Common Weakness Enumeration

CWE-349

Allowed

Acceptance of Extraneous Untrusted Data With Trusted Data

Abstraction: Base · Status: Draft

The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.

76 vulnerabilities reference this CWE, most recent first.

CVE-2019-9535 (GCVE-0-2019-9535)

Vulnerability from cvelistv5 – Published: 2019-10-09 19:15 – Updated: 2024-09-17 02:11
VLAI
Title
iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution
Summary
A vulnerability exists in the way that iTerm2 integrates with tmux's control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5. This vulnerability may allow an attacker to execute arbitrary commands on their victim's computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content.
Severity
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
iTerm2 iTerm2 Affected: 3.3.5 , ≤ 3.3.5 (custom)
Create a notification for this product.
Date Public
2019-10-09 00:00
Credits
Thanks to Stefan Grönke and Fabian Freyer of Radically Open Security for finding this vulnerability, the Mozilla Open Source Support (MOSS) project for supporting the audit, and George Nachman of iTerm2 for developing the fix, and all parties for coordinating this vulnerability.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T21:54:44.484Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "VU#763073",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://kb.cert.org/vuls/id/763073/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/iterm2-discuss/57k_AuLdQa4"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "iTerm2",
          "vendor": "iTerm2",
          "versions": [
            {
              "lessThanOrEqual": "3.3.5",
              "status": "affected",
              "version": "3.3.5",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to Stefan Gr\u00f6nke and Fabian Freyer of Radically Open Security for finding this vulnerability, the Mozilla Open Source Support (MOSS) project for supporting the audit, and George Nachman of iTerm2 for developing the fix, and all parties for coordinating this vulnerability."
        }
      ],
      "datePublic": "2019-10-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability exists in the way that iTerm2 integrates with tmux\u0027s control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5. This vulnerability may allow an attacker to execute arbitrary commands on their victim\u0027s computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-349",
              "description": "CWE-349",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-09T19:15:44.000Z",
        "orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
        "shortName": "certcc"
      },
      "references": [
        {
          "name": "VU#763073",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://kb.cert.org/vuls/id/763073/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://groups.google.com/forum/#%21topic/iterm2-discuss/57k_AuLdQa4"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution",
      "workarounds": [
        {
          "lang": "en",
          "value": "Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.8"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "DATE_PUBLIC": "2019-10-09T04:00:00.000Z",
          "ID": "CVE-2019-9535",
          "STATE": "PUBLIC",
          "TITLE": "iTerm2, up to and including version 3.3.5, with tmux integration is vulnerable to remote command execution"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "iTerm2",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "3.3.5",
                            "version_value": "3.3.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "iTerm2"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks to Stefan Gr\u00f6nke and Fabian Freyer of Radically Open Security for finding this vulnerability, the Mozilla Open Source Support (MOSS) project for supporting the audit, and George Nachman of iTerm2 for developing the fix, and all parties for coordinating this vulnerability."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability exists in the way that iTerm2 integrates with tmux\u0027s control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5. This vulnerability may allow an attacker to execute arbitrary commands on their victim\u0027s computer by providing malicious output to the terminal. It could be exploited using command-line utilities that print attacker-controlled content."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.8"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-349"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "VU#763073",
              "refsource": "CERT-VN",
              "url": "https://kb.cert.org/vuls/id/763073/"
            },
            {
              "name": "https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/",
              "refsource": "MISC",
              "url": "https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/iterm2-discuss/57k_AuLdQa4",
              "refsource": "CONFIRM",
              "url": "https://groups.google.com/forum/#!topic/iterm2-discuss/57k_AuLdQa4"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
    "assignerShortName": "certcc",
    "cveId": "CVE-2019-9535",
    "datePublished": "2019-10-09T19:15:44.101Z",
    "dateReserved": "2019-03-01T00:00:00.000Z",
    "dateUpdated": "2024-09-17T02:11:00.076Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-1131 (GCVE-0-2018-1131)

Vulnerability from cvelistv5 – Published: 2018-05-15 13:00 – Updated: 2024-09-16 23:16
VLAI
Summary
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.
Severity
No CVSS data available.
CWE
Assigner
References
URL Tags
https://bugzilla.redhat.com/show_bug.cgi?id=1576492 x_refsource_CONFIRM
http://www.securityfocus.com/bid/104218 vdb-entryx_refsource_BID
https://access.redhat.com/errata/RHSA-2018:1833 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3892 vendor-advisoryx_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat, Inc. infinispan Affected: 9.0.3.Final
Affected: 9.1.7.Final
Affected: 8.2.10.Final
Affected: 9.2.2.Final
Affected: 9.3.0.Alpha1
Create a notification for this product.
Date Public
2018-05-14 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:51:48.906Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1576492"
          },
          {
            "name": "104218",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104218"
          },
          {
            "name": "RHSA-2018:1833",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:1833"
          },
          {
            "name": "RHSA-2019:3892",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:3892"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "infinispan",
          "vendor": "Red Hat, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "9.0.3.Final"
            },
            {
              "status": "affected",
              "version": "9.1.7.Final"
            },
            {
              "status": "affected",
              "version": "8.2.10.Final"
            },
            {
              "status": "affected",
              "version": "9.2.2.Final"
            },
            {
              "status": "affected",
              "version": "9.3.0.Alpha1"
            }
          ]
        }
      ],
      "datePublic": "2018-05-14T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-349",
              "description": "CWE-349",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-14T23:07:11.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1576492"
        },
        {
          "name": "104218",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104218"
        },
        {
          "name": "RHSA-2018:1833",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:1833"
        },
        {
          "name": "RHSA-2019:3892",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:3892"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "DATE_PUBLIC": "2018-05-14T00:00:00",
          "ID": "CVE-2018-1131",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "infinispan",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "9.0.3.Final"
                          },
                          {
                            "version_value": "9.1.7.Final"
                          },
                          {
                            "version_value": "8.2.10.Final"
                          },
                          {
                            "version_value": "9.2.2.Final"
                          },
                          {
                            "version_value": "9.3.0.Alpha1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat, Inc."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-349"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1576492",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1576492"
            },
            {
              "name": "104218",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104218"
            },
            {
              "name": "RHSA-2018:1833",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:1833"
            },
            {
              "name": "RHSA-2019:3892",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:3892"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2018-1131",
    "datePublished": "2018-05-15T13:00:00.000Z",
    "dateReserved": "2017-12-04T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:16:45.728Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2HM8-9847-Q7GC

Vulnerability from github – Published: 2025-07-16 15:32 – Updated: 2025-07-16 15:32
VLAI
Details

A named caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack. This issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-40776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-349"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-16T14:15:25Z",
    "severity": "HIGH"
  },
  "details": "A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack.\nThis issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1.",
  "id": "GHSA-2hm8-9847-q7gc",
  "modified": "2025-07-16T15:32:32Z",
  "published": "2025-07-16T15:32:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40776"
    },
    {
      "type": "WEB",
      "url": "https://kb.isc.org/docs/cve-2025-40776"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3G8H-86W9-WVMQ

Vulnerability from github – Published: 2026-05-11 16:12 – Updated: 2026-05-14 20:35
VLAI
Summary
Next.js's Middleware / Proxy redirects can be cache-poisoned
Details

Impact

Next.js uses the x-nextjs-data request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect.

When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients.

If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged.

Affected scenarios

This affects applications that: - use middleware or proxy redirects - are deployed behind a caching CDN or reverse proxy - allow 3xx responses on those paths to be cached without differentiating internal data requests from normal requests

Fix

The fix stops trusting x-nextjs-data by itself for middleware redirect handling. A request is now treated as an internal data request only when it is validated as such by internal routing state, preserving legitimate data-request redirect behavior while preventing external header injection from changing normal redirect responses.

Workarounds

Before upgrading, users can reduce risk by: - configuring the CDN or reverse proxy to vary its cache key on x-nextjs-data for affected responses

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.2.0"
            },
            {
              "fixed": "15.5.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0"
            },
            {
              "fixed": "16.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-349"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:12:07Z",
    "nvd_published_at": "2026-05-13T16:16:58Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nNext.js uses the `x-nextjs-data` request header for internal data requests. On affected versions, an external client could send this header on a normal request to a path handled by middleware that returns a redirect.\n\nWhen that happened, the middleware/proxy could treat the request as a data request and replace the standard `Location` redirect header with the internal `x-nextjs-redirect` header. Browsers do not follow `x-nextjs-redirect`, so the response became an unusable redirect for normal clients.\n\nIf the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a `Location` header, causing a denial of service for that redirect path until the cache entry expired or was purged.\n\n### Affected scenarios\n\nThis affects applications that:\n- use middleware or proxy redirects\n- are deployed behind a caching CDN or reverse proxy\n- allow 3xx responses on those paths to be cached without differentiating internal data requests from normal requests\n\n### Fix\n\nThe fix stops trusting `x-nextjs-data` by itself for middleware redirect handling. A request is now treated as an internal data request only when it is validated as such by internal routing state, preserving legitimate data-request redirect behavior while preventing external header injection from changing normal redirect responses.\n\n### Workarounds\n\nBefore upgrading, users can reduce risk by:\n- configuring the CDN or reverse proxy to vary its cache key on `x-nextjs-data` for affected responses",
  "id": "GHSA-3g8h-86w9-wvmq",
  "modified": "2026-05-14T20:35:56Z",
  "published": "2026-05-11T16:12:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/security/advisories/GHSA-3g8h-86w9-wvmq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44572"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vercel/next.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v15.5.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/next.js/releases/tag/v16.2.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Next.js\u0027s Middleware / Proxy redirects can be cache-poisoned"
}

GHSA-4GWR-F7FQ-56WC

Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2023-02-02 21:33
VLAI
Details

A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-349"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-26T15:15:00Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.",
  "id": "GHSA-4gwr-f7fq-56wc",
  "modified": "2023-02-02T21:33:41Z",
  "published": "2022-05-24T17:18:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10751"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2020/04/30/5"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4699"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4698"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4413-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4412-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4391-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4390-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4389-1"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/selinux/CACT4Y+b8HiV6KFuAPysZD=5hmyO4QisgxCKi4DHU3CfMPSP=yg@mail.gmail.com"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/selinux/CACT4Y+b8HiV6KFuAPysZD=5hmyO4QisgxCKi4DHU3CfMPSP=yg%40mail.gmail.com"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/06/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb73974172ffaaf57a7c42f35424d9aece1a5af6"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10751"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1839634"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2020-10751"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:4609"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:4431"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:4062"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:4060"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/05/27/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4QGF-3M3Q-8XM4

Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-16 18:31
VLAI
Details

In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-68269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-349"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T16:16:06Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH",
  "id": "GHSA-4qgf-3m3q-8xm4",
  "modified": "2025-12-16T18:31:33Z",
  "published": "2025-12-16T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68269"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59Q3-MH2G-PPQ7

Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31
VLAI
Details

Acceptance of extraneous untrusted data with trusted data in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-349"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T17:15:43Z",
    "severity": "MODERATE"
  },
  "details": "Acceptance of extraneous untrusted data with trusted data in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.",
  "id": "GHSA-59q3-mh2g-ppq7",
  "modified": "2025-07-08T18:31:45Z",
  "published": "2025-07-08T18:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48804"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48804"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5MHJ-93X4-VF9F

Vulnerability from github – Published: 2026-06-25 15:32 – Updated: 2026-06-25 15:32
VLAI
Details

Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote Code Execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41120"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-349"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T14:16:39Z",
    "severity": "CRITICAL"
  },
  "details": "Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote Code Execution.",
  "id": "GHSA-5mhj-93x4-vf9f",
  "modified": "2026-06-25T15:32:00Z",
  "published": "2026-06-25T15:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41120"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-in/000465356/dsa-2026-225?msockid=3021cac2195069ed3194ddad186a68f9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5XR6-XHWW-33M4

Vulnerability from github – Published: 2024-11-25 15:26 – Updated: 2024-11-25 15:26
VLAI
Summary
Artifact poisoning vulnerability in action-download-artifact v5 and earlier
Details

Summary

In versions of dawidd6/action-download-artifact before v6, a repository's forks were also searched by default when attempting to find matching artifacts. This could be exploited by an unprivileged attacker to introduce compromised artifacts (such as malicious executables) into a privileged workflow context, as creating a fork requires no privileges.

Users should immediately upgrade to v6 or newer, which changes the default behavior to avoid searching forks for matching artifacts. Users who cannot upgrade should explicitly set allow_forks: false to disable searching forks for artifacts.

Details

GitHub's artifact storage for workflows does not natively distinguish between artifacts created by a repository and artifacts created by forks of that repository. As a result, attempting to retrieve the "latest" artifact for a workflow run can return artifacts produced by a fork, rather than its upstream.

Because any GitHub user can create a fork of a public repository, this allows for artifact poisoning in the following scenarios (as well as potentially others):

  1. Repository alice/foo runs build.yml, producing build.exe
  2. Repository alice/foo runs publish.yml, which uses action-download-artifact@v5 to retrieve the latest build.exe from build.yml

To compromise publish.yml in this scenario, Mallory forks alice/foo to mallory/foo, and then modifies build.yml to produce a compromised build.exe. Mallory can then repeatedly trigger their copy of build.yml to ensure that their compromised build.exe is always the latest artifact, meaning that Alice's publish.yml will retrieve it.

Additional details on this vulnerability can be found in this blog post from 2022:

  • https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust

Impact

This vulnerability impacts all repositories on GitHub that use action-download-artifacts@v5 or older and do not disable allow_forks: true, which is the default.

If a repository is affected, the severity ranges from downstream contamination (such as publishing attacker-controlled artifacts) to direct workflow compromise (if the retrieved artifact is then executed in a privileged workflow context, such as push or pull_request_target).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "dawidd6/action-download-artifact"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-349"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-25T15:26:43Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nIn versions of `dawidd6/action-download-artifact` before v6, a repository\u0027s forks were also searched by default when attempting to find matching artifacts. This could be exploited by an unprivileged attacker to introduce compromised artifacts (such as malicious executables) into a privileged workflow context, as creating a fork requires no privileges.\n\nUsers should immediately upgrade to v6 or newer, which changes the default behavior to avoid searching forks for matching artifacts. Users who cannot upgrade should explicitly set `allow_forks: false` to disable searching forks for artifacts.\n\n### Details\n\nGitHub\u0027s artifact storage for workflows does not natively distinguish between artifacts created by a repository and artifacts created by forks of that repository. As a result, attempting to retrieve the \"latest\" artifact for a workflow run can return artifacts produced by a fork, rather than its upstream. \n\nBecause any GitHub user can create a fork of a public repository, this allows for artifact poisoning in the following scenarios (as well as potentially others):\n\n1. Repository `alice/foo` runs `build.yml`, producing `build.exe`\n2. Repository `alice/foo` runs `publish.yml`, which uses `action-download-artifact@v5` to retrieve the latest `build.exe` from `build.yml`\n\nTo compromise `publish.yml` in this scenario, Mallory forks `alice/foo` to `mallory/foo`, and then modifies `build.yml` to produce a compromised `build.exe`. Mallory can then repeatedly trigger their copy of `build.yml` to ensure that their compromised `build.exe` is always the latest artifact, meaning that Alice\u0027s `publish.yml` will retrieve it.\n\nAdditional details on this vulnerability can be found in this blog post from 2022:\n\n* https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust\n\n### Impact\n\nThis vulnerability impacts all repositories on GitHub that use `action-download-artifacts@v5` or older and do **not** disable `allow_forks: true`, which is the default.\n\nIf a repository is affected, the severity ranges from downstream contamination (such as publishing attacker-controlled artifacts) to direct workflow compromise (if the retrieved artifact is then executed in a privileged workflow context, such as `push` or `pull_request_target`).\n",
  "id": "GHSA-5xr6-xhww-33m4",
  "modified": "2024-11-25T15:26:43Z",
  "published": "2024-11-25T15:26:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dawidd6/action-download-artifact/security/advisories/GHSA-5xr6-xhww-33m4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dawidd6/action-download-artifact/commit/bf251b5aa9c2f7eeb574a96ee720e24f801b7c11"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dawidd6/action-download-artifact"
    },
    {
      "type": "WEB",
      "url": "https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Artifact poisoning vulnerability in action-download-artifact v5 and earlier"
}

GHSA-6W73-X38P-26G5

Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2025-12-01 03:30
VLAI
Details

NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11411"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-349"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-22T13:15:29Z",
    "severity": "MODERATE"
  },
  "details": "NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver\u0027s knowledge of the zone\u0027s name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.",
  "id": "GHSA-6w73-x38p-26g5",
  "modified": "2025-12-01T03:30:25Z",
  "published": "2025-10-22T15:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11411"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/11/26/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-141: Cache Poisoning

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

CAPEC-142: DNS Cache Poisoning

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

CAPEC-75: Manipulating Writeable Configuration Files

Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.