Common Weakness Enumeration

CWE-343

Allowed

Predictable Value Range from Previous Values

Abstraction: Base · Status: Draft

The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated.

10 vulnerabilities reference this CWE, most recent first.

CVE-2026-33221 (GCVE-0-2026-33221)

Vulnerability from cvelistv5 – Published: 2026-03-20 23:00 – Updated: 2026-03-25 13:44
VLAI
Title
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload
Summary
Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-345 - Insufficient Verification of Data Authenticity
  • CWE-343 - Predictable Value Range from Previous Values
Assigner
Impacted products
Vendor Product Version
nhost nhost Affected: < 0.12.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33221",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T13:44:34.920197Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T13:44:43.741Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nhost",
          "vendor": "nhost",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.12.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service\u0027s file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-343",
              "description": "CWE-343: Predictable Value Range from Previous Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T23:00:18.342Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm"
        },
        {
          "name": "https://github.com/nhost/nhost/pull/4018",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nhost/nhost/pull/4018"
        },
        {
          "name": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85"
        },
        {
          "name": "https://github.com/nhost/nhost/releases/tag/storage%400.12.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nhost/nhost/releases/tag/storage%400.12.0"
        }
      ],
      "source": {
        "advisory": "GHSA-g9f6-9775-hffm",
        "discovery": "UNKNOWN"
      },
      "title": "Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33221",
    "datePublished": "2026-03-20T23:00:18.342Z",
    "dateReserved": "2026-03-17T23:23:58.314Z",
    "dateUpdated": "2026-03-25T13:44:43.741Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32694 (GCVE-0-2026-32694)

Vulnerability from cvelistv5 – Published: 2026-03-18 12:55 – Updated: 2026-03-18 13:40
VLAI
Title
Insecure Direct Object Reference attack via predictable secret ID in Juju
Summary
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-343 - Predictable value range from previous values
  • CWE-639 - Authorization bypass through User-Controlled key
Assigner
References
URL Tags
https://github.com/juju/juju/security/advisories/… vendor-advisoryvdb-entry
Impacted products
Vendor Product Version
Canonical Juju Affected: 3.0.0 , < 3.6.19 (semver)
Create a notification for this product.
Credits
Dima Tisnek
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32694",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T13:39:10.787656Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T13:40:33.981Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/juju/",
          "defaultStatus": "unaffected",
          "packageName": "juju",
          "platforms": [
            "Linux"
          ],
          "product": "Juju",
          "repo": "https://github.com/juju/juju",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "3.6.19",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dima Tisnek"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-59",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-59: Session Credential Falsification through Prediction"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-343",
              "description": "CWE-343 Predictable value range from previous values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization bypass through User-Controlled key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T12:55:42.948Z",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "vdb-entry"
          ],
          "url": "https://github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Insecure Direct Object Reference attack via predictable secret ID in Juju"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2026-32694",
    "datePublished": "2026-03-18T12:55:42.948Z",
    "dateReserved": "2026-03-13T12:53:34.544Z",
    "dateUpdated": "2026-03-18T13:40:33.981Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2017-7901 (GCVE-0-2017-7901)

Vulnerability from cvelistv5 – Published: 2017-06-30 02:35 – Updated: 2024-08-05 16:19
VLAI
Summary
A Predictable Value Range from Previous Values issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. Insufficiently random TCP initial sequence numbers are generated, which may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections, resulting in a denial of service for the target device.
Severity
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
n/a Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400 Affected: Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400
Date Public
2017-06-29 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:19:29.159Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1038546",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038546"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400"
            }
          ]
        }
      ],
      "datePublic": "2017-06-29T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Predictable Value Range from Previous Values issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. Insufficiently random TCP initial sequence numbers are generated, which may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections, resulting in a denial of service for the target device."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-343",
              "description": "CWE-343",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-07T09:57:01.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "name": "1038546",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038546"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-7901",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Rockwell Automation Allen-Bradley MicroLogix 1100 and 1400"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Predictable Value Range from Previous Values issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. Insufficiently random TCP initial sequence numbers are generated, which may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections, resulting in a denial of service for the target device."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-343"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1038546",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038546"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-7901",
    "datePublished": "2017-06-30T02:35:00.000Z",
    "dateReserved": "2017-04-18T00:00:00.000Z",
    "dateUpdated": "2024-08-05T16:19:29.159Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-6030 (GCVE-0-2017-6030)

Vulnerability from cvelistv5 – Published: 2017-06-30 02:35 – Updated: 2026-06-04 21:40
VLAI
Title
Schneider Electric Modicon PLCs Predictable Value Range from Previous Values
Summary
A predictable value range from previous values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Date Public
2017-06-29 00:00
Credits
David Formby and Raheem Beyah of Georgia Tech and Fortiphyd Logic, Inc. reported the identified vulnerabilities.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:18:49.582Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02"
          },
          {
            "name": "97254",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97254"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2017-6030",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-29T13:20:18.684514Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-29T13:22:59.394Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Modicon M221",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "lessThan": "1.5.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Modicon M241",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "lessThan": "4.0.5.11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Modicon M251",
          "vendor": "Schneider Electric",
          "versions": [
            {
              "lessThan": "4.0.5.11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "David Formby and Raheem Beyah of Georgia Tech and Fortiphyd Logic, Inc. reported the identified vulnerabilities."
        }
      ],
      "datePublic": "2017-06-29T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA predictable value range from previous values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections.\u003c/p\u003e"
            }
          ],
          "value": "A predictable value range from previous values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-343",
              "description": "CWE-343",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T21:40:02.867Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02"
        },
        {
          "name": "97254",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97254"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2017/icsa-17-089-02.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSchneider Electric has released new firmware versions to address the predictable value range from previous values vulnerability and the use of insufficiently random values vulnerability, which are available through Schneider Electric\u2019s software update tool, SoMachine, Version 4.2, and SoMachineBasic, Version 1.5. Schneider Electric has not released a product to address the insufficiently protected credentials vulnerability; however, Schneider Electric has provided compensating controls to reduce the risk of exploitation.\u003c/p\u003e\u003cp\u003eSoMachineBasic, Version 1.5, is available at the following location:\u003c/p\u003e\u003cp\u003ehttp://www.schneider-electric.fr/fr/download/document/SOMBASAP15SOFT/\u0026nbsp;\u003c/p\u003e\u003cp\u003eSchneider Electric has provided the following compensating controls to reduce the risk of exploitation of the insufficiently protected credentials vulnerability:\u003c/p\u003e\u003cul\u003e\u003cli\u003eVerify that the hardware and software infrastructure that the PLCs are integrated into (along with all organizational measures and rules covering access to the infrastructure) consider the results of the hazard and risk analysis, and are implemented according to best practices and standards such as ISA/IEC 62443.\u003c/li\u003e\u003cli\u003eLimit traffic on the local network with managed switches\u003c/li\u003e\u003cli\u003eWhere possible, avoid using Wi-Fi networks, but when Wi-Fi is essential, use only secure communications (such as WPA2 encryption)\u003c/li\u003e\u003cli\u003eDo not grant [network] access to unknown computers\u003c/li\u003e\u003cli\u003eWhen remote access is essential, use secure methods such as Virtual Private Networks (VPNs), and ensure the remote access solution(s), as well as the remote computer(s) are kept up-to-date with the latest security patches.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eSchneider Electric has released Security Notifications SEVD-2017-075-01, SEVD-2017-075-02, and SEVD-2017-075-03, which provide additional information about the identified vulnerabilities, mitigations, and compensating controls:\u003c/p\u003e\u003cp\u003e\u003ca href=\"http://www.schneider-electric.com/en/download/document/SEVD-2017-075-01/\"\u003ehttp://www.schneider-electric.com/en/download/document/SEVD-2017-075-01/\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"http://www.schneider-electric.com/en/download/document/SEVD-2017-075-02/\"\u003ehttp://www.schneider-electric.com/en/download/document/SEVD-2017-075-02/\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u003ca href=\"http://www.schneider-electric.com/en/download/document/SEVD-2017-075-03/\"\u003ehttp://www.schneider-electric.com/en/download/document/SEVD-2017-075-03/\u003c/a\u003e\u003c/p\u003e"
            }
          ],
          "value": "Schneider Electric has released new firmware versions to address the predictable value range from previous values vulnerability and the use of insufficiently random values vulnerability, which are available through Schneider Electric\u2019s software update tool, SoMachine, Version 4.2, and SoMachineBasic, Version 1.5. Schneider Electric has not released a product to address the insufficiently protected credentials vulnerability; however, Schneider Electric has provided compensating controls to reduce the risk of exploitation.\n\n\n\nSoMachineBasic, Version 1.5, is available at the following location:\n\n\n\nhttp://www.schneider-electric.fr/fr/download/document/SOMBASAP15SOFT/\u00a0\n\n\n\nSchneider Electric has provided the following compensating controls to reduce the risk of exploitation of the insufficiently protected credentials vulnerability:\n\n  *  Verify that the hardware and software infrastructure that the PLCs are integrated into (along with all organizational measures and rules covering access to the infrastructure) consider the results of the hazard and risk analysis, and are implemented according to best practices and standards such as ISA/IEC 62443.\n  *  Limit traffic on the local network with managed switches\n  *  Where possible, avoid using Wi-Fi networks, but when Wi-Fi is essential, use only secure communications (such as WPA2 encryption)\n  *  Do not grant [network] access to unknown computers\n  *  When remote access is essential, use secure methods such as Virtual Private Networks (VPNs), and ensure the remote access solution(s), as well as the remote computer(s) are kept up-to-date with the latest security patches.\n\n\n\n\nSchneider Electric has released Security Notifications SEVD-2017-075-01, SEVD-2017-075-02, and SEVD-2017-075-03, which provide additional information about the identified vulnerabilities, mitigations, and compensating controls:\n\n\n\n http://www.schneider-electric.com/en/download/document/SEVD-2017-075-01/ \n\n\n\n http://www.schneider-electric.com/en/download/document/SEVD-2017-075-02/ \n\n\n\n http://www.schneider-electric.com/en/download/document/SEVD-2017-075-03/"
        }
      ],
      "source": {
        "advisory": "ICSA-17-089-02",
        "discovery": "EXTERNAL"
      },
      "title": "Schneider Electric Modicon PLCs Predictable Value Range from Previous Values",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-6030",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Schneider Electric Modicon PLCs",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Schneider Electric Modicon PLCs"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-343"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02"
            },
            {
              "name": "97254",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97254"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-6030",
    "datePublished": "2017-06-30T02:35:00.000Z",
    "dateReserved": "2017-02-16T00:00:00.000Z",
    "dateUpdated": "2026-06-04T21:40:02.867Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2014-5409 (GCVE-0-2014-5409)

Vulnerability from cvelistv5 – Published: 2015-03-14 01:00 – Updated: 2025-11-03 18:58
VLAI
Title
GE Hydran M2 Predictable Value Range from Previous Values
Summary
The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values.
Severity
No CVSS data available.
CWE
Assigner
Impacted products
Vendor Product Version
GE Hydran M2, containing the 17046 Ethernet option Affected: 0 , < October 2014 (custom)
Create a notification for this product.
Date Public
2015-03-10 06:00
Credits
Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T11:41:49.209Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-041-02"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://libraries.ge.com/download?fileid=642886573101\u0026entity_id=31955841101\u0026sid=101"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Hydran M2, containing the 17046 Ethernet option",
          "vendor": "GE",
          "versions": [
            {
              "lessThan": "October 2014",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech"
        }
      ],
      "datePublic": "2015-03-10T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values.\u003c/p\u003e"
            }
          ],
          "value": "The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values."
        }
      ],
      "metrics": [
        {
          "cvssV2_0": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-343",
              "description": "CWE-343",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-03T18:58:26.900Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-041-02"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://libraries.ge.com/download?fileid=642886573101\u0026entity_id=31955841101\u0026sid=101"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-041-02.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "GE Digital Energy has released a new version of the Ethernet option, \nwhich resolves the identified vulnerability in newly released Hydran M2 \ndevices. The update changes the sequence algorithm, which makes it \nimprobable that a TCP sequence attack could succeed. The version of \nEthernet card that implements this improvement is \n94450214LFMT100SEM-L.R3-CL.\n\n\u003cbr\u003e"
            }
          ],
          "value": "GE Digital Energy has released a new version of the Ethernet option, \nwhich resolves the identified vulnerability in newly released Hydran M2 \ndevices. The update changes the sequence algorithm, which makes it \nimprobable that a TCP sequence attack could succeed. The version of \nEthernet card that implements this improvement is \n94450214LFMT100SEM-L.R3-CL."
        }
      ],
      "source": {
        "advisory": "ICSA-15-041-02",
        "discovery": "EXTERNAL"
      },
      "title": "GE Hydran M2 Predictable Value Range from Previous Values",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere is no method to update Hydran M2 devices released prior to \nOctober 2014. GE Digital Energy recommends that utilities using older \nversions of the Hydran M2 device implement network security defensive \nmeasures, to include the following:\u003c/p\u003e\n\u003cp\u003e\u2022 \u0026nbsp; \u0026nbsp; Place the Hydran M2 inside the control system network security perimeter with access controls and monitoring.\u003c/p\u003e\n\u003cp\u003e\u2022 \u0026nbsp; \u0026nbsp; Minimize network exposure to all other control system devices. \nControl system devices should not directly face the Internet or business\n networks.\u003c/p\u003e\n\u003cp\u003e\u2022 \u0026nbsp; \u0026nbsp; Locate control system networks and devices behind properly \nconfigured firewalls, and isolate them from the business network.\u003c/p\u003e\n\u003cp\u003e\u2022 \u0026nbsp; \u0026nbsp; When remote access is required, use secure methods, such as \nVirtual Private Networks (VPNs), recognizing that VPNs may have \nvulnerabilities and should be updated to the most current version \navailable. Also recognize that VPN is only as secure as the connected \ndevices.\u003c/p\u003e\n\u003cp\u003eGE Digital Energy\u2019s Product Bulletin is available in at the following location, with a user account:\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://libraries.ge.com/download?fileid=642886573101\u0026amp;entity_id=31955841101\u0026amp;sid=101\"\u003ehttp://libraries.ge.com/download?fileid=642886573101\u0026amp;entity_id=31955841101\u0026amp;sid=101\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "There is no method to update Hydran M2 devices released prior to \nOctober 2014. GE Digital Energy recommends that utilities using older \nversions of the Hydran M2 device implement network security defensive \nmeasures, to include the following:\n\n\n\u2022 \u00a0 \u00a0 Place the Hydran M2 inside the control system network security perimeter with access controls and monitoring.\n\n\n\u2022 \u00a0 \u00a0 Minimize network exposure to all other control system devices. \nControl system devices should not directly face the Internet or business\n networks.\n\n\n\u2022 \u00a0 \u00a0 Locate control system networks and devices behind properly \nconfigured firewalls, and isolate them from the business network.\n\n\n\u2022 \u00a0 \u00a0 When remote access is required, use secure methods, such as \nVirtual Private Networks (VPNs), recognizing that VPNs may have \nvulnerabilities and should be updated to the most current version \navailable. Also recognize that VPN is only as secure as the connected \ndevices.\n\n\nGE Digital Energy\u2019s Product Bulletin is available in at the following location, with a user account:\n\n\n http://libraries.ge.com/download?fileid=642886573101\u0026entity_id=31955841101\u0026sid=101"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2014-5409",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-041-02",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-041-02"
            },
            {
              "name": "http://libraries.ge.com/download?fileid=642886573101\u0026entity_id=31955841101\u0026sid=101",
              "refsource": "MISC",
              "url": "http://libraries.ge.com/download?fileid=642886573101\u0026entity_id=31955841101\u0026sid=101"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2014-5409",
    "datePublished": "2015-03-14T01:00:00.000Z",
    "dateReserved": "2014-08-22T00:00:00.000Z",
    "dateUpdated": "2025-11-03T18:58:26.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-5CJ2-RQQF-HX9P

Vulnerability from github – Published: 2026-03-19 17:43 – Updated: 2026-03-19 17:43
VLAI
Summary
Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets
Details

Summary

Predictable secret ID and lack of secret origin API enable confused deputy attacks on Juju workloads.

Details

A Juju application can create a secret and grant it to another integrated application (grantee).

When they do so, the secret owner has to communicate the secret id to the grantee.

The grantee, having received the secret id can load the secret content and perform operations on behalf of the secret owner.

However, today the grantee has no way to determine which granted secret belongs to which owner.

Instead the grantee relies on: - being able to read the secret by id (secret was in fact granted, by some entity) - secret id was received over a relation (the remote end of the relation is presumed to be secret owner)

Additionally, secret IDs are XID, which are predictable, here two secrets created by two distinct apps in the same K8s model close in time:

d34vsl7mp25c76301hs0
time (UTC): 2025-09-17 00:18:28 (Unix 1758068308)
machine: f6c88a
pid: 50072
counter: 6294648

d34vslfmp25c76301hsg
time (UTC): 2025-09-17 00:18:29 (Unix 1758068309)
machine: f6c88a
pid: 50072
counter: 6294649

PoC

This allows for an IDOR attack where: - actors: - a Good application (the owner of the Victim), - an Evil application, and - a Provider application (the Confused Deputy) - relations: Good --- Provider, Evil --- Provider - secrets: Good and Evil create Secrets, granting them to the Provider and communicate Secret IDs with the Provider. - semantics: the Provider performs some operation on behalf of the Good/Evil using the Secret. - weakness 1: Evil can guess the Secret ID that Good granted and communicated to Provider. - weakness 2: Juju doesn't provide the Provider application the facility to verify the provenance of the Secret IDs. - exploit: Evil passes Good's secret id to Provider. - bypass: Provider performs evil operation with Good's Secret ID on behalf of Evil.

Evil could benefit by: - exfiltrating Good's Secret via reflection. - reading or mutating Good's resources accessible via *Good's Secret.

Impact

This requires a complex setup.

Not all shared secrets are used like above, so an actual exploit requires a very specific relation interface, specific semantics of the data in the databag, and an administrator having a reasonable need to deploy two apps (one evil, one good) related to the same (third) provider app.

If exploited, it can be very hard to determine what went wrong after the fact.

Suggested remediation

1. Longer, random secret IDs

For example, if the secret id was extended with a 128-bit nonce, guessing a sibling secret ID would be infeasible, and an attack of this style would require another weakness (e.g. secret IDs exposed in logs)

2. Grantee secret API

Today, an app is not allowed to call secret-info-get on the granted secret. Additionally, granted secrets are not included in the secret-ids output.

Suppose that the Provider could run these hook tools:

(provider/0)> secret-ids
my-own-secret-123

(provider/0)> secret-ids --grants
good-secret-id-42
evil-secret-id-43

(provider/0)> secret-info-get good-secret-id-42
good-secret-id-42:
  revision: 1
  label: ""
  owner: good
  grant-relation-id: 12
  rotation: never

The Provider would then able to validate the secret ID it's about to use against: - the relation in which the secret ID has been passed (good relation 12 or evil relation 14) - the application or unit name of the secret owner (good or evil)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/juju/juju"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20221021155847-35c560704ee2"
            },
            {
              "fixed": "0.0.0-20260319091847-d06919eb03ec"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32694"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-343"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T17:43:47Z",
    "nvd_published_at": "2026-03-18T14:16:40Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nPredictable secret ID and lack of secret origin API enable confused deputy attacks on Juju workloads.\n\n### Details\n\nA Juju application can create a secret and grant it to another integrated application (grantee).\n\nWhen they do so, the secret owner has to communicate the secret id to the grantee.\n\nThe grantee, having received the secret id can load the secret content and perform operations on behalf of the secret owner.\n\nHowever, today the grantee has no way to determine which granted secret belongs to which owner.\n\nInstead the grantee relies on:\n- being able to read the secret by id (secret was in fact granted, by some entity)\n- secret id was received over a relation (the remote end of the relation is presumed to be secret owner)\n\nAdditionally, secret IDs are XID, which are predictable, here two secrets created by two distinct apps in the same K8s model close in time:\n```\nd34vsl7mp25c76301hs0\ntime (UTC): 2025-09-17 00:18:28 (Unix 1758068308)\nmachine: f6c88a\npid: 50072\ncounter: 6294648\n\nd34vslfmp25c76301hsg\ntime (UTC): 2025-09-17 00:18:29 (Unix 1758068309)\nmachine: f6c88a\npid: 50072\ncounter: 6294649\n```\n\n### PoC\n\nThis allows for an IDOR attack where:\n- actors:\n  - a **Good** application (the owner of the _Victim_),\n  - an **Evil** application, and\n  - a **Provider** application (the _Confused Deputy_)\n- relations: **Good** --- **Provider**, **Evil** --- **Provider**\n- secrets: **Good** and **Evil** create _Secrets_, granting them to the **Provider** and communicate _Secret IDs_ with the **Provider**.\n- semantics: the **Provider** performs some operation on behalf of the **Good**/**Evil** using the _Secret_.\n- weakness 1: **Evil** can guess the _Secret ID_ that **Good** granted and communicated to **Provider**.\n- weakness 2: _Juju_ doesn\u0027t provide the **Provider** application the facility to verify the provenance of the _Secret IDs_.\n- exploit: **Evil** passes **Good**\u0027s secret id to **Provider**.\n- bypass: **Provider** performs _evil_ operation with **Good**\u0027s _Secret ID_ on behalf of **Evil**.\n\n**Evil** could benefit by:\n- exfiltrating **Good**\u0027s _Secret_ via reflection.\n- reading or mutating **Good**\u0027s resources accessible via **Good*\u0027s _Secret_.\n\n### Impact\n\nThis requires a complex setup.\n\nNot all shared secrets are used like above, so an actual exploit requires a very specific relation interface, specific semantics of the data in the databag, and an administrator having a reasonable need to deploy two apps (one evil, one good) related to the same (third) provider app.\n\nIf exploited, it can be very hard to determine what went wrong after the fact.\n\n### Suggested remediation\n\n#### 1. Longer, random secret IDs\n\nFor example, if the secret id was extended with a 128-bit nonce, guessing a sibling secret ID would be infeasible, and an attack of this style would require another weakness (e.g. secret IDs exposed in logs)\n\n#### 2. Grantee secret API\n\nToday, an app is not allowed to call `secret-info-get` on the granted secret.\nAdditionally, granted secrets are not included in the `secret-ids` output.\n\nSuppose that the Provider could run these hook tools:\n```command\n(provider/0)\u003e secret-ids\nmy-own-secret-123\n\n(provider/0)\u003e secret-ids --grants\ngood-secret-id-42\nevil-secret-id-43\n\n(provider/0)\u003e secret-info-get good-secret-id-42\ngood-secret-id-42:\n  revision: 1\n  label: \"\"\n  owner: good\n  grant-relation-id: 12\n  rotation: never\n```\n\nThe Provider would then able to validate the secret ID it\u0027s about to use against:\n- the relation in which the secret ID has been passed (good relation 12 or evil relation 14)\n- the application or unit name of the secret owner (good or evil)",
  "id": "GHSA-5cj2-rqqf-hx9p",
  "modified": "2026-03-19T17:43:47Z",
  "published": "2026-03-19T17:43:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/juju/juju/security/advisories/GHSA-5cj2-rqqf-hx9p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32694"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juju/juju/commit/d06919eb03ec68156818bcc304b5fe1c39a8f9e9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/juju/juju"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets"
}

GHSA-9MHW-MX58-2JCH

Vulnerability from github – Published: 2022-05-17 02:34 – Updated: 2022-05-17 02:34
VLAI
Details

A Predictable Value Range from Previous Values issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. Insufficiently random TCP initial sequence numbers are generated, which may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections, resulting in a denial of service for the target device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7901"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-343"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-30T03:29:00Z",
    "severity": "HIGH"
  },
  "details": "A Predictable Value Range from Previous Values issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. Insufficiently random TCP initial sequence numbers are generated, which may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections, resulting in a denial of service for the target device.",
  "id": "GHSA-9mhw-mx58-2jch",
  "modified": "2022-05-17T02:34:08Z",
  "published": "2022-05-17T02:34:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7901"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-04"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038546"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G9F6-9775-HFFM

Vulnerability from github – Published: 2026-03-18 20:21 – Updated: 2026-06-09 11:52
VLAI
Summary
Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload
Details

Summary

The storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets.

Affected Component

  • Service: services/storage
  • File: services/storage/controller/upload_files.go
  • Function: getMultipartFile (lines 48-70)

Root Cause

In getMultipartFile, if the client provides a non-empty Content-Type header that isn't application/octet-stream, the function returns it as-is without performing content-based detection:

contentType := file.header.Header.Get("Content-Type")
if contentType != "" && contentType != "application/octet-stream" {
    return fileContent, contentType, nil // skip detection entirely
}

// mimetype.DetectReader only reached if client sends no Content-Type
// or sends application/octet-stream
mt, err := mimetype.DetectReader(fileContent)

Impact

Incorrect MIME type in file metadata. The MIME type stored in file metadata reflects what the client claims rather than what the file actually contains. Any system consuming this metadata (browsers, CDNs, applications) may handle the file incorrectly based on the spoofed type.

Suggested Fix

Always detect MIME type from file content using mimetype.DetectReader, ignoring the client-provided Content-Type header entirely.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nhost/nhost"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260318074820-c4bd53f042d7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33221"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-343",
      "CWE-345",
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T20:21:37Z",
    "nvd_published_at": "2026-03-20T23:16:46Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nThe storage service\u0027s file upload handler trusts the client-provided `Content-Type` header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets.\n\n## Affected Component\n\n- **Service**: `services/storage`\n- **File**: `services/storage/controller/upload_files.go`\n- **Function**: `getMultipartFile` (lines 48-70)\n\n## Root Cause\n\nIn `getMultipartFile`, if the client provides a non-empty `Content-Type` header that isn\u0027t `application/octet-stream`, the function returns it as-is without performing content-based detection:\n\n```go\ncontentType := file.header.Header.Get(\"Content-Type\")\nif contentType != \"\" \u0026\u0026 contentType != \"application/octet-stream\" {\n    return fileContent, contentType, nil // skip detection entirely\n}\n\n// mimetype.DetectReader only reached if client sends no Content-Type\n// or sends application/octet-stream\nmt, err := mimetype.DetectReader(fileContent)\n```\n\n## Impact\n\n**Incorrect MIME type in file metadata.** The MIME type stored in file metadata reflects what the client claims rather than what the file actually contains. Any system consuming this metadata (browsers, CDNs, applications) may handle the file incorrectly based on the spoofed type.\n\n## Suggested Fix\n\nAlways detect MIME type from file content using `mimetype.DetectReader`, ignoring the client-provided `Content-Type` header entirely.",
  "id": "GHSA-g9f6-9775-hffm",
  "modified": "2026-06-09T11:52:21Z",
  "published": "2026-03-18T20:21:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33221"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/pull/4018"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nhost/nhost"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/releases/tag/storage%400.12.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/releases/tag/storage@0.12.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload"
}

GHSA-W3R9-MWPJ-G2C7

Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2026-06-05 00:31
VLAI
Details

A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-6030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331",
      "CWE-343"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-30T03:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections.",
  "id": "GHSA-w3r9-mwpj-g2c7",
  "modified": "2026-06-05T00:31:34Z",
  "published": "2022-05-13T01:04:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2017/icsa-17-089-02.json"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-089-02"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97254"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W7HR-2CW5-QQGQ

Vulnerability from github – Published: 2022-05-17 04:14 – Updated: 2025-11-03 21:30
VLAI
Details

The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-5409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-343"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-03-14T01:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values.",
  "id": "GHSA-w7hr-2cw5-qqgq",
  "modified": "2025-11-03T21:30:28Z",
  "published": "2022-05-17T04:14:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-041-02.json"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-041-02"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-041-02"
    },
    {
      "type": "WEB",
      "url": "http://libraries.ge.com/download?fileid=642886573101\u0026entity_id=31955841101\u0026sid=101"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation

Increase the entropy used to seed a PRNG.

Mitigation MIT-2
Architecture and Design Requirements

Strategy: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").

Mitigation MIT-50
Implementation

Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

No CAPEC attack patterns related to this CWE.