Common Weakness Enumeration

CWE-440

Allowed

Expected Behavior Violation

Abstraction: Base · Status: Draft

A feature, API, or function does not perform according to its specification.

79 vulnerabilities reference this CWE, most recent first.

GHSA-7G9J-G5JG-3VV3

Vulnerability from github – Published: 2024-01-24 20:53 – Updated: 2025-07-28 15:56
VLAI
Summary
Unauthenticated Nonce Increment in snow
Details

Impact

There was a logic bug where unauthenticated payloads could still cause a nonce increment in snow's internal state. For an attacker with the ability to inject packets into the channel Noise is talking over, this allows a denial-of-service type attack which could prevent communication as it causes the sending and receiving side to be expecting different nonce values than would arrive.

Note that this only affects those who are using the stateful TransportState, not those using StatelessTransportState.

Patches

This has been patched in version 0.9.5, and all users are recommended to update.

References

There will be a more formal report of this in the near future.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "snow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-58265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-24T20:53:48Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nThere was a logic bug where unauthenticated payloads could still cause a nonce increment in snow\u0027s internal state. For an attacker with the ability to inject packets into the channel Noise is talking over, this allows a denial-of-service type attack which could prevent communication as it causes the sending and receiving side to be expecting different nonce values than would arrive.\n\nNote that this only affects those who are using the stateful `TransportState`, not those using `StatelessTransportState`.\n\n### Patches\nThis has been patched in version 0.9.5, and all users are recommended to update.\n\n### References\nThere will be a more formal report of this in the near future.",
  "id": "GHSA-7g9j-g5jg-3vv3",
  "modified": "2025-07-28T15:56:29Z",
  "published": "2024-01-24T20:53:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mcginty/snow/security/advisories/GHSA-7g9j-g5jg-3vv3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58265"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mcginty/snow/commit/12e8ae55547ae297d5f70599e5c884ea891303eb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mcginty/snow"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0011.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthenticated Nonce Increment in snow"
}

GHSA-8MRM-R7H3-C3HJ

Vulnerability from github – Published: 2024-07-20 06:30 – Updated: 2024-09-13 19:34
VLAI
Summary
LoLLMS vulnerable to Expected Behavior Violation
Details

A path traversal vulnerability exists in the apply_settings function of parisneo/lollms versions prior to 9.5.1. The sanitize_path function does not adequately secure the discussion_db_name parameter, allowing attackers to manipulate the path and potentially write to important system folders.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lollms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6281"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-13T19:34:25Z",
    "nvd_published_at": "2024-07-20T04:15:05Z",
    "severity": "HIGH"
  },
  "details": "A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders.",
  "id": "GHSA-8mrm-r7h3-c3hj",
  "modified": "2024-09-13T19:34:25Z",
  "published": "2024-07-20T06:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6281"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parisneo/lollms/commit/26a3ff35acf152b49e1087d5698ad4864c7b6092"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parisneo/lollms"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/0a62f2fb-4e62-4128-9dc4-e8f1d959ac61"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "LoLLMS vulnerable to Expected Behavior Violation"
}

GHSA-8VPF-2WHM-FFFJ

Vulnerability from github – Published: 2026-06-19 03:31 – Updated: 2026-06-19 03:31
VLAI
Details

Expected Behavior Violation vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition in the affected product by continuously sending a large number of communication packets to the Ethernet port of the product in a short period of time, increasing the processing load of the product, preventing the internal anomaly-detection processing from being performed, and causing the communication function to stop.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-19T03:16:15Z",
    "severity": "HIGH"
  },
  "details": "Expected Behavior Violation vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition in the affected product by continuously sending a large number of communication packets to the Ethernet port of the product in a short period of time, increasing the processing load of the product, preventing the internal anomaly-detection processing from being performed, and causing the communication function to stop.",
  "id": "GHSA-8vpf-2whm-fffj",
  "modified": "2026-06-19T03:31:27Z",
  "published": "2026-06-19T03:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8806"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU97140216"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-06"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2026-003_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9HG2-395J-83RM

Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2024-04-18 17:11
VLAI
Summary
Expected Behavior Violation in Apache Tomcat
Details

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.0.M18"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat-coyote"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0.M1"
            },
            {
              "fixed": "9.0.0.M19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.5.12"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat-coyote"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.0"
            },
            {
              "fixed": "8.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.0.0.M18"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0.M1"
            },
            {
              "fixed": "9.0.0.M19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.5.12"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.0"
            },
            {
              "fixed": "8.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-5651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T13:44:41Z",
    "nvd_published_at": "2017-04-17T16:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.",
  "id": "GHSA-9hg2-395j-83rm",
  "modified": "2024-04-18T17:11:18Z",
  "published": "2022-05-13T01:46:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5651"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/494429ca210641b6b7affe89a2b0a6c0ff70109b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/9233d9d6a018be4415d4d7d6cb4fe01176adf1a8"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20170420113605/http://www.securitytracker.com/id/1038219"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20170417124228/http://www.securityfocus.com/bid/97544"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20180614-0001"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201705-09"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8@%3Cannounce.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://github.com/search?q=repo%3Aapache%2Ftomcat+apache.coyote+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F\u0026type=code"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tomcat"
    },
    {
      "type": "WEB",
      "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=60918"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Expected Behavior Violation in Apache Tomcat"
}

GHSA-9HXF-PPJV-W6RQ

Vulnerability from github – Published: 2023-07-06 21:15 – Updated: 2025-08-13 15:00
VLAI
Summary
gRPC connection termination issue
Details

gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.grpc:grpc-protobuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.53.0"
            },
            {
              "fixed": "1.53.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "grpcio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.53.0"
            },
            {
              "fixed": "1.53.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "grpc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.53.0"
            },
            {
              "fixed": "1.53.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.grpc:grpc-protobuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.54.0"
            },
            {
              "fixed": "1.54.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "grpcio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.54.0"
            },
            {
              "fixed": "1.54.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "grpc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.54.0"
            },
            {
              "fixed": "1.54.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T23:56:31Z",
    "nvd_published_at": "2023-06-09T11:15:09Z",
    "severity": "MODERATE"
  },
  "details": "gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in\u00a0https://github.com/grpc/grpc/pull/32309.",
  "id": "GHSA-9hxf-ppjv-w6rq",
  "modified": "2025-08-13T15:00:12Z",
  "published": "2023-07-06T21:15:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32732"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/pull/32309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/commit/29d8beee0ac2555773b2a2dda5601c74a95d6c10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/commit/65a2a895afaf1d2072447b9baf246374b182a946"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/releases/tag/v1.53.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/releases/tag/v1.54.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-32732.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37IDNVY5AWVH7JDMM2SDTL24ZPPZJNSY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VWE44J5FG7THHL7XVEVTNIGEYBNKJBLL"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "gRPC connection termination issue"
}

GHSA-9QFW-F49W-5JG7

Vulnerability from github – Published: 2022-10-17 12:00 – Updated: 2022-10-17 12:00
VLAI
Details

WAGO Series PFC100/PFC200, Series Touch Panel 600, Compact Controller CC100 and Edge Controller in multiple versions are prone to a loss of MAC-Address-Filtering after reboot. This may allow an remote attacker to circumvent the reach the network that should be protected by the MAC address filter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3281"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-17T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "WAGO Series PFC100/PFC200, Series Touch Panel 600, Compact Controller CC100 and Edge Controller in multiple versions are prone to a loss of MAC-Address-Filtering after reboot. This may allow an remote attacker to circumvent the reach the network that should be protected by the MAC address filter.",
  "id": "GHSA-9qfw-f49w-5jg7",
  "modified": "2022-10-17T12:00:27Z",
  "published": "2022-10-17T12:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3281"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2022-042"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CFGP-2977-2FMM

Vulnerability from github – Published: 2023-07-05 19:12 – Updated: 2025-08-13 14:56
VLAI
Summary
Connection confusion in gRPC
Details

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.grpc:grpc-protobuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.53.0"
            },
            {
              "fixed": "1.53.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "grpcio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.53.0"
            },
            {
              "fixed": "1.53.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "grpc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.53.0"
            },
            {
              "fixed": "1.53.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "grpcio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.54.0"
            },
            {
              "fixed": "1.54.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "grpc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.54.0"
            },
            {
              "fixed": "1.54.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.grpc:grpc-protobuf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.54.0"
            },
            {
              "fixed": "1.54.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32731"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-05T20:26:48Z",
    "nvd_published_at": "2023-06-09T11:15:09Z",
    "severity": "HIGH"
  },
  "details": "When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration.",
  "id": "GHSA-cfgp-2977-2fmm",
  "modified": "2025-08-13T14:56:11Z",
  "published": "2023-07-05T19:12:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32731"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/issues/33463"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/pull/32309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/pull/33005"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/commit/29d8beee0ac2555773b2a2dda5601c74a95d6c10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/commit/65a2a895afaf1d2072447b9baf246374b182a946"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/releases/tag/v1.53.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/releases/tag/v1.54.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-32731.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Connection confusion in gRPC"
}

GHSA-FQF6-GXHH-2XHW

Vulnerability from github – Published: 2026-07-07 19:36 – Updated: 2026-07-07 19:36
VLAI
Summary
uutils coreutils: cp/install/mv/ln --suffix alone does not enable backup mode (silent data loss vs GNU)
Details

determine_backup_mode in src/uucore/src/lib/features/backup_control.rs only checks --backup/-b and returns BackupMode::None when only --suffix is given. GNU enables backup mode when --suffix is used alone (defaulting to existing/numbered, or $VERSION_CONTROL). Affects cp, install, mv, ln which share this code.

# uutils: no backup created
$ coreutils cp --suffix=.bak src dest      # dest.bak NOT created
# GNU: dest.bak created
$ cp --suffix=.bak src dest

Impact: users/scripts relying on --suffix to back up a file before overwrite get silent data loss; breaks GNU compatibility across four utilities. Recommendation: enable backup mode when --suffix is present.

Note: this is primarily a GNU-compatibility/data-safety divergence rather than a classic exploitable vulnerability — review whether it warrants a CVE.

Remediation: Acknowledged by Canonical; fixed in PR #9741 (uucore: use --suffix to enable backup mode), commit 939ab037a, merged 2025-12-21. determine_backup_mode now has a --suffix-alone branch that resolves the mode from $VERSION_CONTROL (defaulting to existing). Released in uucore 0.6.0 and later (vulnerable: < 0.6.0). Regression tests added in the same file: test_backup_mode_suffix_without_backup_option and test_backup_mode_suffix_without_backup_option_with_env_var.


Reported by Zellic in the uutils coreutils Program Security Assessment (prepared for Canonical, Jan 20 2026), audited commit 3a07ffc5a9bd4c283e75afa548ba1f1957bad242. Finding 3.7. Credit: Zellic.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "uucore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-440",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-07T19:36:17Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "`determine_backup_mode` in `src/uucore/src/lib/features/backup_control.rs` only checks `--backup`/`-b` and returns `BackupMode::None` when only `--suffix` is given. GNU enables backup mode when `--suffix` is used alone (defaulting to existing/numbered, or `$VERSION_CONTROL`). Affects `cp`, `install`, `mv`, `ln` which share this code.\n\n```\n# uutils: no backup created\n$ coreutils cp --suffix=.bak src dest      # dest.bak NOT created\n# GNU: dest.bak created\n$ cp --suffix=.bak src dest\n```\n\n**Impact:** users/scripts relying on `--suffix` to back up a file before overwrite get silent data loss; breaks GNU compatibility across four utilities. Recommendation: enable backup mode when `--suffix` is present.\n\n_Note: this is primarily a GNU-compatibility/data-safety divergence rather than a classic exploitable vulnerability \u2014 review whether it warrants a CVE._\n\n**Remediation:** Acknowledged by Canonical; fixed in PR #9741 (`uucore: use --suffix to enable backup mode`), commit `939ab037a`, merged 2025-12-21. `determine_backup_mode` now has a `--suffix`-alone branch that resolves the mode from `$VERSION_CONTROL` (defaulting to `existing`). Released in **uucore 0.6.0** and later (vulnerable: `\u003c 0.6.0`). Regression tests added in the same file: `test_backup_mode_suffix_without_backup_option` and `test_backup_mode_suffix_without_backup_option_with_env_var`.\n\n---\n_Reported by Zellic in the *uutils coreutils Program Security Assessment* (prepared for Canonical, Jan 20 2026), audited commit `3a07ffc5a9bd4c283e75afa548ba1f1957bad242`. Finding 3.7. Credit: Zellic._",
  "id": "GHSA-fqf6-gxhh-2xhw",
  "modified": "2026-07-07T19:36:17Z",
  "published": "2026-07-07T19:36:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/uutils/coreutils/security/advisories/GHSA-fqf6-gxhh-2xhw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uutils/coreutils/pull/9741"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/uutils/coreutils"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "uutils coreutils: cp/install/mv/ln --suffix alone does not enable backup mode (silent data loss vs GNU)"
}

GHSA-FVF4-JV3J-73MQ

Vulnerability from github – Published: 2023-05-12 21:30 – Updated: 2025-11-04 18:30
VLAI
Details

A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-12T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.",
  "id": "GHSA-fvf4-jv3j-73mq",
  "modified": "2025-11-04T18:30:40Z",
  "published": "2023-05-12T21:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2088"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/bugs/2004555"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://security.openstack.org/ossa/OSSA-2023-003.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GHWG-GPP4-W4X3

Vulnerability from github – Published: 2024-08-06 12:30 – Updated: 2025-07-22 21:31
VLAI
Details

It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values.

This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.

Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-06T11:16:07Z",
    "severity": "MODERATE"
  },
  "details": "It\u0027s possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It\u0027s also possible to use this vulnerability to leak other clients HTTP header keys, but not values.\n\nThis occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table.\n\nPlease update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.",
  "id": "GHSA-ghwg-gpp4-w4x3",
  "modified": "2025-07-22T21:31:14Z",
  "published": "2024-08-06T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7246"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc/issues/36245"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.