Common Weakness Enumeration

CWE-392

Allowed

Missing Report of Error Condition

Abstraction: Base · Status: Draft

The product encounters an error but does not provide a status code or return value to indicate that an error has occurred.

25 vulnerabilities reference this CWE, most recent first.

CVE-2023-42444 (GCVE-0-2023-42444)

Vulnerability from cvelistv5 – Published: 2023-09-19 14:47 – Updated: 2024-09-24 20:46
VLAI
Title
phonenumber panics on parsing crafted RF3966 inputs
Summary
phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-248 - Uncaught Exception
  • CWE-392 - Missing Report of Error Condition
  • CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
Impacted products
Vendor Product Version
whisperfish rust-phonenumber Affected: < 0.2.5+8.11.3
Affected: >= 0.3.0, < 0.3.3+8.3.19
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:23:38.765Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2"
          },
          {
            "name": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6"
          },
          {
            "name": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-42444",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-24T20:46:29.902328Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T20:46:54.422Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rust-phonenumber",
          "vendor": "whisperfish",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.2.5+8.11.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.3.0, \u003c 0.3.3+8.3.19"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions `0.3.3+8.13.9` and `0.2.5+8.11.3`, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of `rust-phonenumber`, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string `.;phone-context=`. Versions `0.3.3+8.13.9` and `0.2.5+8.11.3` contain a patch for this issue. There are no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-392",
              "description": "CWE-392: Missing Report of Error Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1284",
              "description": "CWE-1284: Improper Validation of Specified Quantity in Input",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-19T14:47:22.026Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-whhr-7f2w-qqj2"
        },
        {
          "name": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/whisperfish/rust-phonenumber/commit/2dd44be94539c051b4dee55d1d9d349bd7bedde6"
        },
        {
          "name": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/whisperfish/rust-phonenumber/commit/bea8e732b9cada617ede5cf51663dba183747f71"
        }
      ],
      "source": {
        "advisory": "GHSA-whhr-7f2w-qqj2",
        "discovery": "UNKNOWN"
      },
      "title": "phonenumber panics on parsing crafted RF3966 inputs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-42444",
    "datePublished": "2023-09-19T14:47:22.026Z",
    "dateReserved": "2023-09-08T20:57:45.572Z",
    "dateUpdated": "2024-09-24T20:46:54.422Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-2342 (GCVE-0-2017-2342)

Vulnerability from cvelistv5 – Published: 2017-07-14 14:00 – Updated: 2024-09-16 16:27
VLAI
Title
SRX Series: MACsec failure to report errors
Summary
MACsec feature on Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D100 on SRX300 series does not report errors when a secure link can not be established. It falls back to an unencrypted link. This can happen when MACsec is configured on ports that are not capable of MACsec or when a secure link can not be established. This can mislead customers into believing that a link is secure. On SRX 300 series devices, prior to 15.1X49-D100, MACsec was only supported on control and fabric ports of SRX340 and SRX345 devices. SRX300 and and SRX320 did not have any MACsec capable ports. Configuring MACsec on ports that were not MACsec capable would have resulted in this issue. Affected releases are Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D100 on SRX300 series.
CWE
  • CWE-392 - Missing Report of Error Condition
Assigner
References
URL Tags
https://kb.juniper.net/JSA10790 x_refsource_CONFIRM
http://www.securitytracker.com/id/1038890 vdb-entryx_refsource_SECTRACK
Impacted products
Vendor Product Version
Juniper Networks Junos OS Affected: 15.1X49 prior to 15.1X49-D100
Create a notification for this product.
Date Public
2017-07-12 00:00
Credits
Eric Haszlakiewicz and Thor Simon of Two Sigma Investments, LP
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T13:48:05.262Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kb.juniper.net/JSA10790"
          },
          {
            "name": "1038890",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1038890"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "SRX300 series"
          ],
          "product": "Junos OS",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "status": "affected",
              "version": "15.1X49 prior to 15.1X49-D100"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Eric Haszlakiewicz and Thor Simon of Two Sigma Investments, LP"
        }
      ],
      "datePublic": "2017-07-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "MACsec feature on Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D100 on SRX300 series does not report errors when a secure link can not be established. It falls back to an unencrypted link. This can happen when MACsec is configured on ports that are not capable of MACsec or when a secure link can not be established. This can mislead customers into believing that a link is secure. On SRX 300 series devices, prior to 15.1X49-D100, MACsec was only supported on control and fabric ports of SRX340 and SRX345 devices. SRX300 and and SRX320 did not have any MACsec capable ports. Configuring MACsec on ports that were not MACsec capable would have resulted in this issue. Affected releases are Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D100 on SRX300 series."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-392",
              "description": "CWE-392: Missing Report of Error Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-15T09:57:01.000Z",
        "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
        "shortName": "juniper"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kb.juniper.net/JSA10790"
        },
        {
          "name": "1038890",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1038890"
        }
      ],
      "title": "SRX Series: MACsec failure to report errors",
      "workarounds": [
        {
          "lang": "en",
          "value": "There are no viable workarounds for this issue.\nIt is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts."
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@juniper.net",
          "DATE_PUBLIC": "2017-07-12T09:00",
          "ID": "CVE-2017-2342",
          "STATE": "PUBLIC",
          "TITLE": "SRX Series: MACsec failure to report errors"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Junos OS",
                      "version": {
                        "version_data": [
                          {
                            "platform": "SRX300 series",
                            "version_value": "15.1X49 prior to 15.1X49-D100"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Juniper Networks"
              }
            ]
          }
        },
        "configuration": [],
        "credit": [
          "Eric Haszlakiewicz and Thor Simon of Two Sigma Investments, LP"
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "MACsec feature on Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D100 on SRX300 series does not report errors when a secure link can not be established. It falls back to an unencrypted link. This can happen when MACsec is configured on ports that are not capable of MACsec or when a secure link can not be established. This can mislead customers into believing that a link is secure. On SRX 300 series devices, prior to 15.1X49-D100, MACsec was only supported on control and fabric ports of SRX340 and SRX345 devices. SRX300 and and SRX320 did not have any MACsec capable ports. Configuring MACsec on ports that were not MACsec capable would have resulted in this issue. Affected releases are Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D100 on SRX300 series."
            }
          ]
        },
        "exploit": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability.",
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-392: Missing Report of Error Condition"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kb.juniper.net/JSA10790",
              "refsource": "CONFIRM",
              "url": "https://kb.juniper.net/JSA10790"
            },
            {
              "name": "1038890",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1038890"
            }
          ]
        },
        "solution": "The following software releases have been updated to resolve this specific issue:15.1X49-D100 and all subsequent releases.\n\nThis issue is being tracked as PR 1244795 and 1261983  and are visible on the Customer Support website.",
        "work_around": [
          {
            "lang": "en",
            "value": "There are no viable workarounds for this issue.\nIt is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
    "assignerShortName": "juniper",
    "cveId": "CVE-2017-2342",
    "datePublished": "2017-07-14T14:00:00.000Z",
    "dateReserved": "2016-12-01T00:00:00.000Z",
    "dateUpdated": "2024-09-16T16:27:33.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-434V-X5QV-PMH6

Vulnerability from github – Published: 2026-03-26 17:58 – Updated: 2026-03-26 17:58
VLAI
Summary
libcrux has All-Zero Key Generation Upon Catastrophic RNG Failure
Details

The libcrux-ed25519 key generation samples Ed25519 secret keys from a provided CSPRNG in a loop for up to 100 attempts until a non-zero key is found. If a non-zero key could not be sampled within 100 attempts the key generation function would silently continue with an all-zero buffer as the secret key.

Impact

This bug only occurs in the event of a catastrophic failure of the CSPRNG, but would allow anyone to forge signatures under the resulting static signing key.

Mitigation

Instead of silently continuing with an all-zero signing key, starting from version 0.0.7 key generation will error in the case of 100 failed attempts at sampling a valid key.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libcrux-ed25519"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1240",
      "CWE-331",
      "CWE-392"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T17:58:55Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The libcrux-ed25519 key generation samples Ed25519 secret keys from a provided CSPRNG in a loop for up to 100 attempts until a non-zero key is found.  If a non-zero key could not be sampled within 100 attempts the key generation function would silently continue with an all-zero buffer as the secret key.\n\n## Impact\nThis bug only occurs in the event of a catastrophic failure of the CSPRNG, but would allow anyone to forge signatures under the resulting static signing key.\n\n## Mitigation\nInstead of silently continuing with an all-zero signing key, starting from version `0.0.7` key generation will error in the case of 100 failed attempts at sampling a valid key.",
  "id": "GHSA-434v-x5qv-pmh6",
  "modified": "2026-03-26T17:58:55Z",
  "published": "2026-03-26T17:58:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/pull/1349"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cryspen/libcrux"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0075.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "libcrux has All-Zero Key Generation Upon Catastrophic RNG Failure"
}

GHSA-79V4-65XG-PQ4G

Vulnerability from github – Published: 2025-02-11 18:06 – Updated: 2025-02-12 18:20
VLAI
Summary
Vulnerable OpenSSL included in cryptography wheels
Details

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cryptography"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "42.0.0"
            },
            {
              "fixed": "44.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-12797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-392"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-11T18:06:42Z",
    "nvd_published_at": "2025-02-11T16:15:38Z",
    "severity": "LOW"
  },
  "details": "pyca/cryptography\u0027s wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
  "id": "GHSA-79v4-65xg-pq4g",
  "modified": "2025-02-12T18:20:06Z",
  "published": "2025-02-11T18:06:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-79v4-65xg-pq4g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyca/cryptography"
    },
    {
      "type": "WEB",
      "url": "https://openssl-library.org/news/secadv/20250211.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/02/11/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/02/11/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Vulnerable OpenSSL included in cryptography wheels"
}

GHSA-9J3X-W929-5CH3

Vulnerability from github – Published: 2025-09-15 21:30 – Updated: 2025-09-15 21:30
VLAI
Details

The OCPP implementation in libocpp before 0.26.2 allows a denial of service (EVerest crash) via JSON input larger than 255 characters, because a CiString<255> object is created with StringTooLarge set to Throw.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T19:15:36Z",
    "severity": "LOW"
  },
  "details": "The OCPP implementation in libocpp before 0.26.2 allows a denial of service (EVerest crash) via JSON input larger than 255 characters, because a CiString\u003c255\u003e object is created with StringTooLarge set to Throw.",
  "id": "GHSA-9j3x-w929-5ch3",
  "modified": "2025-09-15T21:30:56Z",
  "published": "2025-09-15T21:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EVerest/everest-core/issues/1152"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EVerest/libocpp/pull/1052"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EVerest/everest-core/commit/253432ae7458ad0445f68f9d716086090c2be49c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EVerest/libocpp/commit/fb391b4ff16a0a07150e5a8eebf0856fb6623cbe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EVerest/libocpp/compare/v0.26.1...v0.26.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C2JV-35GJ-WG4V

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

MACsec feature on Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D100 on SRX300 series does not report errors when a secure link can not be established. It falls back to an unencrypted link. This can happen when MACsec is configured on ports that are not capable of MACsec or when a secure link can not be established. This can mislead customers into believing that a link is secure. On SRX 300 series devices, prior to 15.1X49-D100, MACsec was only supported on control and fabric ports of SRX340 and SRX345 devices. SRX300 and and SRX320 did not have any MACsec capable ports. Configuring MACsec on ports that were not MACsec capable would have resulted in this issue. Affected releases are Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D100 on SRX300 series.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "HIGH"
  },
  "details": "MACsec feature on Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D100 on SRX300 series does not report errors when a secure link can not be established. It falls back to an unencrypted link. This can happen when MACsec is configured on ports that are not capable of MACsec or when a secure link can not be established. This can mislead customers into believing that a link is secure. On SRX 300 series devices, prior to 15.1X49-D100, MACsec was only supported on control and fabric ports of SRX340 and SRX345 devices. SRX300 and and SRX320 did not have any MACsec capable ports. Configuring MACsec on ports that were not MACsec capable would have resulted in this issue. Affected releases are Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D100 on SRX300 series.",
  "id": "GHSA-c2jv-35gj-wg4v",
  "modified": "2022-05-13T01:36:58Z",
  "published": "2022-05-13T01:36:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2342"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10790"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038890"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CXVP-82CQ-57H2

Vulnerability from github – Published: 2023-09-21 17:10 – Updated: 2023-09-21 17:10
VLAI
Summary
blurhash panics on parsing crafted inputs
Details

Impact

The blurhash parsing code may panic due to multiple panic-guarded out-of-bounds accesses on untrusted input.

In a typical deployment, this may get triggered by feeding a maliciously crafted blurhashes over the network. These may include: - UTF-8 compliant strings containing multi-byte UTF-8 characters

Patches

The patches will be released under version 0.2.0, which requires user intervention because of slight API churn.

Workarounds

n.a.

References

n.a.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "blurhash"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.1"
            },
            {
              "fixed": "0.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-42447"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-392"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-21T17:10:22Z",
    "nvd_published_at": "2023-09-19T15:15:57Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe blurhash parsing code may panic due to multiple panic-guarded out-of-bounds accesses on untrusted input.\n\nIn a typical deployment, this may get triggered by feeding a maliciously crafted blurhashes over the network. These may include:\n- UTF-8 compliant strings containing multi-byte UTF-8 characters\n\n### Patches\nThe patches will be released under version 0.2.0, which requires user intervention because of slight API churn.\n\n### Workarounds\nn.a.\n\n### References\nn.a.\n",
  "id": "GHSA-cxvp-82cq-57h2",
  "modified": "2023-09-21T17:10:22Z",
  "published": "2023-09-21T17:10:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/whisperfish/blurhash-rs/security/advisories/GHSA-cxvp-82cq-57h2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42447"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/whisperfish/blurhash-rs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/whisperfish/blurhash-rs/releases/tag/v0.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "blurhash panics on parsing crafted inputs"
}

GHSA-MJW4-JJ88-V687

Vulnerability from github – Published: 2024-07-09 14:13 – Updated: 2024-11-18 16:26
VLAI
Summary
panic on parsing crafted phonenumber inputs
Details

Impact

The phonenumber parsing code may panic due to a reachable assert! guard on the phonenumber string.

In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form +dwPAA;phone-context=AA, where the "number" part potentially parses as a number larger than 2^56.

Since f69abee1/0.3.4/#52.

0.2.x series is not affected.

Patches

Upgrade to 0.3.6 or higher.

Workarounds

n/a

References

Whereas https://github.com/whisperfish/rust-phonenumber/issues/69 did not provide an example code path, property testing found a few: +dwPAA;phone-context=AA.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "phonenumber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.4"
            },
            {
              "fixed": "0.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-248",
      "CWE-392"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-09T14:13:48Z",
    "nvd_published_at": "2024-07-09T15:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThe phonenumber parsing code may panic due to a reachable `assert!` guard on the phonenumber string.\n\nIn a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the \"number\" part potentially parses as a number larger than 2^56.\n\nSince f69abee1/0.3.4/#52.\n\n0.2.x series is not affected.\n\n### Patches\nUpgrade to 0.3.6 or higher.\n\n### Workarounds\nn/a\n\n### References\nWhereas https://github.com/whisperfish/rust-phonenumber/issues/69 did not provide an example code path, property testing found a few: `+dwPAA;phone-context=AA`.\n",
  "id": "GHSA-mjw4-jj88-v687",
  "modified": "2024-11-18T16:26:50Z",
  "published": "2024-07-09T14:13:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/whisperfish/rust-phonenumber/issues/69"
    },
    {
      "type": "WEB",
      "url": "https://github.com/whisperfish/rust-phonenumber/pull/52"
    },
    {
      "type": "WEB",
      "url": "https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203"
    },
    {
      "type": "WEB",
      "url": "https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/whisperfish/rust-phonenumber"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0369.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "panic on parsing crafted phonenumber inputs"
}

GHSA-PCM4-9FQW-4W8H

Vulnerability from github – Published: 2026-03-04 18:31 – Updated: 2026-03-04 18:31
VLAI
Details

Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection.

This vulnerability is due to incomplete parsing of the SSL handshake ingress packets. An attacker could exploit this vulnerability by sending crafted SSL handshake packets. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when the Snort 3 Detection Engine restarts unexpectedly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-20005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-04T17:16:18Z",
    "severity": "MODERATE"
  },
  "details": "Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection.\n\n This vulnerability is due to incomplete parsing of the SSL handshake ingress packets. An attacker could exploit this vulnerability by sending crafted SSL handshake packets. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when the Snort 3 Detection Engine restarts unexpectedly.",
  "id": "GHSA-pcm4-9fqw-4w8h",
  "modified": "2026-03-04T18:31:53Z",
  "published": "2026-03-04T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20005"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-multi-dos-XFWkWSwz"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R7VH-7QJC-WCJC

Vulnerability from github – Published: 2023-12-12 12:30 – Updated: 2023-12-12 12:30
VLAI
Details

A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). The REST API of affected devices does not check the length of parameters in certain conditions. This allows a malicious admin to crash the server by sending a crafted request to the API. The server will automatically restart.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-392"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-12T12:15:15Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been identified in SINEC INS (All versions \u003c V1.0 SP2 Update 2). The REST API of affected devices does not check the length of parameters in certain conditions. This allows a malicious admin to crash the server by sending a crafted request to the API. The server will automatically restart.",
  "id": "GHSA-r7vh-7qjc-wcjc",
  "modified": "2023-12-12T12:30:54Z",
  "published": "2023-12-12T12:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48430"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-077170.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.