Common Weakness Enumeration

CWE-672

Allowed-with-Review

Operation on a Resource after Expiration or Release

Abstraction: Class · Status: Draft

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

120 vulnerabilities reference this CWE, most recent first.

GHSA-QR2H-7PWM-H393

Vulnerability from github – Published: 2024-09-19 16:08 – Updated: 2024-09-20 14:18
VLAI
Summary
ZITADEL's Service Users Deactivation not Working
Details

Impact

ZITADEL's user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources.

Patches

2.x versions are fixed on >= 2.62.1 2.61.x versions are fixed on >= 2.61.1 2.60.x versions are fixed on >= 2.60.2 2.59.x versions are fixed on >= 2.59.3 2.58.x versions are fixed on >= 2.58.5 2.57.x versions are fixed on >= 2.57.5 2.56.x versions are fixed on >= 2.56.6 2.55.x versions are fixed on >= 2.55.8 2.54.x versions are fixed on >= 2.54.10

Workarounds

Instead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized.

  • Revoke all existing authentication keys associated with the service account
  • Rotate the service account's password

Questions

If you have any questions or comments about this advisory, please email us at

security@zitadel.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.62.0"
            },
            {
              "fixed": "2.62.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.61.0"
            },
            {
              "fixed": "2.61.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.60.0"
            },
            {
              "fixed": "2.60.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.59.0"
            },
            {
              "fixed": "2.59.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.58.0"
            },
            {
              "fixed": "2.58.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.57.0"
            },
            {
              "fixed": "2.57.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.56.0"
            },
            {
              "fixed": "2.56.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.55.0"
            },
            {
              "fixed": "2.55.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.54.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47000"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-672"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-19T16:08:01Z",
    "nvd_published_at": "2024-09-20T00:15:03Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nZITADEL\u0027s user account deactivation mechanism did not work correctly with service accounts. Deactivated service accounts retained the ability to request tokens, which could lead to unauthorized access to applications and resources.\n\n### Patches\n\n2.x versions are fixed on \u003e= [2.62.1](https://github.com/zitadel/zitadel/releases/tag/v2.62.1)\n2.61.x versions are fixed on \u003e= [2.61.1](https://github.com/zitadel/zitadel/releases/tag/v2.61.1)\n2.60.x versions are fixed on \u003e= [2.60.2](https://github.com/zitadel/zitadel/releases/tag/v2.60.2)\n2.59.x versions are fixed on \u003e= [2.59.3](https://github.com/zitadel/zitadel/releases/tag/v2.59.3)\n2.58.x versions are fixed on \u003e= [2.58.5](https://github.com/zitadel/zitadel/releases/tag/v2.58.5)\n2.57.x versions are fixed on \u003e= [2.57.5](https://github.com/zitadel/zitadel/releases/tag/v2.57.5)\n2.56.x versions are fixed on \u003e= [2.56.6](https://github.com/zitadel/zitadel/releases/tag/v2.56.6)\n2.55.x versions are fixed on \u003e= [2.55.8](https://github.com/zitadel/zitadel/releases/tag/v2.55.8)\n2.54.x versions are fixed on \u003e= [2.54.10](https://github.com/zitadel/zitadel/releases/tag/v2.54.10)\n\n### Workarounds\nInstead of deactivating the service account, consider creating new credentials and replacing the old ones wherever they are used. This effectively prevents the deactivated service account from being utilized.\n\n- Revoke all existing authentication keys associated with the service account\n- Rotate the service account\u0027s password\n\n### Questions\nIf you have any questions or comments about this advisory, please email us at \n\n[security@zitadel.com](mailto:security@zitadel.com)",
  "id": "GHSA-qr2h-7pwm-h393",
  "modified": "2024-09-20T14:18:22Z",
  "published": "2024-09-19T16:08:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-qr2h-7pwm-h393"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47000"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ZITADEL\u0027s Service Users Deactivation not Working "
}

GHSA-QW7Q-7PGR-V8PH

Vulnerability from github – Published: 2024-05-22 21:30 – Updated: 2024-05-22 21:30
VLAI
Details

IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive user information using an expired access token. IBM X-Force ID: 288175.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-324",
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T20:15:09Z",
    "severity": "MODERATE"
  },
  "details": "IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an authenticated user to obtain sensitive user information using an expired access token.  IBM X-Force ID:  288175.",
  "id": "GHSA-qw7q-7pgr-v8ph",
  "modified": "2024-05-22T21:30:35Z",
  "published": "2024-05-22T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31894"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/288175"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7154606"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QXRR-WRHX-J83R

Vulnerability from github – Published: 2022-12-10 00:30 – Updated: 2022-12-13 03:30
VLAI
Details

User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-09T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted.",
  "id": "GHSA-qxrr-wrhx-j83r",
  "modified": "2022-12-13T03:30:45Z",
  "published": "2022-12-10T00:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45292"
    },
    {
      "type": "WEB",
      "url": "https://dev.funkwhale.audio/funkwhale/funkwhale/-/issues/1952"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6CX-VW2Q-5GQG

Vulnerability from github – Published: 2026-01-02 18:30 – Updated: 2026-01-02 18:30
VLAI
Details

In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-02T17:16:23Z",
    "severity": "HIGH"
  },
  "details": "In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.",
  "id": "GHSA-r6cx-vw2q-5gqg",
  "modified": "2026-01-02T18:30:55Z",
  "published": "2026-01-02T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69415"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R88F-774M-5RJ4

Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00
VLAI
Details

A flaw was found in OpenStack. The application credential tokens can be used even after they have expired. This flaw allows an authenticated remote attacker to obtain access despite the defender's efforts to remove access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-01T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in OpenStack. The application credential tokens can be used even after they have expired. This flaw allows an authenticated remote attacker to obtain access despite the defender\u0027s efforts to remove access.",
  "id": "GHSA-r88f-774m-5rj4",
  "modified": "2022-09-08T00:00:30Z",
  "published": "2022-09-02T00:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2447"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-2447"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105419"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8W9-5WCG-VFJ7

Vulnerability from github – Published: 2024-03-04 20:44 – Updated: 2024-03-06 21:37
VLAI
Summary
Mio's tokens for named pipes may be delivered after deregistration
Details

Impact

When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free.

For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio.

The vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected.

Affected versions

This vulnerability has been fixed in mio v0.8.11.

All versions of mio between v0.7.2 and v0.8.10 are vulnerable.

Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable.

Workarounds

Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.

Technical details

When an IO resource registered with mio has a readiness event, mio delivers that readiness event to the user using a user-specified token. Mio guarantees that when an IO resource is deregistered, then it will never return the token for that IO resource again. However, for named pipes on windows, mio may sometimes deliver the token for a named pipe even though the named pipe has been previously deregistered.

This vulnerability was originally reported in the Tokio issue tracker: tokio-rs/tokio#6369 This vulnerability was fixed in: tokio-rs/mio#1760 This vulnerability is also known as RUSTSEC-2024-0019.

Thank you to @rofoun and @radekvit for discovering and reporting this issue.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.8.10"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "mio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.2"
            },
            {
              "fixed": "0.8.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416",
      "CWE-672"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-04T20:44:35Z",
    "nvd_published_at": "2024-03-06T20:15:47Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWhen using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free.\n\nFor users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio.\n\nThe vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected.\n\n### Affected versions\nThis vulnerability has been fixed in mio v0.8.11.\n\nAll versions of mio between v0.7.2 and v0.8.10 are vulnerable.\n\nTokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable.\n\n### Workarounds\nVulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.\n\n### Technical details\n\nWhen an IO resource registered with mio has a readiness event, mio delivers that readiness event to the user using a user-specified token. Mio guarantees that when an IO resource is [deregistered](https://docs.rs/mio/latest/mio/struct.Registry.html#method.deregister), then it will never return the token for that IO resource again. However, for named pipes on windows, mio may sometimes deliver the token for a named pipe even though the named pipe has been previously deregistered.\n\nThis vulnerability was originally reported in the Tokio issue tracker: [tokio-rs/tokio#6369](https://github.com/tokio-rs/tokio/issues/6369)\nThis vulnerability was fixed in: [tokio-rs/mio#1760](https://github.com/tokio-rs/mio/pull/1760)\nThis vulnerability is also known as [RUSTSEC-2024-0019](https://rustsec.org/advisories/RUSTSEC-2024-0019.html).\n\nThank you to @rofoun and @radekvit for discovering and reporting this issue.",
  "id": "GHSA-r8w9-5wcg-vfj7",
  "modified": "2024-03-06T21:37:37Z",
  "published": "2024-03-04T20:44:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tokio-rs/mio/security/advisories/GHSA-r8w9-5wcg-vfj7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27308"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tokio-rs/tokio/issues/6369"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tokio-rs/mio/pull/1760"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tokio-rs/mio/commit/90d4fe00df870acd3d38f3dc4face9aacab8fbb9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tokio-rs/mio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mio\u0027s tokens for named pipes may be delivered after deregistration"
}

GHSA-RH37-88V6-QM47

Vulnerability from github – Published: 2022-04-19 00:00 – Updated: 2025-11-04 00:30
VLAI
Details

A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-415",
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-18T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.",
  "id": "GHSA-rh37-88v6-qm47",
  "modified": "2025-11-04T00:30:31Z",
  "published": "2022-04-19T00:00:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42778"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenSC/OpenSC/commit/f015746d"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28185"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2016083"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202209-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V8J2-5F9P-FMH4

Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-18 15:31
VLAI
Summary
Duplicate Advisory: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-q8ff-7ffm-m3r9. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T15:31:00Z",
    "nvd_published_at": "2026-05-11T18:16:40Z",
    "severity": "MODERATE"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-q8ff-7ffm-m3r9. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.",
  "id": "GHSA-v8j2-5f9p-fmh4",
  "modified": "2026-05-18T15:31:00Z",
  "published": "2026-05-11T18:31:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45005"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/36c4a372a0ad5dca8bfc0d93f7aab9c2f2de66fa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-webhook-route-secret-cache-not-invalidated-after-rotation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw\u0027s Webhooks SecretRef route secret remains valid after rotation/reload",
  "withdrawn": "2026-05-18T15:31:00Z"
}

GHSA-VC86-73MC-M266

Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-17 15:30
VLAI
Details

Premature release of resource during expected lifetime in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27499"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-11T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Premature release of resource during expected lifetime in the Intel(R) SGX SDK software may allow a privileged user to potentially enable information disclosure via local access.",
  "id": "GHSA-vc86-73mc-m266",
  "modified": "2022-11-17T15:30:24Z",
  "published": "2022-11-11T19:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27499"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00691.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VMC8-GGH9-8P8J

Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2022-11-10 12:01
VLAI
Details

TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If decoding routine would throw an exception, ZRLEDecoder may try to access stack variable, which has been already freed during the process of stack unwinding. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-15691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-672"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-26T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-return, which occurs due to incorrect usage of stack memory in ZRLEDecoder. If decoding routine would throw an exception, ZRLEDecoder may try to access stack variable, which has been already freed during the process of stack unwinding. Exploitation of this vulnerability could potentially result into remote code execution. This attack appear to be exploitable via network connectivity.",
  "id": "GHSA-vmc8-ggh9-8p8j",
  "modified": "2022-11-10T12:01:17Z",
  "published": "2022-05-24T17:05:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15691"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CendioOssman/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233119aad40"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2019/12/20/2"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00039.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.