Common Weakness Enumeration

CWE-402

Allowed-with-Review

Transmission of Private Resources into a New Sphere ('Resource Leak')

Abstraction: Class · Status: Draft

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

44 vulnerabilities reference this CWE, most recent first.

GHSA-7VR7-CGHH-CH63

Vulnerability from github – Published: 2023-06-20 16:45 – Updated: 2023-06-20 16:45
VLAI
Summary
XWiki Platform may retrieve email addresses of all users
Details

Impact

The mail obfuscation configuration was not fully taken into account and while the mail displayed to the end user was obfuscated: - the rest response was also containing the mail unobfuscated - user were able to filter and sort on the unobfuscated (allowing to infer the mail content)

The consequence was the possibility to retrieve the email addresses of all users even when obfuscated.

See https://jira.xwiki.org/browse/XWIKI-20333 for the reproduction steps.

Patches

This has been patched in XWiki 14.10.4, XWiki 14.4.8, and XWiki 15.0-rc-1.

Workarounds

The workaround is to modify the page XWiki.LiveTableResultsMacros following this patch.

References

https://jira.xwiki.org/browse/XWIKI-20333

For more information

If you have any questions or comments about this advisory:

Attribution

This vulnerability has been reported on Intigriti by @floerer

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-livetable-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5-milestone-1"
            },
            {
              "fixed": "14.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-livetable-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.5"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-20T16:45:32Z",
    "nvd_published_at": "2023-06-23T17:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe mail obfuscation configuration was not fully taken into account and while the mail displayed to the end user was obfuscated:\n- the rest response was also containing the mail unobfuscated\n- user were able to filter and sort on the unobfuscated (allowing to infer the mail content)\n\nThe consequence was the possibility to retrieve the email addresses of all users even when obfuscated.\n\nSee https://jira.xwiki.org/browse/XWIKI-20333 for the reproduction steps.\n\n### Patches\nThis has been patched in XWiki 14.10.4, XWiki 14.4.8, and XWiki 15.0-rc-1.\n\n### Workarounds\nThe workaround is to modify the page `XWiki.LiveTableResultsMacros` following this [patch](https://github.com/xwiki/xwiki-platform/commit/71f889db9962df2d385f4298e29cfbc9050b828a#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a).\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-20333\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n*    Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n*    Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nThis vulnerability has been reported on Intigriti by @floerer",
  "id": "GHSA-7vr7-cghh-ch63",
  "modified": "2023-06-20T16:45:32Z",
  "published": "2023-06-20T16:45:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vr7-cghh-ch63"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34467"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/71f889db9962df2d385f4298e29cfbc9050b828a#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20333"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform may retrieve email addresses of all users "
}

GHSA-89XC-2H7R-QC62

Vulnerability from github – Published: 2025-01-15 18:30 – Updated: 2025-12-15 21:30
VLAI
Details

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-15T18:15:24Z",
    "severity": "MODERATE"
  },
  "details": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Windows, 64 bit, ARM allows Directory Indexing, Resource Leak Exposure.This issue affects CrafterCMS: from 4.0.0 before 4.0.8, from 4.1.0 before 4.1.6.",
  "id": "GHSA-89xc-2h7r-qc62",
  "modified": "2025-12-15T21:30:27Z",
  "published": "2025-01-15T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0502"
    },
    {
      "type": "WEB",
      "url": "https://craftercms.com/docs/current/security/advisory.html#cv-2025011501"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:L/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9J38-893W-VVH9

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-402"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-07T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details.",
  "id": "GHSA-9j38-893w-vvh9",
  "modified": "2022-05-13T01:36:11Z",
  "published": "2022-05-13T01:36:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8442"
    },
    {
      "type": "WEB",
      "url": "https://www.elastic.co/community/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RC7-JMVV-4FHR

Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2025-11-12 09:30
VLAI
Details

A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions < V2.6.6), SICAM GridEdge Essential Intel (All versions < V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions < V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions < V2.6.6). The affected software discloses password hashes of other users upon request. This could allow an authenticated user to retrieve another users password hash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-14T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions \u003c V2.6.6), SICAM GridEdge Essential Intel (All versions \u003c V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions \u003c V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions \u003c V2.6.6). The affected software discloses password hashes of other users upon request. This could allow an authenticated user to retrieve another users password hash.",
  "id": "GHSA-9rc7-jmvv-4fhr",
  "modified": "2025-11-12T09:30:26Z",
  "published": "2022-06-15T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30231"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-631336.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-631336.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CQMW-QRQR-V255

Vulnerability from github – Published: 2025-04-05 21:30 – Updated: 2025-04-05 21:30
VLAI
Details

In Zammad 6.4.x before 6.4.2, there is information exposure. Only agents should be able to see and work on shared article drafts. However, a logged in customer was able to see details about shared drafts for their customer tickets in the browser console, which may contain confidential information, and also to manipulate them via API.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32360"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-05T21:15:40Z",
    "severity": "MODERATE"
  },
  "details": "In Zammad 6.4.x before 6.4.2, there is information exposure. Only agents should be able to see and work on shared article drafts. However, a logged in customer was able to see details about shared drafts for their customer tickets in the browser console, which may contain confidential information, and also to manipulate them via API.",
  "id": "GHSA-cqmw-qrqr-v255",
  "modified": "2025-04-05T21:30:23Z",
  "published": "2025-04-05T21:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32360"
    },
    {
      "type": "WEB",
      "url": "https://zammad.com/en/advisories/zaa-2025-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FH4C-98RX-VXVW

Vulnerability from github – Published: 2025-12-01 18:30 – Updated: 2025-12-01 18:30
VLAI
Details

Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially crafted UDP packets. This allows an attacker to bypass the firewall and access UDP-based services that would otherwise be protected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-01T16:15:49Z",
    "severity": "MODERATE"
  },
  "details": "Due to a firewall misconfiguration, Kerlink devices running KerOS prior to 5.12 incorrectly accept specially crafted UDP packets. This allows an attacker to bypass the firewall and access UDP-based services that would otherwise be protected.",
  "id": "GHSA-fh4c-98rx-vxvw",
  "modified": "2025-12-01T18:30:37Z",
  "published": "2025-12-01T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32388"
    },
    {
      "type": "WEB",
      "url": "https://keros.docs.kerlink.com/security/security_advisories_kerOS5"
    },
    {
      "type": "WEB",
      "url": "https://www.bdosecurity.de/en-gb/advisories/cve-2024-32388"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G9W4-PRF3-M25G

Vulnerability from github – Published: 2023-07-27 19:28 – Updated: 2024-03-18 19:55
VLAI
Summary
Obfuscated email addresses should not be sorted
Details

Impact

The mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails.

See https://jira.xwiki.org/browse/XWIKI-20601 for the reproduction steps.

Patches

This has been patched in XWiki 14.10.9, and XWiki 15.3-rc-1.

Workarounds

The workaround is to modify the page XWiki.LiveTableResultsMacros following this patch.

References

  • https://jira.xwiki.org/browse/XWIKI-20601
  • https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-livetable-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.5-milestone-1"
            },
            {
              "fixed": "14.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-livetable-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0"
            },
            {
              "fixed": "15.3-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-38509"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-27T19:28:45Z",
    "nvd_published_at": "2023-11-07T04:17:20Z",
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nThe mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails.\n\nSee https://jira.xwiki.org/browse/XWIKI-20601 for the reproduction steps.\n\n## Patches\n\nThis has been patched in XWiki 14.10.9, and XWiki 15.3-rc-1.\n\n## Workarounds\n\nThe workaround is to modify the page XWiki.LiveTableResultsMacros following this [patch](https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c).\n\n## References\n\n- https://jira.xwiki.org/browse/XWIKI-20601\n- https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c\n\n## For more information\n\nIf you have any questions or comments about this advisory:\n\n-    Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n-    Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-g9w4-prf3-m25g",
  "modified": "2024-03-18T19:55:38Z",
  "published": "2023-07-27T19:28:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g9w4-prf3-m25g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38509"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20601"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Obfuscated email addresses should not be sorted"
}

GHSA-J9WR-49VQ-RM5G

Vulnerability from github – Published: 2021-04-19 14:46 – Updated: 2021-10-08 21:24
VLAI
Summary
Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
Details

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

  • https://vaadin.com/security/cve-2021-31407
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "14.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "19.0.0"
            },
            {
              "fixed": "19.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "19.0.0"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-16T23:12:45Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Vulnerability in OSGi integration in `com.vaadin:flow-server` versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.\n\n- https://vaadin.com/security/cve-2021-31407",
  "id": "GHSA-j9wr-49vq-rm5g",
  "modified": "2021-10-08T21:24:54Z",
  "published": "2021-04-19T14:46:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/platform/security/advisories/GHSA-j9wr-49vq-rm5g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vaadin/platform"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2021-31407"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19"
}

GHSA-JQFC-9Q34-PRHG

Vulnerability from github – Published: 2025-11-30 03:30 – Updated: 2025-12-02 00:30
VLAI
Summary
trytond allows remote attackers to obtain sensitive trace-back (server setup) information
Details

Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "trytond"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.5.0"
            },
            {
              "fixed": "7.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "trytond"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.4.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "trytond"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "trytond"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.70"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66422"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-02T00:30:16Z",
    "nvd_published_at": "2025-11-30T03:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back (server setup) information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.",
  "id": "GHSA-jqfc-9q34-prhg",
  "modified": "2025-12-02T00:30:16Z",
  "published": "2025-11-30T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66422"
    },
    {
      "type": "WEB",
      "url": "https://discuss.tryton.org/t/security-release-for-issue-14354/8950"
    },
    {
      "type": "WEB",
      "url": "https://foss.heptapod.net/tryton/tryton/-/issues/14354"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tryton/trytond"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "trytond allows remote attackers to obtain sensitive trace-back (server setup) information"
}

GHSA-MMC5-HGPC-M8Q5

Vulnerability from github – Published: 2024-01-02 21:30 – Updated: 2024-04-25 18:30
VLAI
Details

A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401",
      "CWE-402"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-02T19:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A memory leak problem was found in ctnetlink_create_conntrack in net/netfilter/nf_conntrack_netlink.c in the Linux Kernel. This issue may allow a local attacker with CAP_NET_ADMIN privileges to cause a denial of service (DoS) attack due to a refcount overflow.",
  "id": "GHSA-mmc5-hgpc-m8q5",
  "modified": "2024-04-25T18:30:38Z",
  "published": "2024-01-02T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7192"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0723"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0725"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1188"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1250"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1306"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1367"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1382"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1404"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2006"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2008"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-7192"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256279"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=ac4893980bbe79ce383daf9a0885666a30fe4c83"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.