Common Weakness Enumeration

CWE-696

Allowed-with-Review

Incorrect Behavior Order

Abstraction: Class · Status: Incomplete

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses.

70 vulnerabilities reference this CWE, most recent first.

CVE-2023-23576 (GCVE-0-2023-23576)

Vulnerability from cvelistv5 – Published: 2023-12-18 21:59 – Updated: 2024-08-02 10:35
VLAI
Summary
Incorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision. This issue affects: Gallagher Command Centre: 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.70.2375 (MR5), 8.60 prior to vEL8.60.2550 (MR7), all versions of 8.50 and prior.
CWE
  • CWE-696 - Incorrect Behavior Order
Assigner
Impacted products
Vendor Product Version
Gallagher Command Centre Server Affected: 0 , ≤ 8.50 (custom)
Affected: 8.90 , < 8.90.1620 (MR2) (custom)
Affected: 8.80 , < 8.80.1369 (MR3) (custom)
Affected: 8.70 , < 8.70.2375 (MR5) (custom)
Affected: 8.60 , < 8.60.2550 (MR7) (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:35:33.566Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23576"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Command Centre Server",
          "vendor": "Gallagher",
          "versions": [
            {
              "lessThanOrEqual": "8.50",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "8.90.1620 (MR2)",
              "status": "affected",
              "version": "8.90",
              "versionType": "custom"
            },
            {
              "lessThan": "8.80.1369 (MR3)",
              "status": "affected",
              "version": "8.80",
              "versionType": "custom"
            },
            {
              "lessThan": "8.70.2375 (MR5)",
              "status": "affected",
              "version": "8.70",
              "versionType": "custom"
            },
            {
              "lessThan": "8.60.2550 (MR7)",
              "status": "affected",
              "version": "8.60",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIncorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision. \u003cbr\u003e\u003cbr\u003eThis issue affects: Gallagher Command Centre: 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.70.2375 (MR5), 8.60 prior to vEL8.60.2550 (MR7), all versions of 8.50 and prior.\u003c/span\u003e\n\n"
            }
          ],
          "value": "\nIncorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision. \n\nThis issue affects: Gallagher Command Centre: 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.70.2375 (MR5), 8.60 prior to vEL8.60.2550 (MR7), all versions of 8.50 and prior.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-696",
              "description": "CWE-696: Incorrect Behavior Order",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-18T21:59:38.164Z",
        "orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
        "shortName": "Gallagher"
      },
      "references": [
        {
          "url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23576"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
    "assignerShortName": "Gallagher",
    "cveId": "CVE-2023-23576",
    "datePublished": "2023-12-18T21:59:38.164Z",
    "dateReserved": "2023-02-03T20:38:05.225Z",
    "dateUpdated": "2024-08-02T10:35:33.566Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-47688 (GCVE-0-2021-47688)

Vulnerability from cvelistv5 – Published: 2025-06-23 00:00 – Updated: 2025-06-24 18:07
VLAI
Summary
In WhiteBeam 0.2.0 through 0.2.1 before 0.2.2, a user with local access to a server can bypass the allow-list functionality because a file can be truncated in the OpenFileDescriptor action before the VerifyCanWrite action is performed.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-696 - Incorrect Behavior Order
Assigner
Impacted products
Vendor Product Version
WhiteBeam WhiteBeam Affected: 0.2.0 , < 0.2.2 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47688",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-24T13:46:49.271297Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-24T18:07:21.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WhiteBeam",
          "vendor": "WhiteBeam",
          "versions": [
            {
              "lessThan": "0.2.2",
              "status": "affected",
              "version": "0.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In WhiteBeam 0.2.0 through 0.2.1 before 0.2.2, a user with local access to a server can bypass the allow-list functionality because a file can be truncated in the OpenFileDescriptor action before the VerifyCanWrite action is performed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-696",
              "description": "CWE-696 Incorrect Behavior Order",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-23T19:49:24.458Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/WhiteBeamSec/WhiteBeam/security/advisories/GHSA-3f8r-9483-pfxj"
        },
        {
          "url": "https://github.com/WhiteBeamSec/WhiteBeam/security/policy"
        },
        {
          "url": "https://github.com/WhiteBeamSec/WhiteBeam/pull/22"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-47688",
    "datePublished": "2025-06-23T00:00:00.000Z",
    "dateReserved": "2025-06-23T00:00:00.000Z",
    "dateUpdated": "2025-06-24T18:07:21.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-31379 (GCVE-0-2021-31379)

Vulnerability from cvelistv5 – Published: 2021-10-19 18:17 – Updated: 2024-09-16 22:56
VLAI
Title
Junos OS: MX Series: MPC 7/8/9/10/11 cards with MAP-E: PFE halts when an attacker sends malformed IPv4 or IPv6 traffic inside the MAP-E tunnel.
Summary
An Incorrect Behavior Order vulnerability in the MAP-E automatic tunneling mechanism of Juniper Networks Junos OS allows an attacker to send certain malformed IPv4 or IPv6 packets to cause a Denial of Service (DoS) to the PFE on the device which is disabled as a result of the processing of these packets. Continued receipt and processing of these malformed IPv4 or IPv6 packets will create a sustained Denial of Service (DoS) condition. This issue only affects MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. An indicator of compromise is the output: FPC ["FPC ID" # e.g. "0"] PFE #{PFE ID # e.g. "1"] : Fabric Disabled Example: FPC 0 PFE #1 : Fabric Disabled when using the command: show chassis fabric fpcs An example of a healthy result of the command use would be: user@device-re1> show chassis fabric fpcs Fabric management FPC state: FPC 0 PFE #0 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Plane enabled Plane 5: Plane enabled Plane 6: Plane enabled Plane 7: Plane enabled This issue affects: Juniper Networks Junos OS on MX Series with MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. 17.2 version 17.2R1 and later versions; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R2-S6, 18.2R3-S3; 18.3 versions prior to 18.3R2-S4, 18.3R3-S1; 18.4 versions prior to 18.4R1-S8, 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S5, 19.3R3. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1.
CWE
  • CWE-696 - Incorrect Behavior Order
  • Denial of Service (DoS)
Assigner
References
Impacted products
Vendor Product Version
Juniper Networks Junos OS Unaffected: unspecified , < 17.2R1 (custom)
Affected: 17.2R1 , < 17.2* (custom)
Affected: 17.3 , < 17.3R3-S9 (custom)
Affected: 17.4 , < 17.4R2-S12, 17.4R3-S3 (custom)
Affected: 18.1 , < 18.1R3-S11 (custom)
Affected: 18.2 , < 18.2R2-S6, 18.2R3-S3 (custom)
Affected: 18.3 , < 18.3R2-S4, 18.3R3-S1 (custom)
Affected: 18.4 , < 18.4R1-S8, 18.4R2-S5, 18.4R3 (custom)
Affected: 19.1 , < 19.1R1-S6, 19.1R2-S2, 19.1R3 (custom)
Affected: 19.2 , < 19.2R1-S5, 19.2R2 (custom)
Affected: 19.3 , < 19.3R2-S5, 19.3R3 (custom)
Create a notification for this product.
Date Public
2021-10-13 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:55:53.818Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kb.juniper.net/JSA11247"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.juniper.net/documentation/en_US/junos/topics/topic-map/map-e-configuring.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "MX Series"
          ],
          "product": "Junos OS",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "lessThan": "17.2R1",
              "status": "unaffected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "17.2*",
              "status": "affected",
              "version": "17.2R1",
              "versionType": "custom"
            },
            {
              "lessThan": "17.3R3-S9",
              "status": "affected",
              "version": "17.3",
              "versionType": "custom"
            },
            {
              "lessThan": "17.4R2-S12, 17.4R3-S3",
              "status": "affected",
              "version": "17.4",
              "versionType": "custom"
            },
            {
              "lessThan": "18.1R3-S11",
              "status": "affected",
              "version": "18.1",
              "versionType": "custom"
            },
            {
              "lessThan": "18.2R2-S6, 18.2R3-S3",
              "status": "affected",
              "version": "18.2",
              "versionType": "custom"
            },
            {
              "lessThan": "18.3R2-S4, 18.3R3-S1",
              "status": "affected",
              "version": "18.3",
              "versionType": "custom"
            },
            {
              "lessThan": "18.4R1-S8, 18.4R2-S5, 18.4R3",
              "status": "affected",
              "version": "18.4",
              "versionType": "custom"
            },
            {
              "lessThan": "19.1R1-S6, 19.1R2-S2, 19.1R3",
              "status": "affected",
              "version": "19.1",
              "versionType": "custom"
            },
            {
              "lessThan": "19.2R1-S5, 19.2R2",
              "status": "affected",
              "version": "19.2",
              "versionType": "custom"
            },
            {
              "lessThan": "19.3R2-S5, 19.3R3",
              "status": "affected",
              "version": "19.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "The following minimal configuration is necessary: \n\n  [chassis fpc \u003cfpc-number\u003e pic \u003cpic-number\u003e inline-services bandwidth \u003cbandwidth\u003e]\n  [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e family inet]\n  [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e family inet6]\n  [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e service-domain inside]\n  [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e family inet]\n  [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e family inet6]\n  [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e service-domain outside]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e version03]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e softwire-address \u003cIPv6-Address\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e ipv4-prefix \u003cIPv4-Prefix\u003e mape-prefix \u003cIPv6-Prefix\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e ea-bits-len \u003c0..48\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e psid-off[set \u003c0..16\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e psid-length \u003c0..16\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e mtu-ipv6 \u003c1280..9192\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e v4-reassembly]\n  [services softwire rule \u003cmape-rule-name\u003e match-direction input term \u003cterm-name\u003e then map-e \u003cmape-instance-name\u003e]\n  [services service-set \u003cservice-set-name\u003e softwire-rules \u003cmape-rule-name\u003e]\n  [services service-set \u003cservice-set-name\u003e next-hop-service inside-service-interface \u003csi-interface-name.inside-logical-unit\u003e outside-service-interface \u003csi-interface-name.outside-logical-unit\u003e]"
        }
      ],
      "datePublic": "2021-10-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An Incorrect Behavior Order vulnerability in the MAP-E automatic tunneling mechanism of Juniper Networks Junos OS allows an attacker to send certain malformed IPv4 or IPv6 packets to cause a Denial of Service (DoS) to the PFE on the device which is disabled as a result of the processing of these packets. Continued receipt and processing of these malformed IPv4 or IPv6 packets will create a sustained Denial of Service (DoS) condition. This issue only affects MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. An indicator of compromise is the output: FPC [\"FPC ID\" # e.g. \"0\"] PFE #{PFE ID # e.g. \"1\"] : Fabric Disabled Example: FPC 0 PFE #1 : Fabric Disabled when using the command: show chassis fabric fpcs An example of a healthy result of the command use would be: user@device-re1\u003e show chassis fabric fpcs Fabric management FPC state: FPC 0 PFE #0 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Plane enabled Plane 5: Plane enabled Plane 6: Plane enabled Plane 7: Plane enabled This issue affects: Juniper Networks Junos OS on MX Series with MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. 17.2 version 17.2R1 and later versions; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R2-S6, 18.2R3-S3; 18.3 versions prior to 18.3R2-S4, 18.3R3-S1; 18.4 versions prior to 18.4R1-S8, 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S5, 19.3R3. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-696",
              "description": "CWE-696 Incorrect Behavior Order",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "Denial of Service (DoS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-19T18:17:19.000Z",
        "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
        "shortName": "juniper"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kb.juniper.net/JSA11247"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.juniper.net/documentation/en_US/junos/topics/topic-map/map-e-configuring.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "The following software releases have been updated to resolve this specific issue: 17.3R3-S9, 17.4R2-S12, 17.4R3-S3, 18.1R3-S11, 18.2R2-S6, 18.2R3-S3, 18.3R2-S4, 18.3R3-S1, 18.4R1-S8, 18.4R2-S5, 18.4R3, 19.1R1-S6, 19.1R2-S2, 19.1R3, 19.2R1-S5, 19.2R2, 19.3R2-S5, 19.3R3, 19.4R1, and all subsequent releases."
        }
      ],
      "source": {
        "advisory": "JSA11247",
        "defect": [
          "1468454"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Junos OS: MX Series: MPC 7/8/9/10/11 cards with MAP-E: PFE halts when an attacker sends malformed IPv4 or IPv6 traffic inside the MAP-E tunnel.",
      "workarounds": [
        {
          "lang": "en",
          "value": "To work around this issue customers can either:\n\n1. Disable Mapping of Address and port - Encapsulation (MAP-E) as an inline service on MX Series routers that use MPC and MIC interfaces.\n\nor\n\n2. Determine where the MAP-E v4 or v6 reassembly exists, review the following hierarchies and disable the \"v4-reassembly;\" and \"v6-reassembly;\" options where they exist:\n\n  [services softwire softwire-concentrator]\n  [services softwires softwire-types]\n  [security softwires]\n\nand the following syntaxes: \n\n  map-e name {\n      v4-reassembly;      \u003c\u003c\u003c\u003c\u003c  DISABLE the v4-reassembly option.\n      v6-reassembly;      \u003c\u003c\u003c\u003c\u003c  DISABLE the v6-reassembly option.\n  }"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@juniper.net",
          "DATE_PUBLIC": "2021-10-13T16:00:00.000Z",
          "ID": "CVE-2021-31379",
          "STATE": "PUBLIC",
          "TITLE": "Junos OS: MX Series: MPC 7/8/9/10/11 cards with MAP-E: PFE halts when an attacker sends malformed IPv4 or IPv6 traffic inside the MAP-E tunnel."
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Junos OS",
                      "version": {
                        "version_data": [
                          {
                            "platform": "MX Series",
                            "version_affected": "\u003e=",
                            "version_name": "17.2",
                            "version_value": "17.2R1"
                          },
                          {
                            "platform": "MX Series",
                            "version_affected": "\u003c",
                            "version_name": "17.3",
                            "version_value": "17.3R3-S9"
                          },
                          {
                            "platform": "MX Series",
                            "version_affected": "\u003c",
                            "version_name": "17.4",
                            "version_value": "17.4R2-S12, 17.4R3-S3"
                          },
                          {
                            "platform": "MX Series",
                            "version_affected": "\u003c",
                            "version_name": "18.1",
                            "version_value": "18.1R3-S11"
                          },
                          {
                            "platform": "MX Series",
                            "version_affected": "\u003c",
                            "version_name": "18.2",
                            "version_value": "18.2R2-S6, 18.2R3-S3"
                          },
                          {
                            "platform": "MX Series",
                            "version_affected": "\u003c",
                            "version_name": "18.3",
                            "version_value": "18.3R2-S4, 18.3R3-S1"
                          },
                          {
                            "platform": "MX Series",
                            "version_affected": "\u003c",
                            "version_name": "18.4",
                            "version_value": "18.4R1-S8, 18.4R2-S5, 18.4R3"
                          },
                          {
                            "platform": "MX Series",
                            "version_affected": "\u003c",
                            "version_name": "19.1",
                            "version_value": "19.1R1-S6, 19.1R2-S2, 19.1R3"
                          },
                          {
                            "platform": "MX Series",
                            "version_affected": "\u003c",
                            "version_name": "19.2",
                            "version_value": "19.2R1-S5, 19.2R2"
                          },
                          {
                            "platform": "MX Series",
                            "version_affected": "\u003c",
                            "version_name": "19.3",
                            "version_value": "19.3R2-S5, 19.3R3"
                          },
                          {
                            "platform": "MX Series",
                            "version_affected": "!\u003c",
                            "version_value": "17.2R1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Juniper Networks"
              }
            ]
          }
        },
        "configuration": [
          {
            "lang": "en",
            "value": "The following minimal configuration is necessary: \n\n  [chassis fpc \u003cfpc-number\u003e pic \u003cpic-number\u003e inline-services bandwidth \u003cbandwidth\u003e]\n  [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e family inet]\n  [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e family inet6]\n  [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e service-domain inside]\n  [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e family inet]\n  [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e family inet6]\n  [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e service-domain outside]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e version03]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e softwire-address \u003cIPv6-Address\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e ipv4-prefix \u003cIPv4-Prefix\u003e mape-prefix \u003cIPv6-Prefix\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e ea-bits-len \u003c0..48\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e psid-off[set \u003c0..16\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e psid-length \u003c0..16\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e mtu-ipv6 \u003c1280..9192\u003e]\n  [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e v4-reassembly]\n  [services softwire rule \u003cmape-rule-name\u003e match-direction input term \u003cterm-name\u003e then map-e \u003cmape-instance-name\u003e]\n  [services service-set \u003cservice-set-name\u003e softwire-rules \u003cmape-rule-name\u003e]\n  [services service-set \u003cservice-set-name\u003e next-hop-service inside-service-interface \u003csi-interface-name.inside-logical-unit\u003e outside-service-interface \u003csi-interface-name.outside-logical-unit\u003e]"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An Incorrect Behavior Order vulnerability in the MAP-E automatic tunneling mechanism of Juniper Networks Junos OS allows an attacker to send certain malformed IPv4 or IPv6 packets to cause a Denial of Service (DoS) to the PFE on the device which is disabled as a result of the processing of these packets. Continued receipt and processing of these malformed IPv4 or IPv6 packets will create a sustained Denial of Service (DoS) condition. This issue only affects MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. An indicator of compromise is the output: FPC [\"FPC ID\" # e.g. \"0\"] PFE #{PFE ID # e.g. \"1\"] : Fabric Disabled Example: FPC 0 PFE #1 : Fabric Disabled when using the command: show chassis fabric fpcs An example of a healthy result of the command use would be: user@device-re1\u003e show chassis fabric fpcs Fabric management FPC state: FPC 0 PFE #0 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Plane enabled Plane 5: Plane enabled Plane 6: Plane enabled Plane 7: Plane enabled This issue affects: Juniper Networks Junos OS on MX Series with MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. 17.2 version 17.2R1 and later versions; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R2-S6, 18.2R3-S3; 18.3 versions prior to 18.3R2-S4, 18.3R3-S1; 18.4 versions prior to 18.4R1-S8, 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S5, 19.3R3. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
          }
        ],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-696 Incorrect Behavior Order"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service (DoS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kb.juniper.net/JSA11247",
              "refsource": "CONFIRM",
              "url": "https://kb.juniper.net/JSA11247"
            },
            {
              "name": "https://www.juniper.net/documentation/en_US/junos/topics/topic-map/map-e-configuring.html",
              "refsource": "MISC",
              "url": "https://www.juniper.net/documentation/en_US/junos/topics/topic-map/map-e-configuring.html"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "The following software releases have been updated to resolve this specific issue: 17.3R3-S9, 17.4R2-S12, 17.4R3-S3, 18.1R3-S11, 18.2R2-S6, 18.2R3-S3, 18.3R2-S4, 18.3R3-S1, 18.4R1-S8, 18.4R2-S5, 18.4R3, 19.1R1-S6, 19.1R2-S2, 19.1R3, 19.2R1-S5, 19.2R2, 19.3R2-S5, 19.3R3, 19.4R1, and all subsequent releases."
          }
        ],
        "source": {
          "advisory": "JSA11247",
          "defect": [
            "1468454"
          ],
          "discovery": "INTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "To work around this issue customers can either:\n\n1. Disable Mapping of Address and port - Encapsulation (MAP-E) as an inline service on MX Series routers that use MPC and MIC interfaces.\n\nor\n\n2. Determine where the MAP-E v4 or v6 reassembly exists, review the following hierarchies and disable the \"v4-reassembly;\" and \"v6-reassembly;\" options where they exist:\n\n  [services softwire softwire-concentrator]\n  [services softwires softwire-types]\n  [security softwires]\n\nand the following syntaxes: \n\n  map-e name {\n      v4-reassembly;      \u003c\u003c\u003c\u003c\u003c  DISABLE the v4-reassembly option.\n      v6-reassembly;      \u003c\u003c\u003c\u003c\u003c  DISABLE the v6-reassembly option.\n  }"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
    "assignerShortName": "juniper",
    "cveId": "CVE-2021-31379",
    "datePublished": "2021-10-19T18:17:19.849Z",
    "dateReserved": "2021-04-15T00:00:00.000Z",
    "dateUpdated": "2024-09-16T22:56:51.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-22569 (GCVE-0-2021-22569)

Vulnerability from cvelistv5 – Published: 2022-01-07 00:00 – Updated: 2025-04-21 13:57
VLAI
Title
Denial of Service of protobuf-java parsing procedure
Summary
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-696 - Incorrect Behavior Order
Assigner
Impacted products
Vendor Product Version
Google LLC protobuf-java Affected: unspecified , < 3.16.1 (custom)
Affected: unspecified , < 3.18.2 (custom)
Affected: unspecified , < 3.19.2 (custom)
Create a notification for this product.
Google LLC protobuf-kotlin Affected: unspecified , < 3.18.2 (custom)
Affected: unspecified , < 3.19.2 (custom)
Create a notification for this product.
Google LLC google-protobuf [JRuby Gem] Affected: unspecified , < 3.19.2 (custom)
Create a notification for this product.
Credits
OSS-Fuzz - https://github.com/google/oss-fuzz
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:44:14.144Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cloud.google.com/support/bulletins#gcp-2022-001"
          },
          {
            "name": "[oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"
          },
          {
            "name": "[oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-22569",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T13:40:37.923955Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T13:57:08.444Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "protobuf-java",
          "vendor": "Google LLC",
          "versions": [
            {
              "lessThan": "3.16.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "3.18.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "3.19.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "protobuf-kotlin",
          "vendor": "Google LLC",
          "versions": [
            {
              "lessThan": "3.18.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "3.19.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "google-protobuf [JRuby Gem]",
          "vendor": "Google LLC",
          "versions": [
            {
              "lessThan": "3.19.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "OSS-Fuzz - https://github.com/google/oss-fuzz"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-696",
              "description": "CWE-696 Incorrect Behavior Order",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-18T00:00:00.000Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"
        },
        {
          "url": "https://cloud.google.com/support/bulletins#gcp-2022-001"
        },
        {
          "name": "[oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"
        },
        {
          "name": "[oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
          "tags": [
            "mailing-list"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Denial of Service of protobuf-java parsing procedure",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2021-22569",
    "datePublished": "2022-01-07T00:00:00.000Z",
    "dateReserved": "2021-01-05T00:00:00.000Z",
    "dateUpdated": "2025-04-21T13:57:08.444Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2J53-2C28-G9V2

Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 20:19
VLAI
Summary
Duplicate Advisory: OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-65h8-27jh-q8wv. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T20:19:08Z",
    "nvd_published_at": "2026-04-09T22:16:31Z",
    "severity": "MODERATE"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-65h8-27jh-q8wv. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.",
  "id": "GHSA-2j53-2c28-g9v2",
  "modified": "2026-04-10T20:19:08Z",
  "published": "2026-04-10T00:30:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35627"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-unauthenticated-cryptographic-work-in-nostr-inbound-dm-handling"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement",
  "withdrawn": "2026-04-10T20:19:08Z"
}

GHSA-2RMV-PMJ6-727M

Vulnerability from github – Published: 2025-05-13 21:30 – Updated: 2025-11-03 21:33
VLAI
Details

Incorrect behavior order for some Intel(R) Core™ Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20012"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T21:16:03Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect behavior order for some Intel(R) Core\u2122 Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access.",
  "id": "GHSA-2rmv-pmj6-727m",
  "modified": "2025-11-03T21:33:53Z",
  "published": "2025-05-13T21:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20012"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01322.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3RQ5-2G8H-59HC

Vulnerability from github – Published: 2024-04-11 15:30 – Updated: 2024-06-26 03:31
VLAI
Summary
Potential DoS via the Tudoor mechanism in eventlet and dnspython
Details

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "eventlet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.35.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "dnspython"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-12T21:25:53Z",
    "nvd_published_at": "2024-04-11T14:15:12Z",
    "severity": "MODERATE"
  },
  "details": "eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a \"TuDoor\" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.",
  "id": "GHSA-3rq5-2g8h-59hc",
  "modified": "2024-06-26T03:31:48Z",
  "published": "2024-04-11T15:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29483"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventlet/eventlet/issues/913"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rthalley/dnspython/issues/1045"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventlet/eventlet/commit/51e3c4928d4938beb576eff34f3bf97e6e64e6b4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rthalley/dnspython/commit/0ea5ad0a4583e1f519b9bcc67cfac381230d9cf2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eventlet/eventlet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventlet/eventlet/releases/tag/v0.35.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rthalley/dnspython/releases/tag/v2.6.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240510-0001"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713"
    },
    {
      "type": "WEB",
      "url": "https://www.dnspython.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Potential DoS via the Tudoor mechanism in eventlet and dnspython"
}

GHSA-428Q-Q3VV-3FQ3

Vulnerability from github – Published: 2025-04-04 14:19 – Updated: 2025-08-29 21:08
VLAI
Summary
GraphQL grant on a property might be cached with different objects
Details

Original message:

I found an issue with security grants on on properties in the GraphQL ItemNormalizer:

If you use something like #[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')] on a member of an entity, the grant gets cached and is only evaluated once, even if the object in question is a different one.

There is the ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164
and in its usage on line 90 it does indeed not create a cache key, but the parent::normalize() that is called afterwards still creates the cache key and causes the issue.

Impact

It grants access to properties that it should not.

Workarounds

Override the ItemNormalizer.

Patched at: https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "api-platform/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha.1"
            },
            {
              "fixed": "4.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "api-platform/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha.1"
            },
            {
              "fixed": "4.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "api-platform/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "api-platform/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "api-platform/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0-alpha.1"
            },
            {
              "fixed": "4.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "api-platform/graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0-alpha.1"
            },
            {
              "fixed": "4.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-04T14:19:42Z",
    "nvd_published_at": "2025-04-03T20:15:25Z",
    "severity": "HIGH"
  },
  "details": "### Original message:\n\nI found an issue with security grants on on properties in the GraphQL ItemNormalizer:\n\nIf you use something like `#[ApiProperty(security: \u0027is_granted(\"PROPERTY_READ\", [object, property])\u0027)]` on a member of an entity, the grant gets cached and is only evaluated once, even if the `object` in question is a different one.\n\nThere is the `ApiPlatform\\GraphQl\\Serializer\\ItemNormalizer::isCacheKeySafe()` method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164  \nand in its usage on line 90 it does indeed not create a cache key, but the `parent::normalize()` that is called afterwards still creates the cache key and causes the issue.\n\n### Impact\n\nIt grants access to properties that it should not.\n\n### Workarounds\n\nOverride the ItemNormalizer.\n\nPatched at: https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8",
  "id": "GHSA-428q-q3vv-3fq3",
  "modified": "2025-08-29T21:08:09Z",
  "published": "2025-04-04T14:19:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31485"
    },
    {
      "type": "WEB",
      "url": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2025-31485.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/graphql/CVE-2025-31485.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/api-platform/core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GraphQL grant on a property might be cached with different objects"
}

GHSA-4G73-W726-53H3

Vulnerability from github – Published: 2026-05-14 03:32 – Updated: 2026-06-08 20:07
VLAI
Summary
OpenStack Ironic: Pre-Validation Checksum Calculation allows Denial of Service (DoS) via Infinite Block Devices
Details

In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ironic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "36.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T20:15:08Z",
    "nvd_published_at": "2026-05-14T02:17:21Z",
    "severity": "MODERATE"
  },
  "details": "In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.",
  "id": "GHSA-4g73-w726-53h3",
  "modified": "2026-06-08T20:07:39Z",
  "published": "2026-05-14T03:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44919"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/ironic/+bug/2150332"
    },
    {
      "type": "PACKAGE",
      "url": "https://opendev.org/openstack/ironic"
    },
    {
      "type": "WEB",
      "url": "https://opendev.org/openstack/ironic/commit/a3f6d735ac3642ab95b49142c7305f072ae748d0"
    },
    {
      "type": "WEB",
      "url": "https://security.openstack.org/ossa/OSSA-2026-013.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenStack Ironic: Pre-Validation Checksum Calculation allows Denial of Service (DoS) via Infinite Block Devices"
}

GHSA-4V4G-726H-XVFV

Vulnerability from github – Published: 2021-04-19 14:59 – Updated: 2023-03-17 17:49
VLAI
Summary
Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime
Details

Impact

AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).

Patches

A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are >=3.11.4.

Users should upgrade to ^3.11.4.

Credits

Thanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jose-node-esm-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208",
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-16T23:00:41Z",
    "nvd_published_at": "2021-04-16T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n[AES_CBC_HMAC_SHA2 Algorithm](https://tools.ietf.org/html/rfc7518#section-5.2) (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).\n\n### Patches\n\nA patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `\u003e=3.11.4`.\n\nUsers should upgrade to `^3.11.4`.\n\n### Credits\nThanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.",
  "id": "GHSA-4v4g-726h-xvfv",
  "modified": "2023-03-17T17:49:46Z",
  "published": "2021-04-19T14:59:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/panva/jose/security/advisories/GHSA-4v4g-726h-xvfv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29445"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/panva/jose"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/jose-node-esm-runtime"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime"
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.