CWE-1282
AllowedAssumed-Immutable Data is Stored in Writable Memory
Abstraction: Base · Status: Incomplete
Immutable data, such as a first-stage bootloader, device identifiers, and "write-once" configuration settings are stored in writable memory that can be re-programmed or updated in the field.
16 vulnerabilities reference this CWE, most recent first.
GHSA-7W2M-F6QV-243X
Vulnerability from github – Published: 2023-01-07 00:30 – Updated: 2023-01-12 21:30The bootloader in the Nokia ASIK AirScale system module (versions 474021A.101 and 474021A.102) loads public keys for firmware verification signature. If an attacker modifies the flash contents to corrupt the keys, secure boot could be permanently disabled on a given device.
{
"affected": [],
"aliases": [
"CVE-2022-2483"
],
"database_specific": {
"cwe_ids": [
"CWE-1282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-06T22:15:00Z",
"severity": "HIGH"
},
"details": "The bootloader in the Nokia ASIK AirScale system module (versions 474021A.101 and 474021A.102) loads public keys for firmware verification signature. If an attacker modifies the flash contents to corrupt the keys, secure boot could be permanently disabled on a given device.",
"id": "GHSA-7w2m-f6qv-243x",
"modified": "2023-01-12T21:30:25Z",
"published": "2023-01-07T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2483"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-307-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CMWQ-378R-4XWR
Vulnerability from github – Published: 2026-03-22 15:31 – Updated: 2026-03-22 15:31Axessh 4.2 contains a denial of service vulnerability in the logging configuration that allows local attackers to crash the application by supplying an excessively long string in the log file name field. Attackers can enable session logging, paste a buffer of 500 or more characters into the log file name parameter, and trigger a crash when establishing a telnet connection.
{
"affected": [],
"aliases": [
"CVE-2019-25590"
],
"database_specific": {
"cwe_ids": [
"CWE-1282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-22T14:16:24Z",
"severity": "MODERATE"
},
"details": "Axessh 4.2 contains a denial of service vulnerability in the logging configuration that allows local attackers to crash the application by supplying an excessively long string in the log file name field. Attackers can enable session logging, paste a buffer of 500 or more characters into the log file name parameter, and trigger a crash when establishing a telnet connection.",
"id": "GHSA-cmwq-378r-4xwr",
"modified": "2026-03-22T15:31:28Z",
"published": "2026-03-22T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25590"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46858"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/axessh-denial-of-service-via-log-file-name"
},
{
"type": "WEB",
"url": "http://www.labf.com"
},
{
"type": "WEB",
"url": "http://www.labf.com/download/axessh.exe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GP26-36X8-P39M
Vulnerability from github – Published: 2026-03-30 12:32 – Updated: 2026-03-30 12:32BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the SMTP configuration interface that allows local attackers to crash the application by supplying an oversized string. Attackers can input a buffer of 257 'A' characters in the SMTP Server field and trigger a crash by clicking the Test button.
{
"affected": [],
"aliases": [
"CVE-2018-25229"
],
"database_specific": {
"cwe_ids": [
"CWE-1282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T12:16:16Z",
"severity": "MODERATE"
},
"details": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the SMTP configuration interface that allows local attackers to crash the application by supplying an oversized string. Attackers can input a buffer of 257 \u0027A\u0027 characters in the SMTP Server field and trigger a crash by clicking the Test button.",
"id": "GHSA-gp26-36x8-p39m",
"modified": "2026-03-30T12:32:27Z",
"published": "2026-03-30T12:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25229"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46422"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-denial-of-service-via-smtp"
},
{
"type": "WEB",
"url": "http://bpftpserver.com"
},
{
"type": "WEB",
"url": "http://bpftpserver.com/products/bpftpserver/windows/download"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H3GG-HH2W-3WMP
Vulnerability from github – Published: 2026-03-22 03:30 – Updated: 2026-03-22 03:30BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked.
{
"affected": [],
"aliases": [
"CVE-2019-25588"
],
"database_specific": {
"cwe_ids": [
"CWE-1282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-22T01:16:57Z",
"severity": "MODERATE"
},
"details": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the DNS Address field that allows local attackers to crash the application by supplying an excessively long string. Attackers can enable the DNS Address option in the Firewall settings and paste a buffer of 700 bytes to trigger a crash when the Test function is invoked.",
"id": "GHSA-h3gg-hh2w-3wmp",
"modified": "2026-03-22T03:30:25Z",
"published": "2026-03-22T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25588"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46875"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-denial-of-service-via-dns-address"
},
{
"type": "WEB",
"url": "http://bpftpserver.com"
},
{
"type": "WEB",
"url": "http://bpftpserver.com/products/bpftpserver/windows/download"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P42H-J8RX-5JC2
Vulnerability from github – Published: 2026-03-22 03:30 – Updated: 2026-03-22 03:30BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the Storage-Path configuration parameter that allows local attackers to crash the application by supplying an excessively long string value. Attackers can enable the Override Storage-Path setting and paste a buffer of 500 bytes or more to trigger an application crash when saving the configuration.
{
"affected": [],
"aliases": [
"CVE-2019-25587"
],
"database_specific": {
"cwe_ids": [
"CWE-1282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-22T01:16:56Z",
"severity": "MODERATE"
},
"details": "BulletProof FTP Server 2019.0.0.50 contains a denial of service vulnerability in the Storage-Path configuration parameter that allows local attackers to crash the application by supplying an excessively long string value. Attackers can enable the Override Storage-Path setting and paste a buffer of 500 bytes or more to trigger an application crash when saving the configuration.",
"id": "GHSA-p42h-j8rx-5jc2",
"modified": "2026-03-22T03:30:25Z",
"published": "2026-03-22T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25587"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46876"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/bulletproof-ftp-server-storage-path-denial-of-service"
},
{
"type": "WEB",
"url": "http://bpftpserver.com"
},
{
"type": "WEB",
"url": "http://bpftpserver.com/products/bpftpserver/windows/download"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-V7QM-FPRQ-FG6P
Vulnerability from github – Published: 2026-03-22 03:30 – Updated: 2026-03-22 03:30RarmaRadio 2.72.3 contains a denial of service vulnerability in the Username field that allows local attackers to crash the application by submitting excessively long input. Attackers can paste a buffer of 5000 bytes into the Username field via Settings > Network to trigger an application crash.
{
"affected": [],
"aliases": [
"CVE-2019-25583"
],
"database_specific": {
"cwe_ids": [
"CWE-1282"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-22T01:16:56Z",
"severity": "MODERATE"
},
"details": "RarmaRadio 2.72.3 contains a denial of service vulnerability in the Username field that allows local attackers to crash the application by submitting excessively long input. Attackers can paste a buffer of 5000 bytes into the Username field via Settings \u003e Network to trigger an application crash.",
"id": "GHSA-v7qm-fprq-fg6p",
"modified": "2026-03-22T03:30:25Z",
"published": "2026-03-22T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25583"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46900"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/rarmaradio-username-field-denial-of-service"
},
{
"type": "WEB",
"url": "http://www.raimersoft.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
All immutable code or data should be programmed into ROM or write-once memory.
CAPEC-458: Flash Memory Attacks
An adversary inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device.
CAPEC-679: Exploitation of Improperly Configured or Implemented Memory Protections
An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious code into said memory.