CWE-755
DiscouragedImproper Handling of Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not handle or incorrectly handles an exceptional condition.
686 vulnerabilities reference this CWE, most recent first.
GHSA-52VF-HVV3-98H7
Vulnerability from github – Published: 2023-03-03 22:53 – Updated: 2023-03-03 22:53Impact
Users with write rights can insert well-formed content that is not handled well by the parser. For instance, with xwiki/2.1, inserting a deeply nested group blocks (((( ((( ((( ((( .... ))) ))) ))) ))) (see the generator below to produce a large payload) can lead to the parser throwing a StackOverflowError.
As a consequence, some pages becomes unusable, including:
- the user index (if the page containing the faulty content is a user page)
- the page index
Note that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title of the document. This means that it is quite difficult to remove this content once inserted.
Patches
This has been patched on XWiki 13.10.10, 14.4.6, and 14.9-rc-1.
Workarounds
A temporary solution to avoid Stack Overflow errors is to increase the memory allocated to the stack by using the -Xss JVM parameter (e.g., -Xss32m). This should allow the parser to pass and to fix the faulty content.
Note that we did not evaluated the consequence on other aspects of the system (e.g., performances), and should be only be used as a temporary solution.
Also, this does not prevent the issue to occur again with another content.
Consequently, it is strongly advised to upgrade to a version where the issue has been patched.
References
- https://jira.xwiki.org/browse/XWIKI-19838
For more information
If you have any questions or comments about this advisory: - Open an issue in Jira - Email us at Security ML
Payload Generator
The Javascript code below produces 32768 nested group blocks, around the Hello text.
let result = "(((\nHello\n)))";
for (let i = 0; i < 15; ++i) {
result = result.replace("Hello", result);
}
console.log(result);
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-rendering-parser"
},
"ranges": [
{
"events": [
{
"introduced": "6.0"
},
{
"fixed": "13.10.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-rendering-parser"
},
"ranges": [
{
"events": [
{
"introduced": "14.0"
},
{
"fixed": "14.4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-rendering-parser"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.9-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26479"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-03T22:53:35Z",
"nvd_published_at": "2023-03-02T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nUsers with write rights can insert well-formed content that is not handled well by the parser. For instance, with `xwiki/2.1`, inserting a deeply nested group blocks (`((( ((( ((( ((( .... ))) ))) ))) )))` (see the generator below to produce a large payload) can lead to the parser throwing a `StackOverflowError`.\nAs a consequence, some pages becomes unusable, including:\n- the user index (if the page containing the faulty content is a user page)\n- the page index\n\nNote that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title of the document. This means that it is quite difficult to remove this content once inserted.\n\n### Patches\nThis has been patched on XWiki 13.10.10, 14.4.6, and 14.9-rc-1.\n\n### Workarounds\nA temporary solution to avoid Stack Overflow errors is to increase the memory allocated to the stack by using the `-Xss` JVM parameter (e.g., `-Xss32m`). This should allow the parser to pass and to fix the faulty content.\nNote that we did not evaluated the consequence on other aspects of the system (e.g., performances), and should be only be used as a temporary solution.\nAlso, this does not prevent the issue to occur again with another content.\nConsequently, it is strongly advised to upgrade to a version where the issue has been patched.\n\n### References\n- https://jira.xwiki.org/browse/XWIKI-19838\n\n### For more information\nIf you have any questions or comments about this advisory:\n- Open an issue in [Jira](http://jira.xwiki.org/)\n- Email us at [Security ML](mailto:security@xwiki.org)\n\n### Payload Generator\n\nThe Javascript code below produces 32768 nested group blocks, around the `Hello` text.\n\n```javascript\nlet result = \"(((\\nHello\\n)))\";\nfor (let i = 0; i \u003c 15; ++i) {\n result = result.replace(\"Hello\", result);\n}\nconsole.log(result);\n```\n",
"id": "GHSA-52vf-hvv3-98h7",
"modified": "2023-03-03T22:53:35Z",
"published": "2023-03-03T22:53:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-52vf-hvv3-98h7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26479"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/e5b82cd98072464196a468b8f7fe6396dce142a7"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-19838"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "xwiki vulnerable to Improper Handling of Exceptional Conditions"
}
GHSA-556R-96Q6-PPP2
Vulnerability from github – Published: 2024-11-13 18:32 – Updated: 2024-11-27 18:34The transport_message_handler function in SCP-Firmware release versions 2.11.0-2.15.0 does not properly handle errors, potentially allowing an Application Processor (AP) to cause a buffer overflow in System Control Processor (SCP) firmware.
{
"affected": [],
"aliases": [
"CVE-2024-9413"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-13T17:15:12Z",
"severity": "HIGH"
},
"details": "The transport_message_handler function in SCP-Firmware release versions 2.11.0-2.15.0 does not properly handle errors, potentially allowing an Application Processor (AP) to cause a buffer overflow in System Control Processor (SCP) firmware.",
"id": "GHSA-556r-96q6-ppp2",
"modified": "2024-11-27T18:34:00Z",
"published": "2024-11-13T18:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9413"
},
{
"type": "WEB",
"url": "https://developer.arm.com/Arm%20Security%20Center/SCP-Firmware%20Vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-55H2-P95W-Q7PV
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-10-22 12:00Dell EMC PowerScale OneFS versions 8.1.2 – 9.1.0 contain an issue where the OneFS SMB directory auto-create may erroneously create a directory for a user. A remote unauthenticated attacker may take advantage of this issue to slow down the system.
{
"affected": [],
"aliases": [
"CVE-2020-26195"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-09T22:15:00Z",
"severity": "MODERATE"
},
"details": "Dell EMC PowerScale OneFS versions 8.1.2 \u2013 9.1.0 contain an issue where the OneFS SMB directory auto-create may erroneously create a directory for a user. A remote unauthenticated attacker may take advantage of this issue to slow down the system.",
"id": "GHSA-55h2-p95w-q7pv",
"modified": "2022-10-22T12:00:30Z",
"published": "2022-05-24T22:28:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26195"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000182873/dsa-2021-009-dell-powerscale-onefs-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-55RX-W9V4-HWVV
Vulnerability from github – Published: 2024-07-11 18:31 – Updated: 2024-07-11 18:31An Improper Handling of Exceptional Conditions vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
When conflicting information (IP or ISO addresses) about a node is added to the Traffic Engineering (TE) database and then a subsequent operation attempts to process these, rpd will crash and restart.
This issue affects:
Junos OS:
- 22.4 versions before 22.4R3-S1,
- 23.2 versions before 23.2R2,
- 23.4 versions before 23.4R1-S1, 23.4R2,
This issue does not affect Junos OS versions earlier than 22.4R1.
Junos OS Evolved:
- 22.4-EVO versions before 22.4R3-S2-EVO,
- 23.2-EVO versions before 23.2R2-EVO,
- 23.4-EVO versions before 23.4R1-S1-EVO, 23.4R2-EVO,
This issue does not affect Junos OS Evolved versions earlier than
before 22.4R1.
{
"affected": [],
"aliases": [
"CVE-2024-39541"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-11T17:15:13Z",
"severity": "HIGH"
},
"details": "An Improper Handling of Exceptional Conditions vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).\n\nWhen conflicting information (IP or ISO addresses) about a node is added to the Traffic Engineering (TE) database and then a subsequent operation attempts to process these, rpd will crash and restart.\n\nThis issue affects:\n\nJunos OS:\n\n\n\n * 22.4 versions before 22.4R3-S1,\n * 23.2 versions before 23.2R2,\u00a0\n * 23.4 versions before 23.4R1-S1, 23.4R2,\u00a0\n\n\n\n\nThis issue does not affect Junos OS versions earlier than 22.4R1.\n\nJunos OS Evolved:\n\n\n\n * 22.4-EVO versions before 22.4R3-S2-EVO,\n * 23.2-EVO versions before 23.2R2-EVO,\n * 23.4-EVO versions before 23.4R1-S1-EVO, 23.4R2-EVO,\n\n\n\n\n\n\nThis issue does not affect Junos OS Evolved versions earlier than \n\nbefore 22.4R1.",
"id": "GHSA-55rx-w9v4-hwvv",
"modified": "2024-07-11T18:31:13Z",
"published": "2024-07-11T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39541"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA83001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-563C-G7MM-G4XP
Vulnerability from github – Published: 2024-08-06 15:30 – Updated: 2024-08-07 00:30Incomplete WebAssembly exception handing could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
{
"affected": [],
"aliases": [
"CVE-2024-7521"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T13:15:57Z",
"severity": "CRITICAL"
},
"details": "Incomplete WebAssembly exception handing could have led to a use-after-free. This vulnerability affects Firefox \u003c 129, Firefox ESR \u003c 115.14, and Firefox ESR \u003c 128.1.",
"id": "GHSA-563c-g7mm-g4xp",
"modified": "2024-08-07T00:30:47Z",
"published": "2024-08-06T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7521"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1904644"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-34"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-35"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-37"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-56J4-446M-QRF6
Vulnerability from github – Published: 2025-06-30 17:54 – Updated: 2025-07-29 23:43Summary
Sending transactions with fees different than native Babylon genesis denom (ubbn) leads to chain halt.
Impact
Denial of Service - Due to panic in the x/distribution module BeginBlocker triggered by a error when sending fees from feeCollector to x/distribution module - https://github.com/cosmos/cosmos-sdk/blob/main/x/distribution/keeper/allocation.go#L28 Babylon Genesis will halt
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/babylonlabs-io/babylon/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/babylonlabs-io/babylon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-30T17:54:02Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nSending transactions with fees different than native Babylon genesis denom (`ubbn`) leads to chain halt.\n\n### Impact\n\nDenial of Service - Due to panic in the `x/distribution` module `BeginBlocker` triggered by a error when sending fees from `feeCollector` to `x/distribution` module - https://github.com/cosmos/cosmos-sdk/blob/main/x/distribution/keeper/allocation.go#L28 Babylon Genesis will halt",
"id": "GHSA-56j4-446m-qrf6",
"modified": "2025-07-29T23:43:41Z",
"published": "2025-06-30T17:54:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/babylonlabs-io/babylon/security/advisories/GHSA-56j4-446m-qrf6"
},
{
"type": "WEB",
"url": "https://github.com/babylonlabs-io/babylon/commit/fe67aebd5216e7d3afa1d7dee2a3f82e548556f3"
},
{
"type": "PACKAGE",
"url": "https://github.com/babylonlabs-io/babylon"
},
{
"type": "WEB",
"url": "https://github.com/cosmos/cosmos-sdk/blob/main/x/distribution/keeper/allocation.go#L28"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Babylon vulnerable to chain half when transaction has fees different than `ubbn`"
}
GHSA-574H-82R6-G95W
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10Uncaught exception in system driver for Intel(R) Graphics Drivers before version 15.40.44.5107 may allow an authenticated user to potentially enable a denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2020-0511"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-12T20:15:00Z",
"severity": "LOW"
},
"details": "Uncaught exception in system driver for Intel(R) Graphics Drivers before version 15.40.44.5107 may allow an authenticated user to potentially enable a denial of service via local access.",
"id": "GHSA-574h-82r6-g95w",
"modified": "2022-05-24T17:10:51Z",
"published": "2022-05-24T17:10:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0511"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200320-0003"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00315.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-58P3-3997-G6QM
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07Foxit Reader before 10.1.4 and PhantomPDF before 10.1.4 produce incorrect PDF document signatures because the certificate name, document owner, and signature author are mishandled.
{
"affected": [],
"aliases": [
"CVE-2021-33795"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-09T18:15:00Z",
"severity": "MODERATE"
},
"details": "Foxit Reader before 10.1.4 and PhantomPDF before 10.1.4 produce incorrect PDF document signatures because the certificate name, document owner, and signature author are mishandled.",
"id": "GHSA-58p3-3997-g6qm",
"modified": "2022-05-24T19:07:20Z",
"published": "2022-05-24T19:07:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33795"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-58P7-GJ75-3437
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2023-08-31 03:30DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2021-21439"
],
"database_specific": {
"cwe_ids": [
"CWE-754",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-14T08:15:00Z",
"severity": "MODERATE"
},
"details": "DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.",
"id": "GHSA-58p7-gj75-3437",
"modified": "2023-08-31T03:30:36Z",
"published": "2022-05-24T19:05:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21439"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2021-09"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-58P8-2Q88-9M3P
Vulnerability from github – Published: 2024-09-04 06:30 – Updated: 2024-09-04 06:30Improper handling of exceptional conditions in Setupwizard prior to SMR Aug-2024 Release 1 allows physical attackers to bypass proper validation.
{
"affected": [],
"aliases": [
"CVE-2024-34639"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-04T06:15:11Z",
"severity": "MODERATE"
},
"details": "Improper handling of exceptional conditions in Setupwizard prior to SMR Aug-2024 Release 1 allows physical attackers to bypass proper validation.",
"id": "GHSA-58p8-2q88-9m3p",
"modified": "2024-09-04T06:30:41Z",
"published": "2024-09-04T06:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34639"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024\u0026month=08"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.