Common Weakness Enumeration

CWE-1284

Allowed

Improper Validation of Specified Quantity in Input

Abstraction: Base · Status: Incomplete

The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

493 vulnerabilities reference this CWE, most recent first.

GHSA-X5QV-8W36-GXH4

Vulnerability from github – Published: 2024-02-21 18:31 – Updated: 2024-03-06 18:30
VLAI
Details

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1714"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-21T17:15:09Z",
    "severity": "HIGH"
  },
  "details": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.",
  "id": "GHSA-x5qv-8w36-gxh4",
  "modified": "2024-03-06T18:30:37Z",
  "published": "2024-02-21T18:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1714"
    },
    {
      "type": "WEB",
      "url": "https://www.sailpoint.com/security-advisories/sailpoint-identityiq-access-request-for-entitlement-values-with-leading-trailing-whitespace-cve-2024-1714"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X9MR-W23G-RXQ7

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

The affected products perform improper length checking when parsing incoming HTTP requests, resulting in a size-limited out-of-bounds write. An unauthenticated remote attacker can exploit this flaw to cause a denial of service via a system crash on the affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8047"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T08:16:22Z",
    "severity": "HIGH"
  },
  "details": "The affected products perform improper length checking when parsing incoming HTTP requests, resulting in a size-limited out-of-bounds write. An unauthenticated remote attacker can exploit this flaw to cause a denial of service via a system crash on the affected device.",
  "id": "GHSA-x9mr-w23g-rxq7",
  "modified": "2026-05-26T13:30:55Z",
  "published": "2026-05-26T13:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8047"
    },
    {
      "type": "WEB",
      "url": "https://www.certvde.com/en/advisories/VDE-2026-057"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X9WG-93QJ-QHG4

Vulnerability from github – Published: 2022-12-26 03:30 – Updated: 2023-01-04 03:30
VLAI
Details

OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-37312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-26T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OX App Suite through 7.10.6 has Uncontrolled Resource Consumption via a large request body containing a redirect URL to the deferrer servlet.",
  "id": "GHSA-x9wg-93qj-qhg4",
  "modified": "2023-01-04T03:30:32Z",
  "published": "2022-12-26T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37312"
    },
    {
      "type": "WEB",
      "url": "https://open-xchange.com"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2022/Nov/18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XFPH-VQ69-5WW2

Vulnerability from github – Published: 2026-03-19 18:31 – Updated: 2026-03-19 18:31
VLAI
Details

Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-19T18:16:21Z",
    "severity": "MODERATE"
  },
  "details": "Improper Validation of Specified Quantity in Input (CWE-1284) in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation (CAPEC-130). The vulnerability allows an authenticated user to send a specially crafted Timelion expression that overwrites internal series data properties with an excessively large quantity value.",
  "id": "GHSA-xfph-vq69-5ww2",
  "modified": "2026-03-19T18:31:19Z",
  "published": "2026-03-19T18:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26940"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/kibana-8-19-13-9-2-7-9-3-2-security-update-esa-2026-20/385535"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XG8P-34W2-J49J

Vulnerability from github – Published: 2022-09-16 17:41 – Updated: 2022-09-16 17:41
VLAI
Summary
linked_list_allocator vulnerable to out-of-bound writes on `Heap` initialization and `Heap::extend`
Details

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability impacts all the initialization functions on the Heap and LockedHeap types, including Heap::new, Heap::init, Heap::init_from_slice, and LockedHeap::new. It also affects multiple uses of the Heap::extend method.

Initialization Functions

The heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to out-of-bound writes when a heap was initialized with a size smaller than 3 * size_of::<usize> because of metadata write operations.

Heap::extend

This vulnerability impacts three specific uses of the Heap::extend method:

  • When calling Heap::extend with a size smaller than two usizes (e.g., 16 on x86_64), the size was erroneously rounded up to the minimum size, which could result in an out-of-bounds write.
  • Calling Heap::extend on an empty heap tried to construct a heap starting at address 0, which is also an out-of-bounds write.
  • One specific way to trigger this accidentally is to call Heap::new (or a similar constructor) with a heap size that is smaller than two usizes. This was treated as an empty heap as well.
  • Calling Heap::extend on a heap whose size is not a multiple of the size of two usizes resulted in unaligned writes. It also left the heap in an unexpected state, which might lead to subsequent issues. We did not find a way to exploit this undefined behavior yet (apart from DoS on platforms that fault on unaligned writes).

Patches

Has the problem been patched? What versions should users upgrade to?

We published a patch in version 0.10.2 and recommend all users to upgrade to it. This patch release includes the following changes:

  • The initialization functions now panic if the given size is not large enough to store the necessary metadata. Depending on the alignment of the heap bottom pointer, the minimum size is between 2 * size_of::<usize> and 3 * size_of::<usize>.
  • The extend method now panics when trying to extend an unitialized heap.
  • Extend calls with a size smaller than size_of::<usize>() * 2 are now buffered internally and not added to the list directly. The buffered region will be merged with future extend calls.
  • The size() method now returns the usable size of the heap, which might be slightly smaller than the top() - bottom() difference because of alignment constraints.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

To avoid this issue, ensure that the heap is only initialized with a size larger than 3 * size_of::<usize> and that the Heap::extend method is only called with sizes larger than 2 * size_of::<usize>(). Also, ensure that the total heap size is (and stays) a multiple of 2 * size_of::<usize>().

For more information

If you have any questions or comments about this advisory: * Open an issue in this repository * Email @phil-opp at security@phil-opp.com

Acknowledgements

This issue was responsibly reported by Evan Richter at ForAllSecure and found with Mayhem and cargo fuzz.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.10.1"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "linked_list_allocator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-1284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T17:41:33Z",
    "nvd_published_at": "2022-09-07T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis vulnerability impacts all the initialization functions on the `Heap` and `LockedHeap` types, including `Heap::new`, `Heap::init`, `Heap::init_from_slice`, and `LockedHeap::new`. It also affects multiple uses of the `Heap::extend` method.\n\n### Initialization Functions\n\nThe heap initialization methods were missing a minimum size check for the given heap size argument. This could lead to **_out-of-bound writes_** when a heap was initialized with a size smaller than `3 * size_of::\u003cusize\u003e` because of metadata write operations.\n\n### `Heap::extend`\n\nThis vulnerability impacts three specific uses of the `Heap::extend` method:\n\n- When calling `Heap::extend` with a size smaller than two `usize`s (e.g., 16 on `x86_64`), the size was erroneously rounded up to the minimum size, which could result in an **_out-of-bounds write_**.\n- Calling `Heap::extend` on an empty heap tried to construct a heap starting at address 0, which is also an **_out-of-bounds write_**.\n  - One specific way to trigger this accidentally is to call `Heap::new` (or a similar constructor) with a heap size that is smaller than two `usize`s. This was treated as an empty heap as well.\n- Calling `Heap::extend` on a heap whose size is not a multiple of the size of two `usize`s resulted in _unaligned writes_. It also left the heap in an unexpected state, which might lead to subsequent issues. We did not find a way to exploit this undefined behavior yet (apart from DoS on platforms that fault on unaligned writes).\n\n## Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nWe published a patch in version `0.10.2` and recommend all users to upgrade to it. This patch release includes the following changes:\n\n- The initialization functions now panic if the given size is not large enough to store the necessary metadata. Depending on the alignment of the heap bottom pointer, the minimum size is between `2 * size_of::\u003cusize\u003e` and `3 * size_of::\u003cusize\u003e`.\n- The `extend` method now panics when trying to extend an unitialized heap.\n- Extend calls with a size smaller than `size_of::\u003cusize\u003e() * 2` are now buffered internally and not added to the list directly. The buffered region will be merged with future `extend` calls.\n- The `size()` method now returns the _usable_ size of the heap, which might be slightly smaller than the `top() - bottom()` difference because of alignment constraints.\n\n## Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nTo avoid this issue, ensure that the heap is only initialized with a size larger than `3 * size_of::\u003cusize\u003e` and that the `Heap::extend` method is only called with sizes larger than `2 * size_of::\u003cusize\u003e()`. Also, ensure that the total heap size is (and stays) a multiple of `2 * size_of::\u003cusize\u003e()`.\n\n## For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in this repository\n* Email @phil-opp at [security@phil-opp.com](mailto:security@phil-opp.com)\n\n## Acknowledgements\n\nThis issue was responsibly reported by Evan Richter at ForAllSecure and found with [Mayhem](https://forallsecure.com/mayhem-for-code) and [cargo fuzz](https://github.com/rust-fuzz/cargo-fuzz).",
  "id": "GHSA-xg8p-34w2-j49j",
  "modified": "2022-09-16T17:41:33Z",
  "published": "2022-09-16T17:41:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rust-osdev/linked-list-allocator/security/advisories/GHSA-xg8p-34w2-j49j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36086"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-osdev/linked-list-allocator/commit/013b0758643943e8df5b17bbb495460ff47e8bbf"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xg8p-34w2-j49j"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rust-osdev/linked-list-allocator"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0063.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "linked_list_allocator vulnerable to out-of-bound writes on `Heap` initialization and `Heap::extend`"
}

GHSA-XGH5-7GP7-7MG3

Vulnerability from github – Published: 2025-07-30 03:30 – Updated: 2025-07-30 03:30
VLAI
Details

Tesla Wall Connector Content-Length Header Improper Input Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Tesla Wall Connector devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the parsing of the HTTP Content-Length header. The issue results from the lack of proper validation of user-supplied data, which can result in memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26300.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-30T01:15:26Z",
    "severity": "HIGH"
  },
  "details": "Tesla Wall Connector Content-Length Header Improper Input Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Tesla Wall Connector devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the parsing of the HTTP Content-Length header. The issue results from the lack of proper validation of user-supplied data, which can result in memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26300.",
  "id": "GHSA-xgh5-7gp7-7mg3",
  "modified": "2025-07-30T03:30:35Z",
  "published": "2025-07-30T03:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8320"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-711"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XH69-987W-HRP8

Vulnerability from github – Published: 2025-07-15 14:37 – Updated: 2025-07-15 22:56
VLAI
Summary
resolv vulnerable to DoS via insufficient DNS domain name length validation
Details

A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby.

Details

The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.

An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.

This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.

Affected Version

The vulnerability affects the resolv gem bundled with the following Ruby series: * Ruby 3.2 series: resolv version 0.2.2 and earlier * Ruby 3.3 series: resolv version 0.3.0 * Ruby 3.4 series: resolv version 0.6.1 and earlier

Credits

Thanks to Manu for discovering this issue.

History

Originally published at 2025-07-08 07:00:00 (UTC)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "resolv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "resolv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.0"
            },
            {
              "fixed": "0.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "resolv"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-15T14:37:08Z",
    "nvd_published_at": "2025-07-12T04:15:46Z",
    "severity": "MODERATE"
  },
  "details": "A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby.\n\n## Details\nThe vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.\n\nAn attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting\nlength of the name.\n\nThis resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.\n\n## Affected Version\nThe vulnerability affects the resolv gem bundled with the following Ruby series:\n* Ruby 3.2 series: resolv version 0.2.2 and earlier\n* Ruby 3.3 series: resolv version 0.3.0\n* Ruby 3.4 series: resolv version 0.6.1 and earlier\n\n## Credits\nThanks to Manu for discovering this issue.\n\n## History\nOriginally published at 2025-07-08 07:00:00 (UTC)",
  "id": "GHSA-xh69-987w-hrp8",
  "modified": "2025-07-15T22:56:19Z",
  "published": "2025-07-15T14:37:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24294"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/resolv/commit/4c2f71b5e80826506f78417d85b38481c058fb25"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/resolv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resolv/CVE-2025-24294.yml"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "resolv vulnerable to DoS via insufficient DNS domain name length validation"
}

GHSA-XM68-4V8H-H9RF

Vulnerability from github – Published: 2022-05-02 03:55 – Updated: 2025-01-21 18:31
VLAI
Details

** DISPUTED ** Varnish 2.0.6 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. NOTE: the vendor disputes the significance of this report, stating that "This is not a security problem in Varnish or any other piece of software which writes a logfile. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-4488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-01-13T20:30:00Z",
    "severity": "MODERATE"
  },
  "details": "** DISPUTED ** Varnish 2.0.6 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window\u0027s title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.  NOTE: the vendor disputes the significance of this report, stating that \"This is not a security problem in Varnish or any other piece of software which writes a logfile. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely.\"",
  "id": "GHSA-xm68-4v8h-h9rf",
  "modified": "2025-01-21T18:31:00Z",
  "published": "2022-05-02T03:55:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-4488"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/508830/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/37713"
    },
    {
      "type": "WEB",
      "url": "http://www.ush.it/team/ush/hack_httpd_escape/adv.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XMGF-HQ76-4VX2

Vulnerability from github – Published: 2026-04-22 21:20 – Updated: 2026-04-27 16:41
VLAI
Summary
rust-opennssl has an Out-of-bounds read in PEM password callback when returning an oversized length
Details

The *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "openssl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.0"
            },
            {
              "fixed": "0.10.78"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41677"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-1284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T21:20:04Z",
    "nvd_published_at": "2026-04-24T18:16:29Z",
    "severity": "LOW"
  },
  "details": "The `*_from_pem_callback` APIs did not validate the length returned by the user\u0027s callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this.",
  "id": "GHSA-xmgf-hq76-4vx2",
  "modified": "2026-04-27T16:41:58Z",
  "published": "2026-04-22T21:20:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41677"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-openssl/rust-openssl/pull/2605"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-openssl/rust-openssl/commit/5af6895c907773699f37f583f409b862284062b1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rust-openssl/rust-openssl"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "rust-opennssl has an Out-of-bounds read in PEM password callback when returning an oversized length"
}

GHSA-XMPC-X94Q-554F

Vulnerability from github – Published: 2022-12-13 21:30 – Updated: 2026-04-08 21:31
VLAI
Details

The demon image annotation plugin for WordPress is vulnerable to improper input validation in versions up to, and including 5.0. This is due to the plugin improperly validating the number of characters supplied during an annotation despite there being a setting to limit the number characters input. This means that unauthenticated attackers can bypass the length restrictions and input more characters than allowed via the settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-13T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "The demon image annotation plugin for WordPress is vulnerable to improper input validation in versions up to, and including 5.0. This is due to the plugin improperly validating the number of characters supplied during an annotation despite there being a setting to limit the number characters input. This means that unauthenticated attackers can bypass the length restrictions and input more characters than allowed via the settings.",
  "id": "GHSA-xmpc-x94q-554f",
  "modified": "2026-04-08T21:31:46Z",
  "published": "2022-12-13T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4171"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2830349%40demon-image-annotation\u0026new=2830349%40demon-image-annotation\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac5549ec-f931-4b13-b5f9-0d6f3e53aae4"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac5549ec-f931-4b13-b5f9-0d6f3e53aae4?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

No CAPEC attack patterns related to this CWE.