CWE-657
DiscouragedViolation of Secure Design Principles
Abstraction: Class · Status: Draft
The product violates well-established principles for secure design.
35 vulnerabilities reference this CWE, most recent first.
GHSA-CQJV-5R3C-4HMG
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36A Violation of Secure Design Principles issue was discovered in Schneider Electric Modicon Modbus Protocol. The Modicon Modbus protocol has a session-related weakness making it susceptible to brute-force attacks.
{
"affected": [],
"aliases": [
"CVE-2017-6032"
],
"database_specific": {
"cwe_ids": [
"CWE-358",
"CWE-657"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-30T03:29:00Z",
"severity": "MODERATE"
},
"details": "A Violation of Secure Design Principles issue was discovered in Schneider Electric Modicon Modbus Protocol. The Modicon Modbus protocol has a session-related weakness making it susceptible to brute-force attacks.",
"id": "GHSA-cqjv-5r3c-4hmg",
"modified": "2022-05-13T01:36:35Z",
"published": "2022-05-13T01:36:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6032"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-101-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97562"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F3MQ-99JR-WW4R
Vulnerability from github – Published: 2021-08-25 20:56 – Updated: 2023-06-13 16:55Affected versions of this crate have the following issues:
-
PtrimplementsSendandSyncfor all types, this can lead to data races by sending non-thread safe types across threads. -
Ptr::getviolates mutable alias rules by returning multiple mutable references to the same object. -
Ptr::writeuses non-atomic writes to the underlying pointer. This means that when used across threads it can lead to data races.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "cgc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36467"
],
"database_specific": {
"cwe_ids": [
"CWE-657"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-18T21:11:39Z",
"nvd_published_at": "2021-08-08T06:15:00Z",
"severity": "MODERATE"
},
"details": "Affected versions of this crate have the following issues:\n\n1. `Ptr` implements `Send` and `Sync` for all types, this can lead to data\n races by sending non-thread safe types across threads.\n\n2. `Ptr::get` violates mutable alias rules by returning multiple mutable\n references to the same object.\n\n3. `Ptr::write` uses non-atomic writes to the underlying pointer. This means\n that when used across threads it can lead to data races.\n",
"id": "GHSA-f3mq-99jr-ww4r",
"modified": "2023-06-13T16:55:13Z",
"published": "2021-08-25T20:56:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36467"
},
{
"type": "WEB",
"url": "https://github.com/playXE/cgc/issues/5"
},
{
"type": "PACKAGE",
"url": "https://github.com/playXE/cgc"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/cgc/RUSTSEC-2020-0148.md"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0148.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Multiple soundness issues in cgc"
}
GHSA-F95R-2GGC-W963
Vulnerability from github – Published: 2025-05-14 09:30 – Updated: 2025-05-14 09:30Violation of Secure Design Principles, Hidden Functionality, Incorrect Provision of Specified Functionality vulnerability in ArcGIS (Authentication) allows Privilege Abuse, Manipulating Hidden Fields, Configuration/Environment Manipulation.
The ArcGIS client_credentials OAuth 2.0 API implementation does not adhere to the RFC/standards; This hidden (known and by-design, but undocumented) functionality enables a requestor (Referred to as client in RFC 6749) to request an, undocumented, custom token expiration from ArcGIS (Referred to as authorization server in RFC 6749).
{
"affected": [],
"aliases": [
"CVE-2025-0020"
],
"database_specific": {
"cwe_ids": [
"CWE-657"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-14T08:15:33Z",
"severity": "HIGH"
},
"details": "Violation of Secure Design Principles, Hidden Functionality, Incorrect Provision of Specified Functionality vulnerability in ArcGIS (Authentication) allows Privilege Abuse, Manipulating Hidden Fields, Configuration/Environment Manipulation.\n\nThe ArcGIS client_credentials OAuth 2.0 API implementation does not adhere to the RFC/standards; This hidden (known and by-design, but undocumented) functionality enables a requestor (Referred to as client in RFC 6749) to request an, undocumented, custom token expiration from ArcGIS (Referred to as authorization server in RFC 6749).",
"id": "GHSA-f95r-2ggc-w963",
"modified": "2025-05-14T09:30:25Z",
"published": "2025-05-14T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0020"
},
{
"type": "WEB",
"url": "https://developers.arcgis.com/documentation/security-and-authentication"
},
{
"type": "WEB",
"url": "https://www.vulsec.org/advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-FRW8-Q26X-VV93
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12Adobe Connect version 11.2.2 (and earlier) is affected by a secure design principles violation vulnerability via the 'pbMode' parameter. An unauthenticated attacker could leverage this vulnerability to edit or delete recordings on the Connect environment. Exploitation of this issue requires user interaction in that a victim must publish a link of a Connect recording.
{
"affected": [],
"aliases": [
"CVE-2021-36061"
],
"database_specific": {
"cwe_ids": [
"CWE-657"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Connect version 11.2.2 (and earlier) is affected by a secure design principles violation vulnerability via the \u0027pbMode\u0027 parameter. An unauthenticated attacker could leverage this vulnerability to edit or delete recordings on the Connect environment. Exploitation of this issue requires user interaction in that a victim must publish a link of a Connect recording.",
"id": "GHSA-frw8-q26x-vv93",
"modified": "2022-05-24T19:12:44Z",
"published": "2022-05-24T19:12:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36061"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/connect/apsb21-66.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HMF6-8VMC-33G5
Vulnerability from github – Published: 2025-02-06 15:32 – Updated: 2025-02-06 15:32Vulnerability of improper log information control in the UI framework module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
{
"affected": [],
"aliases": [
"CVE-2024-57957"
],
"database_specific": {
"cwe_ids": [
"CWE-532",
"CWE-657"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-06T13:15:39Z",
"severity": "MODERATE"
},
"details": "Vulnerability of improper log information control in the UI framework module\nImpact: Successful exploitation of this vulnerability may affect service confidentiality.",
"id": "GHSA-hmf6-8vmc-33g5",
"modified": "2025-02-06T15:32:52Z",
"published": "2025-02-06T15:32:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57957"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2025/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J69F-2MQM-RH7P
Vulnerability from github – Published: 2022-05-12 00:00 – Updated: 2022-05-20 00:00Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) is affected by a violation of secure design principles through bypassing the content security policy, which could result in an attacker sending arbitrarily configured requests to the cross-origin attack target domain. Exploitation requires user interaction in which the victim needs to access a crafted PDF file on an attacker's server.
{
"affected": [],
"aliases": [
"CVE-2022-28244"
],
"database_specific": {
"cwe_ids": [
"CWE-657"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T18:15:00Z",
"severity": "MODERATE"
},
"details": "Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) is affected by a violation of secure design principles through bypassing the content security policy, which could result in an attacker sending arbitrarily configured requests to the cross-origin attack target domain. Exploitation requires user interaction in which the victim needs to access a crafted PDF file on an attacker\u0027s server.",
"id": "GHSA-j69f-2mqm-rh7p",
"modified": "2022-05-20T00:00:20Z",
"published": "2022-05-12T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28244"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb22-16.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JRF8-CMGG-GV2M
Vulnerability from github – Published: 2021-08-25 20:53 – Updated: 2023-06-13 20:29native_cpuid::cpuid_count() exposes the unsafe __cpuid_count() intrinsic from core::arch::x86 or core::arch::x86_64 as a safe function, and uses it internally, without checking the safety requirement:
- The CPU the program is currently running on supports the function being called.
CPUID is available in most, but not all, x86/x86_64 environments. The crate compiles only on these architectures, so others are unaffected. This issue is mitigated by the fact that affected programs are expected to crash deterministically every time.
The flaw has been fixed in v9.0.0, by intentionally breaking compilation when targeting SGX or 32-bit x86 without SSE. This covers all affected CPUs.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "raw-cpuid"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-26307"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-657"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T18:02:32Z",
"nvd_published_at": "2021-01-29T03:15:00Z",
"severity": "MODERATE"
},
"details": "native_cpuid::cpuid_count() exposes the unsafe __cpuid_count() intrinsic from core::arch::x86 or core::arch::x86_64 as a safe function, and uses it internally, without checking the safety requirement:\n\n* The CPU the program is currently running on supports the function being called.\n\nCPUID is available in most, but not all, x86/x86_64 environments. The crate compiles only on these architectures, so others are unaffected. This issue is mitigated by the fact that affected programs are expected to crash deterministically every time.\n\nThe flaw has been fixed in v9.0.0, by intentionally breaking compilation when targeting SGX or 32-bit x86 without SSE. This covers all affected CPUs.",
"id": "GHSA-jrf8-cmgg-gv2m",
"modified": "2023-06-13T20:29:54Z",
"published": "2021-08-25T20:53:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26307"
},
{
"type": "WEB",
"url": "https://github.com/gz/rust-cpuid/issues/40"
},
{
"type": "WEB",
"url": "https://github.com/gz/rust-cpuid/issues/41"
},
{
"type": "WEB",
"url": "https://github.com/RustSec/advisory-db/pull/614"
},
{
"type": "WEB",
"url": "https://github.com/gz/rust-cpuid/commit/91b676eecd01f2163e2984215e2c0ac89e30ce75"
},
{
"type": "PACKAGE",
"url": "https://github.com/gz/rust-cpuid"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0013.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Error on unsupported architectures in raw-cpuid"
}
GHSA-MJ5P-5FC7-225V
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:52A weakness was found in Encrypt Only boot mode in Zynq UltraScale+ devices. This could lead to an adversary being able to modify the control fields of the boot image leading to an incorrect secure boot behavior.
{
"affected": [],
"aliases": [
"CVE-2019-5478"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-657"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "A weakness was found in Encrypt Only boot mode in Zynq UltraScale+ devices. This could lead to an adversary being able to modify the control fields of the boot image leading to an incorrect secure boot behavior.",
"id": "GHSA-mj5p-5fc7-225v",
"modified": "2024-04-04T01:52:45Z",
"published": "2022-05-24T16:55:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5478"
},
{
"type": "WEB",
"url": "https://github.com/inversepath/advisories/blob/master/Security_Advisory-Ref_FSC-HWSEC-VR2019-0001-Xilinx_ZU+-Encrypt_Only_Secure_Boot_bypass.txt"
},
{
"type": "WEB",
"url": "https://www.xilinx.com/support/answers/72588.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MP6R-FGW2-RXFX
Vulnerability from github – Published: 2021-08-25 20:53 – Updated: 2023-06-13 22:28The function xcb::xproto::GetPropertyReply::value() returns a slice of type T where T is an unconstrained type parameter. The raw bytes received from the X11 server are interpreted as the requested type. The users of the xcb crate are advised to only call this function with the intended types. These are u8, u16, and u32.
This issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/95
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "xcb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-26956"
],
"database_specific": {
"cwe_ids": [
"CWE-657"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T17:35:46Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The function xcb::xproto::GetPropertyReply::value() returns a slice of type T where T is an unconstrained type parameter. The raw bytes received from the X11 server are interpreted as the requested type. The users of the xcb crate are advised to only call this function with the intended types. These are u8, u16, and u32.\n\nThis issue is tracked here: https://github.com/rust-x-bindings/rust-xcb/issues/95",
"id": "GHSA-mp6r-fgw2-rxfx",
"modified": "2023-06-13T22:28:51Z",
"published": "2021-08-25T20:53:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26956"
},
{
"type": "WEB",
"url": "https://github.com/RustSec/advisory-db/issues/653"
},
{
"type": "WEB",
"url": "https://github.com/rust-x-bindings/rust-xcb/issues/95"
},
{
"type": "PACKAGE",
"url": "https://github.com/rtbo/rust-xcb"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0019.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary return types in xcb"
}
GHSA-PWHF-7427-9VV2
Vulnerability from github – Published: 2021-08-25 20:56 – Updated: 2023-06-13 16:46Multiple soundness issues in Ptr in cgc
Affected versions of this crate have the following issues:
-
PtrimplementsSendandSyncfor all types, this can lead to data races by sending non-thread safe types across threads. -
Ptr::getviolates mutable alias rules by returning multiple mutable references to the same object. -
Ptr::writeuses non-atomic writes to the underlying pointer. This means that when used across threads it can lead to data races.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "cgc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36468"
],
"database_specific": {
"cwe_ids": [
"CWE-657"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-18T20:39:03Z",
"nvd_published_at": "2021-08-08T06:15:00Z",
"severity": "MODERATE"
},
"details": "# Multiple soundness issues in `Ptr` in cgc\n\nAffected versions of this crate have the following issues:\n\n1. `Ptr` implements `Send` and `Sync` for all types, this can lead to data\n races by sending non-thread safe types across threads.\n\n2. `Ptr::get` violates mutable alias rules by returning multiple mutable\n references to the same object.\n\n3. `Ptr::write` uses non-atomic writes to the underlying pointer. This means\n that when used across threads it can lead to data races.",
"id": "GHSA-pwhf-7427-9vv2",
"modified": "2023-06-13T16:46:48Z",
"published": "2021-08-25T20:56:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36468"
},
{
"type": "WEB",
"url": "https://github.com/playXE/cgc/issues/5"
},
{
"type": "PACKAGE",
"url": "https://github.com/playXE/cgc"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/cgc/RUSTSEC-2020-0148.md"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0148.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Non-atomic writes in cgc"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.