CWE-1284
AllowedImproper Validation of Specified Quantity in Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
494 vulnerabilities reference this CWE, most recent first.
GHSA-2C7V-9W46-2RMW
Vulnerability from github – Published: 2026-05-04 18:30 – Updated: 2026-06-30 03:36An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXParser.cpp, ParseVectorDataArray()
{
"affected": [],
"aliases": [
"CVE-2025-70071"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-04T16:16:01Z",
"severity": "MODERATE"
},
"details": "An issue in Assimp v.6.0.2 allows a remote attacker to cause a denial of service via the FBXParser.cpp, ParseVectorDataArray()",
"id": "GHSA-2c7v-9w46-2rmw",
"modified": "2026-06-30T03:36:29Z",
"published": "2026-05-04T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70071"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-70071"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2465675"
},
{
"type": "WEB",
"url": "https://gist.github.com/GunP4ng/6d80919905037929ce9266ccd207b9ea"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-70071.json"
},
{
"type": "WEB",
"url": "http://assimp.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2CX4-58J3-2JR5
Vulnerability from github – Published: 2026-01-16 21:30 – Updated: 2026-01-16 21:30DupTerminator 1.4.5639.37199 contains a denial of service vulnerability that allows attackers to crash the application by inputting a long character string in the Excluded text box. Attackers can generate a payload of 8000 repeated characters to trigger the application to stop working on Windows 10.
{
"affected": [],
"aliases": [
"CVE-2021-47818"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-16T19:16:06Z",
"severity": "MODERATE"
},
"details": "DupTerminator 1.4.5639.37199 contains a denial of service vulnerability that allows attackers to crash the application by inputting a long character string in the Excluded text box. Attackers can generate a payload of 8000 repeated characters to trigger the application to stop working on Windows 10.",
"id": "GHSA-2cx4-58j3-2jr5",
"modified": "2026-01-16T21:30:36Z",
"published": "2026-01-16T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47818"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/dupterminator"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49917"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/dupterminator-denial-of-service"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2FHG-MFW9-PX88
Vulnerability from github – Published: 2026-03-21 15:33 – Updated: 2026-03-21 15:33Sandboxie 5.30 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Program Alerts configuration field. Attackers can paste a buffer of 5000 characters into the 'Select or enter a program' field during program alert configuration to trigger an application crash.
{
"affected": [],
"aliases": [
"CVE-2019-25551"
],
"database_specific": {
"cwe_ids": [
"CWE-1282",
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-21T13:16:17Z",
"severity": "MODERATE"
},
"details": "Sandboxie 5.30 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Program Alerts configuration field. Attackers can paste a buffer of 5000 characters into the \u0027Select or enter a program\u0027 field during program alert configuration to trigger an application crash.",
"id": "GHSA-2fhg-mfw9-px88",
"modified": "2026-03-21T15:33:23Z",
"published": "2026-03-21T15:33:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25551"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46860"
},
{
"type": "WEB",
"url": "https://www.sandboxie.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/sandboxie-denial-of-service-via-program-alerts-buffer-overflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2G6F-P97F-GP43
Vulnerability from github – Published: 2026-05-04 21:30 – Updated: 2026-05-04 21:30Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.
{
"affected": [],
"aliases": [
"CVE-2026-25863"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-04T19:16:02Z",
"severity": "HIGH"
},
"details": "Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.",
"id": "GHSA-2g6f-p97f-gp43",
"modified": "2026-05-04T21:30:24Z",
"published": "2026-05-04T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25863"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/cf7-conditional-fields/#developers"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2H6C-J3GF-XP9R
Vulnerability from github – Published: 2023-02-10 19:52 – Updated: 2023-02-10 19:52Impact
When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics.
This happen when the size is a not a multiple of 8 or is negative.
There were already a note in the NewBitfield documentation:
``` Panics if size is not a multiple of 8. ````
But it incomplete and missing from FromBytes's documentation.
This has been replaced by returning an (Bitfield, error) and returning a non nil error if the size is wrong.
Patches
- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579
Workarounds
- Ensure
size%8 == 0 && size >= 0yourself before callingNewBitfieldorFromBytes
References
- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ipfs/go-bitfield"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-23626"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-10T19:52:45Z",
"nvd_published_at": "2023-02-09T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\n\nThis happen when the `size` is a not a multiple of `8` or is negative.\nThere were already a note in the `NewBitfield` documentation:\n\u003e ```\n\u003e Panics if size is not a multiple of 8.\n\u003e ````\n\nBut it incomplete and missing from `FromBytes`\u0027s documentation.\n\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\n\n### Patches\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\n\n### Workarounds\n- Ensure `size%8 == 0 \u0026\u0026 size \u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\n\n### References\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\n",
"id": "GHSA-2h6c-j3gf-xp9r",
"modified": "2023-02-10T19:52:45Z",
"published": "2023-02-10T19:52:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23626"
},
{
"type": "WEB",
"url": "https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579"
},
{
"type": "PACKAGE",
"url": "https://github.com/ipfs/go-bitfield"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2023-1558"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "IPFS go-bitfield vulnerable to DoS via malformed size arguments"
}
GHSA-2MJ3-6GRC-PX38
Vulnerability from github – Published: 2025-12-19 00:31 – Updated: 2025-12-19 21:04Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/elastic/beats/v7"
},
"ranges": [
{
"events": [
{
"introduced": "7.7.0"
},
{
"fixed": "8.19.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/elastic/beats/v7"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/elastic/beats/v7"
},
"ranges": [
{
"events": [
{
"introduced": "9.2.0"
},
{
"fixed": "9.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/elastic/beats/v7"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0-alpha2.0.20251204214633-dd3af18220bf"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/elastic/beats"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68383"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-1284"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-19T21:04:09Z",
"nvd_published_at": "2025-12-18T22:16:02Z",
"severity": "MODERATE"
},
"details": "Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) in Filebeat Syslog parser and the Libbeat Dissect processor can allow a user to trigger a Buffer Overflow (CAPEC-100) and cause a denial of service (panic/crash) of the Filebeat process via either a malformed Syslog message or a malicious tokenizer pattern in the Dissect configuration.",
"id": "GHSA-2mj3-6grc-px38",
"modified": "2025-12-19T21:04:09Z",
"published": "2025-12-19T00:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68383"
},
{
"type": "WEB",
"url": "https://github.com/elastic/beats/commit/27a168fb1c598d4a16748e9a7382bc0d197335a5"
},
{
"type": "WEB",
"url": "https://github.com/elastic/beats/commit/2f971a057eea68e057b47829950cd8c26805df30"
},
{
"type": "WEB",
"url": "https://github.com/elastic/beats/commit/339fa3f887a14c91e0c955b50a3b8819393bd632"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/filebeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-32/384180"
},
{
"type": "PACKAGE",
"url": "https://github.com/elastic/elasticsearch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Filebeat Beats has Buffer Overflow via Malformed Syslog Message or Malicious Tokenizer Pattern in Dissect Configuration"
}
GHSA-2PRH-76MQ-H4GX
Vulnerability from github – Published: 2022-11-11 12:00 – Updated: 2022-11-16 12:00DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file.
{
"affected": [],
"aliases": [
"CVE-2022-36938"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-125",
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-11T00:15:00Z",
"severity": "CRITICAL"
},
"details": "DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file.",
"id": "GHSA-2prh-76mq-h4gx",
"modified": "2022-11-16T12:00:20Z",
"published": "2022-11-11T12:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36938"
},
{
"type": "WEB",
"url": "https://github.com/facebook/redex/commit/3b44c640346b77bfb7ef36e2413688dd460288d2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2PW7-G86G-76Q7
Vulnerability from github – Published: 2026-05-27 00:31 – Updated: 2026-07-15 15:32A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.
{
"affected": [],
"aliases": [
"CVE-2026-42013"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T22:16:42Z",
"severity": "HIGH"
},
"details": "A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.",
"id": "GHSA-2pw7-g86g-76q7",
"modified": "2026-07-15T15:32:42Z",
"published": "2026-05-27T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42013"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13274"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20611"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20612"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20613"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26319"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26409"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29197"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30004"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30849"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30850"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:32962"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33125"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-42013"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467448"
},
{
"type": "WEB",
"url": "https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2R7G-MF5H-9GCW
Vulnerability from github – Published: 2022-05-01 23:40 – Updated: 2025-04-09 03:55Microsoft Windows XP SP2 and SP3, and Server 2003 SP1 and SP2, does not properly validate the option length field in Pragmatic General Multicast (PGM) packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted PGM packet, aka the "PGM Invalid Length Vulnerability."
{
"affected": [],
"aliases": [
"CVE-2008-1440"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-06-12T02:32:00Z",
"severity": "HIGH"
},
"details": "Microsoft Windows XP SP2 and SP3, and Server 2003 SP1 and SP2, does not properly validate the option length field in Pragmatic General Multicast (PGM) packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted PGM packet, aka the \"PGM Invalid Length Vulnerability.\"",
"id": "GHSA-2r7g-mf5h-9gcw",
"modified": "2025-04-09T03:55:23Z",
"published": "2022-05-01T23:40:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1440"
},
{
"type": "WEB",
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-036"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5473"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:5473"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/30587"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1020230"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/29508"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA08-162B.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/1783"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2RHX-838F-X5JW
Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31Improper input validation in Power Management Firmware (PMFW) may allow an attacker with privileges to send a malformed input for the "set temperature input selection" command, potentially resulting in a loss of integrity and/or availability.
{
"affected": [],
"aliases": [
"CVE-2023-31310"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T17:15:20Z",
"severity": "MODERATE"
},
"details": "Improper input validation in Power Management Firmware (PMFW) may allow an attacker with privileges to send a malformed input for the \"set temperature input selection\" command, potentially resulting in a loss of integrity and/or availability.",
"id": "GHSA-2rhx-838f-x5jw",
"modified": "2024-08-13T18:31:15Z",
"published": "2024-08-13T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31310"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6005.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.