CWE-232
AllowedImproper Handling of Undefined Values
Abstraction: Variant · Status: Draft
The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name.
19 vulnerabilities reference this CWE, most recent first.
CVE-2021-3718 (GCVE-0-2021-3718)
Vulnerability from cvelistv5 – Published: 2021-11-12 22:05 – Updated: 2024-08-03 17:01- CWE-232 - Improper Handling of Undefined Values
| URL | Tags |
|---|---|
| https://support.lenovo.com/us/en/product_security… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Lenovo | ThinkPad BIOS |
Affected:
various
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.300Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ThinkPad BIOS",
"vendor": "Lenovo",
"versions": [
{
"status": "affected",
"version": "various"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Lenovo thanks Zoltan Harmarth for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-232",
"description": "CWE-232 Improper Handling of Undefined Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-12T22:05:34.000Z",
"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"shortName": "lenovo"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
}
],
"solutions": [
{
"lang": "en",
"value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section in LEN-72619."
}
],
"source": {
"advisory": "LEN-72619",
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@lenovo.com",
"ID": "CVE-2021-3718",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ThinkPad BIOS",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "various"
}
]
}
}
]
},
"vendor_name": "Lenovo"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Lenovo thanks Zoltan Harmarth for reporting this issue"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A denial of service vulnerability was reported in some ThinkPad models that could cause a system to crash when the Enhanced Biometrics setting is enabled in BIOS."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-232 Improper Handling of Undefined Values"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.lenovo.com/us/en/product_security/LEN-72619",
"refsource": "MISC",
"url": "https://support.lenovo.com/us/en/product_security/LEN-72619"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update system firmware to the version (or newer) indicated for your model in the Product Impact section in LEN-72619."
}
],
"source": {
"advisory": "LEN-72619",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"assignerShortName": "lenovo",
"cveId": "CVE-2021-3718",
"datePublished": "2021-11-12T22:05:34.000Z",
"dateReserved": "2021-08-18T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:01:08.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-6JMW-6MXW-W4JC
Vulnerability from github – Published: 2023-09-13 15:31 – Updated: 2024-09-11 18:45NLnet Labs’ bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "bcder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-39914"
],
"database_specific": {
"cwe_ids": [
"CWE-228",
"CWE-232"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-14T16:41:57Z",
"nvd_published_at": "2023-09-13T15:15:07Z",
"severity": "HIGH"
},
"details": "NLnet Labs\u2019 bcder library up to and including version 0.7.2 panics while decoding certain invalid input data rather than rejecting the data with an error. This can affect both the actual decoding stage as well as accessing content of types that utilized delayed decoding.",
"id": "GHSA-6jmw-6mxw-w4jc",
"modified": "2024-09-11T18:45:42Z",
"published": "2023-09-13T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39914"
},
{
"type": "WEB",
"url": "https://github.com/NLnetLabs/bcder/commit/4da91c3fd853e3d466d8581cf1d82b7f3255de56"
},
{
"type": "PACKAGE",
"url": "https://github.com/NLnetLabs/bcder"
},
{
"type": "WEB",
"url": "https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2023-0062.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "BER/CER/DER decoder panics on invalid input"
}
GHSA-FFCC-CQG6-6F7V
Vulnerability from github – Published: 2025-05-07 18:30 – Updated: 2025-05-07 18:30A vulnerability in the Internet Key Exchange version 1 (IKEv1) implementation of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The attacker must have valid IKEv1 VPN credentials to exploit this vulnerability.
This vulnerability is due to improper validation of IKEv1 phase 2 parameters before the IPsec security association creation request is handed off to the hardware cryptographic accelerator of an affected device. An attacker could exploit this vulnerability by sending crafted IKEv1 messages to the affected device. A successful exploit could allow the attacker to cause the device to reload.
{
"affected": [],
"aliases": [
"CVE-2025-20192"
],
"database_specific": {
"cwe_ids": [
"CWE-232"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-07T18:15:39Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Internet Key Exchange version 1 (IKEv1) implementation of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The attacker must have valid IKEv1 VPN credentials to exploit this vulnerability.\n\n This vulnerability is due to improper validation of IKEv1 phase 2 parameters before the IPsec security association creation request is handed off to the hardware cryptographic accelerator of an affected device. An attacker could exploit this vulnerability by sending crafted IKEv1 messages to the affected device. A successful exploit could allow the attacker to cause the device to reload.",
"id": "GHSA-ffcc-cqg6-6f7v",
"modified": "2025-05-07T18:30:49Z",
"published": "2025-05-07T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20192"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-ikev1-dos-XHk3HzFC"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GQGX-HGVF-F75F
Vulnerability from github – Published: 2025-05-21 15:30 – Updated: 2025-05-23 15:31When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7.
{
"affected": [],
"aliases": [
"CVE-2025-40775"
],
"database_specific": {
"cwe_ids": [
"CWE-232"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-21T13:16:02Z",
"severity": "HIGH"
},
"details": "When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure.\nThis issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7.",
"id": "GHSA-gqgx-hgvf-f75f",
"modified": "2025-05-23T15:31:08Z",
"published": "2025-05-21T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40775"
},
{
"type": "WEB",
"url": "https://kb.isc.org/docs/cve-2025-40775"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250523-0001"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/05/21/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJ6P-3PC9-WF5M
Vulnerability from github – Published: 2023-05-30 18:30 – Updated: 2026-06-11 14:17A remote attacker can trigger a denial of service in the socket.remoteAddress variable, by sending a crafted HTTP request. Usage of the undefined variable raises a TypeError exception.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "proxy"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2968"
],
"database_specific": {
"cwe_ids": [
"CWE-232"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-06T01:52:50Z",
"nvd_published_at": "2023-05-30T18:15:09Z",
"severity": "HIGH"
},
"details": "A remote attacker can trigger a denial of service in the `socket.remoteAddress` variable, by sending a crafted HTTP request. Usage of the undefined variable raises a TypeError exception.",
"id": "GHSA-mj6p-3pc9-wf5m",
"modified": "2026-06-11T14:17:07Z",
"published": "2023-05-30T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2968"
},
{
"type": "WEB",
"url": "https://github.com/TooTallNate/proxy-agents/pull/178"
},
{
"type": "WEB",
"url": "https://github.com/TooTallNate/proxy-agents/commit/25e0c931390eb8f41c5ceaca72820de9198ece39"
},
{
"type": "PACKAGE",
"url": "https://github.com/TooTallNate/proxy-agents"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/undefined-variable-usage-in-proxy-leads-to-remote-denial-of-service-xray-520917"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "proxy denial of service vulnerability"
}
GHSA-PV7Q-J2WH-2HH7
Vulnerability from github – Published: 2023-07-14 18:31 – Updated: 2024-04-04 06:08An Improper Handling of Undefined Values vulnerability in the periodic packet management daemon (PPMD) of Juniper Networks Junos OS on MX Series(except MPC10, MPC11 and LC9600) allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS).
When a malformed CFM packet is received, it leads to an FPC crash. Continued receipt of these packets causes a sustained denial of service. This vulnerability occurs only when CFM has been configured on the interface.
This issue affects Juniper Networks Junos OS: versions prior to 19.1R3-S10 on MX Series; 19.2 versions prior to 19.2R3-S7 on MX Series; 19.3 versions prior to 19.3R3-S8 on MX Series; 19.4 versions prior to 19.4R3-S12 on MX Series; 20.1 version 20.1R1 and later versions on MX Series; 20.2 versions prior to 20.2R3-S8 on MX Series; 20.3 version 20.3R1 and later versions on MX Series; 20.4 versions prior to 20.4R3-S7 on MX Series; 21.1 versions prior to 21.1R3-S5 on MX Series; 21.2 versions prior to 21.2R3-S5 on MX Series; 21.3 versions prior to 21.3R3-S4 on MX Series; 21.4 versions prior to 21.4R3-S4 on MX Series; 22.1 versions prior to 22.1R3-S3 on MX Series; 22.2 versions prior to 22.2R3-S1 on MX Series; 22.3 versions prior to 22.3R3 on MX Series; 22.4 versions prior to 22.4R1-S2, 22.4R2 on MX Series.
{
"affected": [],
"aliases": [
"CVE-2023-36848"
],
"database_specific": {
"cwe_ids": [
"CWE-232"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-14T18:15:10Z",
"severity": "MODERATE"
},
"details": "An Improper Handling of Undefined Values vulnerability in the periodic packet management daemon (PPMD) of Juniper Networks Junos OS on MX Series(except MPC10, MPC11 and LC9600) allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS).\n\nWhen a malformed CFM packet is received, it leads to an FPC crash. Continued receipt of these packets causes a sustained denial of service. This vulnerability occurs only when CFM has been configured on the interface.\n\nThis issue affects Juniper Networks Junos OS:\nversions prior to 19.1R3-S10 on MX Series;\n19.2 versions prior to 19.2R3-S7 on MX Series;\n19.3 versions prior to 19.3R3-S8 on MX Series;\n19.4 versions prior to 19.4R3-S12 on MX Series;\n20.1 version 20.1R1 and later versions on MX Series;\n20.2 versions prior to 20.2R3-S8 on MX Series;\n20.3 version 20.3R1 and later versions on MX Series;\n20.4 versions prior to 20.4R3-S7 on MX Series;\n21.1 versions prior to 21.1R3-S5 on MX Series;\n21.2 versions prior to 21.2R3-S5 on MX Series;\n21.3 versions prior to 21.3R3-S4 on MX Series;\n21.4 versions prior to 21.4R3-S4 on MX Series;\n22.1 versions prior to 22.1R3-S3 on MX Series;\n22.2 versions prior to 22.2R3-S1 on MX Series;\n22.3 versions prior to 22.3R3 on MX Series;\n22.4 versions prior to 22.4R1-S2, 22.4R2 on MX Series.\n",
"id": "GHSA-pv7q-j2wh-2hh7",
"modified": "2024-04-04T06:08:57Z",
"published": "2023-07-14T18:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36848"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA71659"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPMF-XFG7-Q3GP
Vulnerability from github – Published: 2025-09-24 18:30 – Updated: 2025-09-24 18:30A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute persistent code at boot time and break the chain of trust. This vulnerability is due to improper validation of software packages. An attacker could exploit this vulnerability by placing a crafted file into a specific location on an affected device. A successful exploit could allow the attacker to execute persistent code on the underlying operating system. Because this vulnerability allows an attacker to bypass a major security feature of a device, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.
{
"affected": [],
"aliases": [
"CVE-2025-20314"
],
"database_specific": {
"cwe_ids": [
"CWE-232"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-24T18:15:35Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute persistent code at boot time and break the chain of trust.\nThis vulnerability is due to improper validation of software packages. An attacker could exploit this vulnerability by placing a crafted file into a specific location on an affected device. A successful exploit could allow the attacker to execute persistent code on the underlying operating system.\nBecause this vulnerability allows an attacker to bypass a major security feature of a device, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High.",
"id": "GHSA-wpmf-xfg7-q3gp",
"modified": "2025-09-24T18:30:31Z",
"published": "2025-09-24T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20314"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secboot-UqFD8AvC"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHPP-8GQ6-3HF5
Vulnerability from github – Published: 2023-09-13 15:31 – Updated: 2024-09-11 18:30NLnet Labs’ Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914.
{
"affected": [],
"aliases": [
"CVE-2023-39915"
],
"database_specific": {
"cwe_ids": [
"CWE-228",
"CWE-232"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-13T15:15:07Z",
"severity": "HIGH"
},
"details": "NLnet Labs\u2019 Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914.",
"id": "GHSA-xhpp-8gq6-3hf5",
"modified": "2024-09-11T18:30:59Z",
"published": "2023-09-13T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39915"
},
{
"type": "WEB",
"url": "https://nlnetlabs.nl/downloads/routinator/CVE-2023-39915.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XXJ5-MHW2-JGP8
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2025-10-30 21:30A vulnerability in the Voice Telephony Service Provider (VTSP) service of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass configured destination patterns and dial arbitrary numbers. This vulnerability is due to insufficient validation of dial strings at Foreign Exchange Office (FXO) interfaces. An attacker could exploit this vulnerability by sending a malformed dial string to an affected device via either the ISDN protocol or SIP. A successful exploit could allow the attacker to conduct toll fraud, resulting in unexpected financial impact to affected customers.
{
"affected": [],
"aliases": [
"CVE-2021-34705"
],
"database_specific": {
"cwe_ids": [
"CWE-232"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-23T03:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Voice Telephony Service Provider (VTSP) service of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass configured destination patterns and dial arbitrary numbers. This vulnerability is due to insufficient validation of dial strings at Foreign Exchange Office (FXO) interfaces. An attacker could exploit this vulnerability by sending a malformed dial string to an affected device via either the ISDN protocol or SIP. A successful exploit could allow the attacker to conduct toll fraud, resulting in unexpected financial impact to affected customers.",
"id": "GHSA-xxj5-mhw2-jgp8",
"modified": "2025-10-30T21:30:33Z",
"published": "2022-05-24T19:15:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34705"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fxo-pattern-bypass-jUXgygYv"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.