CWE-913
Allowed-with-ReviewImproper Control of Dynamically-Managed Code Resources
Abstraction: Class · Status: Incomplete
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
159 vulnerabilities reference this CWE, most recent first.
GHSA-GJ28-GW7W-3PXC
Vulnerability from github – Published: 2026-02-02 18:31 – Updated: 2026-02-02 22:36Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution).
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.craftercms:craftercms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-1770"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T22:36:58Z",
"nvd_published_at": "2026-02-02T17:16:17Z",
"severity": "MODERATE"
},
"details": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution).",
"id": "GHSA-gj28-gw7w-3pxc",
"modified": "2026-02-02T22:36:58Z",
"published": "2026-02-02T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1770"
},
{
"type": "WEB",
"url": "https://docs.craftercms.org/current/security/advisory.html#cv-2026020201"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftercms/craftercms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H/E:U",
"type": "CVSS_V4"
}
],
"summary": "Crafter CMS has Improper Control of Dynamically-Managed Code Resources"
}
GHSA-GQ3H-3P4J-VFFV
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to join a Webex session without appearing on the participant list. This vulnerability is due to improper handling of authentication tokens by a vulnerable Webex site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. A successful exploit requires the attacker to have access to join a Webex meeting, including applicable meeting join links and passwords. The attacker could then exploit this vulnerability to join meetings, without appearing in the participant list, while having full access to audio, video, chat, and screen sharing capabilities.
{
"affected": [],
"aliases": [
"CVE-2020-3419"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-18T19:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to join a Webex session without appearing on the participant list. This vulnerability is due to improper handling of authentication tokens by a vulnerable Webex site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. A successful exploit requires the attacker to have access to join a Webex meeting, including applicable meeting join links and passwords. The attacker could then exploit this vulnerability to join meetings, without appearing in the participant list, while having full access to audio, video, chat, and screen sharing capabilities.",
"id": "GHSA-gq3h-3p4j-vffv",
"modified": "2022-05-24T17:34:34Z",
"published": "2022-05-24T17:34:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3419"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H5CG-53G7-GQJW
Vulnerability from github – Published: 2024-03-06 17:05 – Updated: 2024-08-02 15:37An issue in Open Source: RPyC v.4.00 thru v.5.3.1 allows a remote attacker to execute arbitrary code via a crafted script to the __array__ attribute component. This vulnerability was introduced in 9f45f826.
Attack Vector
RPyC services that rely on the __array__ attribute used by numpy are impacted. When the server-side exposes a method that calls the attribute named __array__ for a a client provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class which results in remote code execution
Impact
Assuming the system exposes a method that calls the attribute __array__, an attacker can execute code using the vulnerable component.
Patches
The fix is available in RPyC 6.0.0. The major version change is because some users may need to set allow_pickle to True when migrating to RPyC 6.
Workarounds
While the recommend fix is to upgrade to RPyC 6.0.0, the workaround is to apply bba1d356 as patch.
Affected Component
The affected component is the __array__ method constructed for NetrefClass.
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rpyc"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "6.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-27758"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-358",
"CWE-913"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-06T17:05:30Z",
"nvd_published_at": "2024-03-12T16:15:08Z",
"severity": "HIGH"
},
"details": "An issue in Open Source: RPyC v.4.00 thru v.5.3.1 allows a remote attacker to execute arbitrary code via a crafted script to the `__array__` attribute component. This vulnerability was introduced in [9f45f826](https://github.com/tomerfiliba-org/rpyc/commit/9f45f8269d4106905db61d82cd529cacdb178911).\n\n### Attack Vector\nRPyC services that rely on the `__array__` attribute used by numpy are impacted. When the server-side exposes a method that calls the attribute named `__array__` for a a client provided netref (e.g., `np.array(client_netref)`), a remote attacker can craft a class which results in remote code execution\n\n### Impact\nAssuming the system exposes a method that calls the attribute `__array__`, an attacker can execute code using the vulnerable component. \n\n### Patches\nThe fix is available in RPyC 6.0.0. The major version change is because some users may need to set `allow_pickle` to `True` when migrating to RPyC 6.\n\n### Workarounds\nWhile the recommend fix is to upgrade to RPyC 6.0.0, the workaround is to [apply bba1d356 as patch.](https://github.com/tomerfiliba-org/rpyc/commit/bba1d3562e6f9f1256ec64048cc23001c0bb7516)\n\n### Affected Component\n[The affected component](https://github.com/tomerfiliba-org/rpyc/blob/5.3.1/rpyc/core/netref.py#L252-L255) is the `__array__` method constructed for `NetrefClass`.\n\n### References\n- [Original disclosure](https://gist.github.com/renbou/957f70d27470982994f12a1d70153d09) by [renbou (Artem Mikheev)](https://gist.github.com/renbou)\n- [CVE-2024-27758](https://nvd.nist.gov/vuln/detail/CVE-2024-27758)\n",
"id": "GHSA-h5cg-53g7-gqjw",
"modified": "2024-08-02T15:37:26Z",
"published": "2024-03-06T17:05:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tomerfiliba-org/rpyc/security/advisories/GHSA-h5cg-53g7-gqjw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27758"
},
{
"type": "WEB",
"url": "https://github.com/tomerfiliba-org/rpyc/commit/9f45f8269d4106905db61d82cd529cacdb178911"
},
{
"type": "WEB",
"url": "https://github.com/tomerfiliba-org/rpyc/commit/bba1d3562e6f9f1256ec64048cc23001c0bb7516"
},
{
"type": "WEB",
"url": "https://gist.github.com/renbou/957f70d27470982994f12a1d70153d09"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/rpyc/PYSEC-2024-44.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tomerfiliba-org/rpyc"
},
{
"type": "WEB",
"url": "https://github.com/tomerfiliba-org/rpyc/blob/5.3.1/rpyc/core/netref.py#L252-L255"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "RPyC\u0027s missing security check results in code execution when using numpy.array on the server-side."
}
GHSA-HH7J-PG39-Q563
Vulnerability from github – Published: 2023-05-24 17:38 – Updated: 2023-05-30 06:41Impact
Websites that use Website.user_vars property in versions.
Patches
It affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1
Workarounds
Do not use Website.user_vars in websites when using versions v2.0.1 to v2.4.0. Also, do not use Website.signin_user() in version v2.4.0 only.
Explanation
ToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client's browser, but it seems that these are stored in the server side.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "toui"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.1"
},
{
"fixed": "2.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-33175"
],
"database_specific": {
"cwe_ids": [
"CWE-913",
"CWE-914"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-24T17:38:52Z",
"nvd_published_at": "2023-05-30T05:15:11Z",
"severity": "CRITICAL"
},
"details": "### Impact\nWebsites that use `Website.user_vars` property in versions.\n\n### Patches\nIt affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1\n\n### Workarounds\nDo not use `Website.user_vars` in websites when using versions v2.0.1 to v2.4.0. Also, do not use `Website.signin_user()` in version v2.4.0 only.\n\n### Explanation\nToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client\u0027s browser, but it seems that these are stored in the server side.\n",
"id": "GHSA-hh7j-pg39-q563",
"modified": "2023-05-30T06:41:13Z",
"published": "2023-05-24T17:38:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mubarakalmehairbi/ToUI/security/advisories/GHSA-hh7j-pg39-q563"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33175"
},
{
"type": "PACKAGE",
"url": "https://github.com/mubarakalmehairbi/ToUI"
},
{
"type": "WEB",
"url": "https://github.com/mubarakalmehairbi/ToUI/releases/tag/v2.4.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "toui allows user-specific variables to be shared between users"
}
GHSA-J2HP-QMRF-626C
Vulnerability from github – Published: 2021-12-03 00:00 – Updated: 2021-12-04 00:01Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE).
{
"affected": [],
"aliases": [
"CVE-2021-23259"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-02T16:15:00Z",
"severity": "HIGH"
},
"details": "Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE).",
"id": "GHSA-j2hp-qmrf-626c",
"modified": "2021-12-04T00:01:14Z",
"published": "2021-12-03T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23259"
},
{
"type": "WEB",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120102"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J6X3-3JQQ-M922
Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-20 17:41Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.craftercms:craftercms"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.23"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-40635"
],
"database_specific": {
"cwe_ids": [
"CWE-78",
"CWE-913"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-20T17:41:27Z",
"nvd_published_at": "2022-09-13T19:15:00Z",
"severity": "HIGH"
},
"details": "Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.",
"id": "GHSA-j6x3-3jqq-m922",
"modified": "2022-09-20T17:41:27Z",
"published": "2022-09-14T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40635"
},
{
"type": "WEB",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2022051602"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftercms/craftercms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "CrafterCMS OS Command Injection vulnerability"
}
GHSA-J7MP-FRQ8-HWP3
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.
{
"affected": [],
"aliases": [
"CVE-2026-48700"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-22T19:17:04Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file\u0027s path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O.",
"id": "GHSA-j7mp-frq8-hwp3",
"modified": "2026-05-26T13:30:20Z",
"published": "2026-05-26T13:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48700"
},
{
"type": "WEB",
"url": "https://github.com/lxqt/pcmanfm-qt/releases"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/05/19/1"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/05/20/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:I/V:D/RE:M/U:Clear",
"type": "CVSS_V4"
}
]
}
GHSA-JGC5-XGWJ-77VF
Vulnerability from github – Published: 2022-02-17 00:00 – Updated: 2022-03-19 00:01In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.
{
"affected": [],
"aliases": [
"CVE-2022-25265"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-16T21:15:00Z",
"severity": "HIGH"
},
"details": "In the Linux kernel through 5.16.10, certain binary files may have the exec-all attribute if they were built in approximately 2003 (e.g., with GCC 3.2.2 and Linux kernel 2.4.20). This can cause execution of bytes located in supposedly non-executable regions of a file.",
"id": "GHSA-jgc5-xgwj-77vf",
"modified": "2022-03-19T00:01:46Z",
"published": "2022-02-17T00:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25265"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/blob/1c33bb0507508af24fd754dd7123bd8e997fab2f/arch/x86/include/asm/elf.h#L281-L294"
},
{
"type": "WEB",
"url": "https://github.com/x0reaxeax/exec-prot-bypass"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220318-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQV5-7XPX-QJ74
Vulnerability from github – Published: 2023-03-13 20:00 – Updated: 2023-03-16 21:34Impact
Due to the underlying implementation of .ToString(), it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object.
Users of sqlite3 v5.0.0 - v5.1.4 are affected by this.
Patches
Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.
Workarounds
- Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.
References
- Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781
For more information
If you have any questions or comments about this advisory:
- Email us at security@ghost.org
Credits: Dave McDaniel of Cisco Talos
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "sqlite3"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-43441"
],
"database_specific": {
"cwe_ids": [
"CWE-913",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-13T20:00:52Z",
"nvd_published_at": "2023-03-16T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nDue to the underlying implementation of `.ToString()`, it\u0027s possible to execute arbitrary JavaScript, or to achieve a denial-of-service, if a binding parameter is a crafted Object.\n\nUsers of `sqlite3` v5.0.0 - v5.1.4 are affected by this.\n\n### Patches\n\nFixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.\n\n### Workarounds\n\n* Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.\n\n### References\n\n* Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Email us at [security@ghost.org](mailto:security@ghost.org)\n\nCredits: Dave McDaniel of Cisco Talos",
"id": "GHSA-jqv5-7xpx-qj74",
"modified": "2023-03-16T21:34:27Z",
"published": "2023-03-13T20:00:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-jqv5-7xpx-qj74"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43441"
},
{
"type": "WEB",
"url": "https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781"
},
{
"type": "PACKAGE",
"url": "https://github.com/TryGhost/node-sqlite3"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1645"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "sqlite vulnerable to code execution due to Object coercion"
}
GHSA-JVPP-7888-2HGR
Vulnerability from github – Published: 2025-04-27 03:30 – Updated: 2025-04-27 03:30NASA CryptoLib before 1.3.2 does not check whether the SA is in an operational state before use, possibly leading to a bypass of the Space Data Link Security protocol (SDLS).
{
"affected": [],
"aliases": [
"CVE-2025-46673"
],
"database_specific": {
"cwe_ids": [
"CWE-913"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-27T01:15:44Z",
"severity": "MODERATE"
},
"details": "NASA CryptoLib before 1.3.2 does not check whether the SA is in an operational state before use, possibly leading to a bypass of the Space Data Link Security protocol (SDLS).",
"id": "GHSA-jvpp-7888-2hgr",
"modified": "2025-04-27T03:30:22Z",
"published": "2025-04-27T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46673"
},
{
"type": "WEB",
"url": "https://github.com/nasa/CryptoLib/pull/286"
},
{
"type": "WEB",
"url": "https://github.com/nasa/CryptoLib/pull/306"
},
{
"type": "WEB",
"url": "https://github.com/nasa/CryptoLib/compare/v1.3.0...v1.3.1"
},
{
"type": "WEB",
"url": "https://github.com/nasa/CryptoLib/compare/v1.3.1...v1.3.2"
},
{
"type": "WEB",
"url": "https://securitybynature.fr/post/hacking-cryptolib"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Input Validation
For any externally-influenced input, check the input against an allowlist of acceptable values.
Mitigation
Strategy: Refactoring
Refactor the code so that it does not need to be dynamically managed.
No CAPEC attack patterns related to this CWE.