability is it? Who is impacted?
Anyone parsing JSON from an untrusted source is vulnerable.
JSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries.
Examples:
# An unpaired high surrogate character is ignored.
>>> ujson.loads(r'"\uD800"')
''
>>> ujson.loads(r'"\uD800hello"')
'hello'
# An unpaired low surrogate character is preserved.
>>> ujson.loads(r'"\uDC00"')
'\udc00'
# A pair of surrogates with additional non surrogate characters pair up in spite of being invalid.
>>> ujson.loads(r'"\uD800foo bar\uDC00"')
'foo barπ'
Patches
Has the problem been patched? What versions should users upgrade to?
Users should upgrade to UltraJSON 5.4.0.
From version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library's json module does, preserving them in the parsed output:
>>> ujson.loads(r'"\uD800"')
'\ud800'
>>> ujson.loads(r'"\uD800hello"')
'\ud800hello'
>>> ujson.loads(r'"\uDC00"')
'\udc00'
>>> ujson.loads(r'"\uD800foo bar\uDC00"')
'\ud800foo bar\udc00'
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Short of switching to an entirely different JSON library, there are no safe alternatives to upgrading.
For more information
If you have any questions or comments about this advisory: * Open an issue in UltraJSON
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ujson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31116"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-05T21:06:00Z",
"nvd_published_at": "2022-07-05T18:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nAnyone parsing JSON from an untrusted source is vulnerable.\n\nJSON strings that contain escaped surrogate characters not part of a proper surrogate pair were decoded incorrectly. Besides corrupting strings, this allowed for potential key confusion and value overwriting in dictionaries.\n\nExamples:\n\n```python\n# An unpaired high surrogate character is ignored.\n\u003e\u003e\u003e ujson.loads(r\u0027\"\\uD800\"\u0027)\n\u0027\u0027\n\u003e\u003e\u003e ujson.loads(r\u0027\"\\uD800hello\"\u0027)\n\u0027hello\u0027\n\n# An unpaired low surrogate character is preserved.\n\u003e\u003e\u003e ujson.loads(r\u0027\"\\uDC00\"\u0027)\n\u0027\\udc00\u0027\n\n# A pair of surrogates with additional non surrogate characters pair up in spite of being invalid.\n\u003e\u003e\u003e ujson.loads(r\u0027\"\\uD800foo bar\\uDC00\"\u0027)\n\u0027foo bar\ud800\udc00\u0027\n```\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nUsers should upgrade to UltraJSON 5.4.0.\n\nFrom version 5.4.0, UltraJSON decodes lone surrogates in the same way as the standard library\u0027s `json` module does, preserving them in the parsed output:\n\n```python3\n\u003e\u003e\u003e ujson.loads(r\u0027\"\\uD800\"\u0027)\n\u0027\\ud800\u0027\n\u003e\u003e\u003e ujson.loads(r\u0027\"\\uD800hello\"\u0027)\n\u0027\\ud800hello\u0027\n\u003e\u003e\u003e ujson.loads(r\u0027\"\\uDC00\"\u0027)\n\u0027\\udc00\u0027\n\u003e\u003e\u003e ujson.loads(r\u0027\"\\uD800foo bar\\uDC00\"\u0027)\n\u0027\\ud800foo bar\\udc00\u0027\n```\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nShort of switching to an entirely different JSON library, there are no safe alternatives to upgrading.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [UltraJSON](http://github.com/ultrajson/ultrajson/issues)\n",
"id": "GHSA-wpqr-jcpx-745r",
"modified": "2022-08-05T13:56:18Z",
"published": "2022-07-05T21:06:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wpqr-jcpx-745r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31116"
},
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/commit/67ec07183342589d602e0fcf7bb1ff3e19272687"
},
{
"type": "PACKAGE",
"url": "https://github.com/ultrajson/ultrajson"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Incorrect handling of invalid surrogate pair characters"
}
GHSA-WQ7P-5X5C-PHQR
Vulnerability from github β Published: 2023-04-20 15:30 β Updated: 2024-04-04 03:36An issue was discovered in ONOS 2.5.1. IntentManager attempts to install the IPv6 flow rules of an intent into an OpenFlow 1.0 switch that does not support IPv6. Improper handling of the difference in capabilities of the intent and switch is misleading to a network operator.
{
"affected": [],
"aliases": [
"CVE-2022-29605"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-20T13:15:07Z",
"severity": "HIGH"
},
"details": "An issue was discovered in ONOS 2.5.1. IntentManager attempts to install the IPv6 flow rules of an intent into an OpenFlow 1.0 switch that does not support IPv6. Improper handling of the difference in capabilities of the intent and switch is misleading to a network operator.",
"id": "GHSA-wq7p-5x5c-phqr",
"modified": "2024-04-04T03:36:48Z",
"published": "2023-04-20T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29605"
},
{
"type": "WEB",
"url": "https://wiki.onosproject.org/display/ONOS/Intent+Framework"
},
{
"type": "WEB",
"url": "https://www.usenix.org/system/files/sec23fall-prepub-285_kim-jiwon.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WV33-5PXH-R7J7
Vulnerability from github β Published: 2026-07-06 19:54 β Updated: 2026-07-06 19:54The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.
Zellic finding 3.22. Reported in the Zellic uutils coreutils Program Security Assessment (for Canonical, Jan 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "uu_cut"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35343"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T19:54:33Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newline character is specified as the delimiter. The implementation fails to verify the only_delimited flag in the cut_fields_newline_char_delim function, causing the utility to print non-delimited lines that should have been suppressed. This can lead to unexpected data being passed to downstream scripts that rely on strict output filtering.\n\n---\n_Zellic finding 3.22. Reported in the Zellic *uutils coreutils Program Security Assessment* (for Canonical, Jan 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`._",
"id": "GHSA-wv33-5pxh-r7j7",
"modified": "2026-07-06T19:54:33Z",
"published": "2026-07-06T19:54:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/security/advisories/GHSA-wv33-5pxh-r7j7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35343"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/pull/11143"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/commit/9bbb58b746c41802278b0cba738eebbf21517cf7"
},
{
"type": "PACKAGE",
"url": "https://github.com/uutils/coreutils"
},
{
"type": "WEB",
"url": "https://github.com/uutils/coreutils/releases/tag/0.7.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "cut: -s (only-delimited) ignored when delimiter is a newline"
}
GHSA-WVQ7-4F7C-Q7WC
Vulnerability from github β Published: 2026-04-02 18:31 β Updated: 2026-04-02 21:32A bug in POST request handling causes a crash under a certain condition.
This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.
Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.
A workaround for older versions is to setΒ proxy.config.http.request_buffer_enabled to 0 (the default value is 0).
{
"affected": [],
"aliases": [
"CVE-2025-58136"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-02T17:16:20Z",
"severity": "HIGH"
},
"details": "A bug in POST request handling causes a crash under a certain condition.\n\nThis issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12.\n\nUsers are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue.\n\nA workaround for older versions is to set\u00a0proxy.config.http.request_buffer_enabled to 0 (the default value is 0).",
"id": "GHSA-wvq7-4f7c-q7wc",
"modified": "2026-04-02T21:32:52Z",
"published": "2026-04-02T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58136"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/2s11roxlv1j8ph6q52rqo1klvl01n14q"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X6QJ-75G5-46WG
Vulnerability from github β Published: 2024-11-12 18:30 β Updated: 2024-11-12 18:30HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability. The application does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
{
"affected": [],
"aliases": [
"CVE-2024-30133"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T17:15:07Z",
"severity": "MODERATE"
},
"details": "HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability. The application does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.",
"id": "GHSA-x6qj-75g5-46wg",
"modified": "2024-11-12T18:30:57Z",
"published": "2024-11-12T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30133"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0114725"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XGR7-JGQ3-MHMC
Vulnerability from github β Published: 2024-06-06 18:51 β Updated: 2024-06-17 15:23Summary
Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.
Details
We discovered a bug walking through how to liquid stake using Safe which itself is a contract. The bug only appears when there is a local state change together with an ICS20 transfer in the same function and uses the contract's balance, that is using the contract address as the sender parameter in an ICS20 transfer using the ICS20 precompile
Proof of Concept
// This function does not reduce the contract balance correctly but liquid stakes correctly
function transfer(
string memory sourcePort,
string memory sourceChannel,
string memory denom,
uint256 amount,
string memory receiver,
string memory evmosReceiver
) external returns (uint64 nextSequence) {
counter += 1; # Only happens when there is a local state update together with an ICS20 Transfer
Height memory timeoutHeight = Height(100, 100);
string memory memo = buildLiquidStakeMemo(receiver, evmosReceiver);
return ICS20_CONTRACT.transfer(
sourcePort,
sourceChannel,
denom,
amount,
address(this), # this is the sender address which is the contract
receiver,
timeoutHeight,
0,
memo
);
}
Impact
This is in essence the "infinite money glitch" allowing contracts to double the supply of Evmos after each transaction.
Severity
Based on ImmuneFi Severity Classification System the severity was evaluated to Critical since the attack could have lead to create new supply of EVMOS and therefore lead to Direct loss of funds's value.
Patches
The issue has been patched in versions >=V18.1.0.
For more information
If you have any questions or comments about this advisory:
Reach out to the Core Team in Discord Open a discussion in evmos/evmos Email us at security@evmos.org for security questions
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 18.0.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v18"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 17.0.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v17"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 16.0.4"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v16"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 15.0.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v15"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 14.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v14"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 13.0.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v13"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.1.6"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v12"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v11"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.0.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v10"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v9"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.2.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.0.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v7"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.4"
},
"package": {
"ecosystem": "Go",
"name": "github.com/evmos/evmos/v6"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "18.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37153"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-06T18:51:25Z",
"nvd_published_at": "2024-06-06T19:15:58Z",
"severity": "HIGH"
},
"details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._\n\n### Details\nWe discovered a bug walking through how to liquid stake using Safe which itself is a contract. The bug only appears when there is a local state change together with an ICS20 transfer in the same function and uses the contract\u0027s balance, that is using the contract address as the `sender` parameter in an ICS20 transfer using the ICS20 precompile\n\n### Proof of Concept\n```solidity\n// This function does not reduce the contract balance correctly but liquid stakes correctly \nfunction transfer(\n string memory sourcePort,\n string memory sourceChannel,\n string memory denom,\n uint256 amount,\n string memory receiver,\n string memory evmosReceiver\n ) external returns (uint64 nextSequence) {\n counter += 1; # Only happens when there is a local state update together with an ICS20 Transfer\n Height memory timeoutHeight = Height(100, 100);\n string memory memo = buildLiquidStakeMemo(receiver, evmosReceiver);\n return ICS20_CONTRACT.transfer(\n sourcePort, \n sourceChannel,\n denom,\n amount,\n address(this), # this is the sender address which is the contract\n receiver,\n timeoutHeight,\n 0,\n memo\n );\n }\n```\n\n### Impact\nThis is in essence the \"infinite money glitch\" allowing contracts to double the supply of Evmos after each transaction.\n\n### Severity\n\nBased on [ImmuneFi Severity Classification System](https://immunefisupport.zendesk.com/hc/en-us/articles/13332717597585-Severity-Classification-System) the severity was evaluated to `Critical` since the attack could have lead to create new supply of EVMOS and therefore lead to Direct loss of funds\u0027s value.\n\n### Patches\n\nThe issue has been patched in versions \u003e=V18.1.0. \n\n## For more information\nIf you have any questions or comments about this advisory:\n\nReach out to the Core Team in [Discord](https://discord.gg/evmos)\nOpen a discussion in [evmos/evmos](https://github.com/evmos/evmos/discussions)\nEmail us at [security@evmos.org](mailto:security@evmos.org) for security questions\n",
"id": "GHSA-xgr7-jgq3-mhmc",
"modified": "2024-06-17T15:23:41Z",
"published": "2024-06-06T18:51:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/evmos/evmos/security/advisories/GHSA-xgr7-jgq3-mhmc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37153"
},
{
"type": "WEB",
"url": "https://github.com/evmos/evmos/commit/478b7a62e7af57a70cf3a01126c7f5a89bee69d7"
},
{
"type": "PACKAGE",
"url": "https://github.com/evmos/evmos"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2903"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Contract balance not updating correctly after interchain transaction"
}
GHSA-XH7P-G3JR-X8P8
Vulnerability from github β Published: 2022-09-07 00:01 β Updated: 2022-09-10 00:00In vow, there is a possible undefined behavior due to an API misuse. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07032604; Issue ID: ALPS07032604.
{
"affected": [],
"aliases": [
"CVE-2022-26461"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "In vow, there is a possible undefined behavior due to an API misuse. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07032604; Issue ID: ALPS07032604.",
"id": "GHSA-xh7p-g3jr-x8p8",
"modified": "2022-09-10T00:00:33Z",
"published": "2022-09-07T00:01:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26461"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/September-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XMJ9-7625-F634
Vulnerability from github β Published: 2026-04-15 19:19 β Updated: 2026-04-24 20:39Affected Components
- DSF FHIR Server with enabled bearer-token authentication or back-channel logout.
- DSF BPE Server with enabled bearer-token authentication or back-channel logout.
- DSF BPE Server API v2 process plugins using FHIR client connections with configured OIDC authentication.
Summary
- The OIDC JWKS and Metadata Document caches used an inverted time comparison (
isBeforeinstead ofisAfter), causing the cache to never return cached values. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider. - The OIDC token cache for the FHIR client connections used an inverted time comparison (
isBeforeinstead ofisAfter), causing the cache to never invalidate. Every incoming request returned the same OIDC token even if expired.
Impact
- Performance: Every OIDC-authenticated request added network round-trips to the OIDC provider, increasing latency
- Reliability: Cached OIDC tokens become unusable after expiration and can only be invalidated by restart of the BPE. If the OIDC provider is temporarily unreachable, all requests fail immediately instead of using cached keys
- Load: Unnecessary load on the OIDC provider, potentially causing rate limiting
Fix (commits 31c2e974d, d3ca59b4d)
- Fixed cache timeout comparison from
isBeforetoisAfterinBaseOidcClientWithCache(configuration and JWKS caches) andOidcClientWithCache(configuration, JWKS, and access token caches) - Added configurable cache timeouts via
dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resourceanddev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource(default:PT1H)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.1.0"
},
"package": {
"ecosystem": "Maven",
"name": "dev.dsf:dsf-bpe-process-api-v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.1.0"
},
"package": {
"ecosystem": "Maven",
"name": "dev.dsf:dsf-bpe-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40942"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-15T19:19:50Z",
"nvd_published_at": "2026-04-21T22:16:19Z",
"severity": "MODERATE"
},
"details": "### Affected Components\n- DSF FHIR Server with enabled [bearer-token authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html) or [back-channel logout](https://dsf.dev/operations/v2.1.0/fhir/oidc.html).\n- DSF BPE Server with enabled [bearer-token authentication](https://dsf.dev/operations/v2.1.0/bpe/oidc.html) or [back-channel logout](https://dsf.dev/operations/v2.1.0/bpe/oidc.html).\n- DSF BPE Server API v2 process plugins using [FHIR client connections](https://dsf.dev/operations/v2.1.0/bpe/fhir-client-connections.html) with configured OIDC authentication.\n\n### Summary\n- The OIDC JWKS and Metadata Document caches used an inverted time comparison (`isBefore` instead of `isAfter`), causing the cache to **never return cached values**. Every incoming request triggered a fresh HTTP fetch of the OIDC Metadata Document and JWKS keys from the OIDC provider.\n- The OIDC token cache for the [FHIR client connections](https://dsf.dev/operations/v2.1.0/bpe/fhir-client-connections.html) used an inverted time comparison (`isBefore` instead of `isAfter`), causing the cache to **never invalidate**. Every incoming request returned the same OIDC token even if expired.\n\n### Impact\n- **Performance:** Every OIDC-authenticated request added network round-trips to the OIDC provider, increasing latency\n- **Reliability:** Cached OIDC tokens become unusable after expiration and can only be invalidated by restart of the BPE. \n If the OIDC provider is temporarily unreachable, all requests fail immediately instead of using cached keys\n- **Load:** Unnecessary load on the OIDC provider, potentially causing rate limiting\n\n### Fix (commits 31c2e974d, d3ca59b4d)\n- Fixed cache timeout comparison from `isBefore` to `isAfter` in `BaseOidcClientWithCache` (configuration and JWKS caches) and `OidcClientWithCache` (configuration, JWKS, and access token caches)\n- Added configurable cache timeouts via `dev.dsf.server.auth.oidc.provider.client.cache.timeout.configuration.resource` and `dev.dsf.server.auth.oidc.provider.client.cache.timeout.jwks.resource` (default: `PT1H`)",
"id": "GHSA-xmj9-7625-f634",
"modified": "2026-04-24T20:39:38Z",
"published": "2026-04-15T19:19:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/datasharingframework/dsf/security/advisories/GHSA-xmj9-7625-f634"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40942"
},
{
"type": "WEB",
"url": "https://github.com/datasharingframework/dsf/commit/31c2e974dfd4351756104ee8c53dbcd666192fef"
},
{
"type": "WEB",
"url": "https://github.com/datasharingframework/dsf/commit/d3ca59b4daccde16a006fedeccce28fd1f826908"
},
{
"type": "PACKAGE",
"url": "https://github.com/datasharingframework/dsf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Data Sharing Framework has an Inverted Time Comparison in OIDC JWKS and Token Cache"
}
GHSA-XMPG-XCMW-JV5W
Vulnerability from github β Published: 2023-01-26 21:30 β Updated: 2023-02-01 21:30In onPackageRemoved of AccessibilityManagerService.java, there is a possibility to automatically grant accessibility services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-243378132
{
"affected": [],
"aliases": [
"CVE-2023-20921"
],
"database_specific": {
"cwe_ids": [
"CWE-670"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "HIGH"
},
"details": "In onPackageRemoved of AccessibilityManagerService.java, there is a possibility to automatically grant accessibility services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-243378132",
"id": "GHSA-xmpg-xcmw-jv5w",
"modified": "2023-02-01T21:30:24Z",
"published": "2023-01-26T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20921"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2023-01-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.