Common Weakness Enumeration

CWE-610

Discouraged

Externally Controlled Reference to a Resource in Another Sphere

Abstraction: Class · Status: Draft

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

278 vulnerabilities reference this CWE, most recent first.

GHSA-F3XM-22X6-VG3G

Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2024-10-29 15:32
VLAI
Details

A file overwrite vulnerability exists in gaizhenbiao/chuanhuchatgpt versions <= 20240410. This vulnerability allows an attacker to gain unauthorized access to overwrite critical configuration files within the system. Exploiting this vulnerability can lead to unauthorized changes in system behavior or security settings. Additionally, tampering with these configuration files can result in a denial of service (DoS) condition, disrupting normal system operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5823"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T13:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A file overwrite vulnerability exists in gaizhenbiao/chuanhuchatgpt versions \u003c= 20240410. This vulnerability allows an attacker to gain unauthorized access to overwrite critical configuration files within the system. Exploiting this vulnerability can lead to unauthorized changes in system behavior or security settings. Additionally, tampering with these configuration files can result in a denial of service (DoS) condition, disrupting normal system operation.",
  "id": "GHSA-f3xm-22x6-vg3g",
  "modified": "2024-10-29T15:32:05Z",
  "published": "2024-10-29T15:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5823"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gaizhenbiao/chuanhuchatgpt/commit/720c23d755a4a955dcb0a54e8c200a2247a27f8b"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/ca361701-7d68-4df6-8da0-caad4b85b9ae"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F43R-CC68-GPX4

Vulnerability from github – Published: 2025-12-19 22:53 – Updated: 2026-06-06 00:36
VLAI
Summary
External Control of File Name or Path in Langflow
Details

Vulnerability Overview

If an arbitrary path is specified in the request body's fs_path, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is.

Vulnerable Code

  1. It receives the request body (flow), updates the DB, and then passes it to the file-writing sink.

    https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L154-L168

    ```python @router.post("/", response_model=FlowRead, status_code=201) async def create_flow( *, session: DbSession, flow: FlowCreate, current_user: CurrentActiveUser, ): try: db_flow = await _new_flow(session=session, flow=flow, user_id=current_user.id) await session.commit() await session.refresh(db_flow)

        await _save_flow_to_fs(db_flow)
    
    except Exception as e:
    

    ```

  2. Applies authentication dependency (requires API Key/JWT) when accessing the endpoint.

    https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/utils/core.py#L36-L38

    python CurrentActiveUser = Annotated[User, Depends(get_current_active_user)] CurrentActiveMCPUser = Annotated[User, Depends(get_current_active_user_mcp)] DbSession = Annotated[AsyncSession, Depends(get_session)]

  3. The client can directly specify the save path, including fs_path.

    https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L66-L70

    ```python ): try: await _verify_fs_path(flow.fs_path)

        """Create a new flow."""
    

    ```

  4. It attempts to create the file (or the file, in the case of a path without a parent) directly without path validation.

    https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L45-L49

    python async def _verify_fs_path(path: str | None) -> None: if path: path_ = Path(path) if not await path_.exists(): await path_.touch()

  5. Serializes the Flow object to JSON and writes it to the specified path in "w" mode (overwriting).

    https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L52-L58

    python async def _save_flow_to_fs(flow: Flow) -> None: if flow.fs_path: async with async_open(flow.fs_path, "w") as f: try: await f.write(flow.model_dump_json()) except OSError: await logger.aexception("Failed to write flow %s to path %s", flow.name, flow.fs_path)

PoC Description

When an authenticated user passes an arbitrary path in fs_path, the Flow JSON is written to that path. Since /tmp is usually writable, it is easy to reproduce. In a production environment, writing to system-protected directories may fail depending on permissions.

PoC

  • Before Exploit

    image

  • After Exploit

    bash curl -sS -X POST "http://localhost:7860/api/v1/flows/" \ -H "Content-Type: application/json" \ -H "x-api-key: sk-8Kyzf9IQ-UEJ_OtSTaJq4eniMT9_JKgZ7__q8PNkoxc" \ -d '{"name":"poc-etc","data":{"nodes":[],"edges":[]},"fs_path":"/tmp/POC.txt"}'

    image

Impact

  • Authenticated Arbitrary File Write (within server permission scope): Risk of corrupting configuration/log/task files, disrupting application behavior, and tampering with files read by other components.
  • Both absolute and relative paths are allowed, enabling base directory traversal. The risk of overwriting system files increases in environments with root privileges or weak mount/permission settings.
  • The file content is limited to Flow JSON, but the impact is severe if the target file is parsed by a JSON parser or is subject to subsequent processing.
  • In production environments, it is essential to enforce a save root, normalize paths, block symlink traversal, and minimize permissions.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-19T22:53:13Z",
    "nvd_published_at": "2025-12-19T18:15:51Z",
    "severity": "HIGH"
  },
  "details": "**Vulnerability Overview**\n\nIf an arbitrary path is specified in the request body\u0027s `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is.\n\n**Vulnerable Code**\n\n1. It receives the request body (flow), updates the DB, and then passes it to the file-writing sink.\n    \n    https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L154-L168\n    \n    ```python\n    @router.post(\"/\", response_model=FlowRead, status_code=201)\n    async def create_flow(\n        *,\n        session: DbSession,\n        flow: FlowCreate,\n        current_user: CurrentActiveUser,\n    ):\n        try:\n            db_flow = await _new_flow(session=session, flow=flow, user_id=current_user.id)\n            await session.commit()\n            await session.refresh(db_flow)\n    \n            await _save_flow_to_fs(db_flow)\n    \n        except Exception as e:\n    ```\n    \n2. Applies authentication dependency (requires API Key/JWT) when accessing the endpoint.\n    \n    https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/utils/core.py#L36-L38\n    \n    ```python\n    CurrentActiveUser = Annotated[User, Depends(get_current_active_user)]\n    CurrentActiveMCPUser = Annotated[User, Depends(get_current_active_user_mcp)]\n    DbSession = Annotated[AsyncSession, Depends(get_session)]\n    ```\n    \n3. The client can directly specify the save path, including `fs_path`.\n    \n    https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L66-L70\n    \n    ```python\n    ):\n        try:\n            await _verify_fs_path(flow.fs_path)\n    \n            \"\"\"Create a new flow.\"\"\"\n    ```\n    \n4. It attempts to create the file (or *the* file, in the case of a path without a parent) directly without path validation.\n    \n    https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L45-L49\n    \n    ```python\n    async def _verify_fs_path(path: str | None) -\u003e None:\n        if path:\n            path_ = Path(path)\n            if not await path_.exists():\n                await path_.touch()\n    ```\n    \n5. Serializes the Flow object to JSON and writes it to the specified path in \"w\" mode (overwriting).\n    \n    https://github.com/langflow-ai/langflow/blob/ac6e2d2eabeee28085f2739d79f7ce4205ca082c/src/backend/base/langflow/api/v1/flows.py#L52-L58\n    \n    ```python\n    async def _save_flow_to_fs(flow: Flow) -\u003e None:\n        if flow.fs_path:\n            async with async_open(flow.fs_path, \"w\") as f:\n                try:\n                    await f.write(flow.model_dump_json())\n                except OSError:\n                    await logger.aexception(\"Failed to write flow %s to path %s\", flow.name, flow.fs_path)\n    ```\n    \n\n**PoC Description**\n\nWhen an authenticated user passes an arbitrary path in `fs_path`, the Flow JSON is written to that path. Since `/tmp` is usually writable, it is easy to reproduce. In a production environment, writing to system-protected directories may fail depending on permissions.\n\n**PoC**\n\n- **Before Exploit**\n   \n\n    \u003cimg width=\"1918\" height=\"658\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fe3c2306-091d-4cb0-b4dc-c7fb63c03d8d\" /\u003e\n    \n- **After Exploit**\n    \n    ```bash\n    curl -sS -X POST \"http://localhost:7860/api/v1/flows/\" \\\n      -H \"Content-Type: application/json\" \\\n      -H \"x-api-key: sk-8Kyzf9IQ-UEJ_OtSTaJq4eniMT9_JKgZ7__q8PNkoxc\" \\\n      -d \u0027{\"name\":\"poc-etc\",\"data\":{\"nodes\":[],\"edges\":[]},\"fs_path\":\"/tmp/POC.txt\"}\u0027\n    ```\n    \n    \u003cimg width=\"1918\" height=\"742\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cc0b0c96-1c2d-4d56-b558-5ba97e0ec174\" /\u003e\n    \n\n### Impact\n\n- **Authenticated Arbitrary File Write (within server permission scope):** Risk of corrupting configuration/log/task files, disrupting application behavior, and tampering with files read by other components.\n- **Both absolute and relative paths are allowed, enabling base directory traversal.** The risk of overwriting system files increases in environments with root privileges or weak mount/permission settings.\n- **The file content is limited to Flow JSON,** but the impact is severe if the target file is parsed by a JSON parser or is subject to subsequent processing.\n- **In production environments, it is essential to enforce a save root, normalize paths, block symlink traversal, and minimize permissions.**",
  "id": "GHSA-f43r-cc68-gpx4",
  "modified": "2026-06-06T00:36:53Z",
  "published": "2025-12-19T22:53:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68478"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2025-125.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "External Control of File Name or Path in Langflow"
}

GHSA-F62F-HW25-5GJF

Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-12 00:00
VLAI
Details

ACEweb Online Portal 3.5.065 was discovered to contain an External Controlled File Path and Name vulnerability via the txtFilePath parameter in attachments.awp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "ACEweb Online Portal 3.5.065 was discovered to contain an External Controlled File Path and Name vulnerability via the txtFilePath parameter in attachments.awp.",
  "id": "GHSA-f62f-hw25-5gjf",
  "modified": "2022-06-12T00:00:47Z",
  "published": "2022-06-03T00:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24241"
    },
    {
      "type": "WEB",
      "url": "https://www.aceware.com/forum/viewtopic.php?f=7\u0026t=481"
    },
    {
      "type": "WEB",
      "url": "http://aceware.com"
    },
    {
      "type": "WEB",
      "url": "http://aceweb.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F6VJ-43FG-42HG

Vulnerability from github – Published: 2022-08-23 00:00 – Updated: 2022-08-27 00:00
VLAI
Details

An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32761"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-22T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists in the aVideoEncoderReceiveImage functionality of WWBN AVideo 11.6 and dev master commit 3f7c0364. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.",
  "id": "GHSA-f6vj-43fg-42hg",
  "modified": "2022-08-27T00:00:50Z",
  "published": "2022-08-23T00:00:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/blob/e04b1cd7062e16564157a82bae389eedd39fa088/updatedb/updateDb.v12.0.sql"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1549"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9JQ-JHVV-4XMW

Vulnerability from github – Published: 2023-04-12 15:30 – Updated: 2024-04-04 03:25
VLAI
Details

An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. The Save State register is not checked before use. The IhisiSmm driver does not check the value of a save state register before use. Due to insufficient input validation, an attacker can corrupt SMRAM.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-12T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. The Save State register is not checked before use. The IhisiSmm driver does not check the value of a save state register before use. Due to insufficient input validation, an attacker can corrupt SMRAM.",
  "id": "GHSA-f9jq-jhvv-4xmw",
  "modified": "2024-04-04T03:25:22Z",
  "published": "2023-04-12T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22616"
    },
    {
      "type": "WEB",
      "url": "https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode"
    },
    {
      "type": "WEB",
      "url": "https://www.insyde.com/security-pledge"
    },
    {
      "type": "WEB",
      "url": "https://www.insyde.com/security-pledge/SA-2023022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQQP-7V7W-5XHP

Vulnerability from github – Published: 2025-09-29 06:30 – Updated: 2025-09-29 06:30
VLAI
Details

A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11140"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T04:15:40Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-fqqp-7v7w-5xhp",
  "modified": "2025-09-29T06:30:27Z",
  "published": "2025-09-29T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11140"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FightingLzn9/vul/blob/main/%E6%97%B6%E7%A9%BA%E6%99%BA%E5%8F%8Berp-3.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.326217"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.326217"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.658090"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FQXX-3FHV-WCPR

Vulnerability from github – Published: 2023-08-09 09:30 – Updated: 2024-04-04 06:43
VLAI
Details

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote attacker with low privileges is able to gain limited read-access to the device-filesystem through a configuration dialog within the embedded Qt browser .

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37856"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-09T07:15:10Z",
    "severity": "MODERATE"
  },
  "details": "In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote attacker with low privileges is able to gain limited read-access to the device-filesystem through a configuration dialog within the embedded Qt browser .\n\n",
  "id": "GHSA-fqxx-3fhv-wcpr",
  "modified": "2024-04-04T06:43:28Z",
  "published": "2023-08-09T09:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37856"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2023-018"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FRXJ-5J27-F8RF

Vulnerability from github – Published: 2021-04-20 16:44 – Updated: 2024-11-18 16:26
VLAI
Summary
Externally Controlled Reference to a Resource in Another Sphere, Improper Input Validation, and External Control of File Name or Path in Ansible
Details

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0a1"
            },
            {
              "fixed": "2.7.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0a1"
            },
            {
              "fixed": "2.8.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.9.0a1"
            },
            {
              "fixed": "2.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-14905"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-610",
      "CWE-668",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-05T14:41:23Z",
    "nvd_published_at": "2020-03-31T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible\u0027s nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.",
  "id": "GHSA-frxj-5j27-f8rf",
  "modified": "2024-11-18T16:26:11Z",
  "published": "2021-04-20T16:44:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14905"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0216"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2020:0218"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-frxj-5j27-f8rf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-206.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Externally Controlled Reference to a Resource in Another Sphere, Improper Input Validation, and External Control of File Name or Path in Ansible"
}

GHSA-G3MV-CM79-HCFR

Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30
VLAI
Details

Windows Distributed Transaction Coordinator Remote Code Execution Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610",
      "CWE-73"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T17:15:33Z",
    "severity": "MODERATE"
  },
  "details": "Windows Distributed Transaction Coordinator Remote Code Execution Vulnerability",
  "id": "GHSA-g3mv-cm79-hcfr",
  "modified": "2024-07-09T18:30:51Z",
  "published": "2024-07-09T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38049"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38049"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6RV-8J4C-V23P

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

In scheduleTimeoutLocked of NotificationRecord.java, there is a possible disclosure of a sensitive identifier via broadcasted intent due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-175614289

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-610"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-14T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In scheduleTimeoutLocked of NotificationRecord.java, there is a possible disclosure of a sensitive identifier via broadcasted intent due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-175614289",
  "id": "GHSA-g6rv-8j4c-v23p",
  "modified": "2022-05-24T19:08:00Z",
  "published": "2022-05-24T19:08:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0599"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2021-07-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

No mitigation information available for this CWE.

CAPEC-219: XML Routing Detour Attacks

An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.