CWE-696
Allowed-with-ReviewIncorrect Behavior Order
Abstraction: Class · Status: Incomplete
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses.
70 vulnerabilities reference this CWE, most recent first.
CVE-2023-23576 (GCVE-0-2023-23576)
Vulnerability from cvelistv5 – Published: 2023-12-18 21:59 – Updated: 2024-08-02 10:35- CWE-696 - Incorrect Behavior Order
| Vendor | Product | Version | |
|---|---|---|---|
| Gallagher | Command Centre Server |
Affected:
0 , ≤ 8.50
(custom)
Affected: 8.90 , < 8.90.1620 (MR2) (custom) Affected: 8.80 , < 8.80.1369 (MR3) (custom) Affected: 8.70 , < 8.70.2375 (MR5) (custom) Affected: 8.60 , < 8.60.2550 (MR7) (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.566Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23576"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Command Centre Server",
"vendor": "Gallagher",
"versions": [
{
"lessThanOrEqual": "8.50",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.90.1620 (MR2)",
"status": "affected",
"version": "8.90",
"versionType": "custom"
},
{
"lessThan": "8.80.1369 (MR3)",
"status": "affected",
"version": "8.80",
"versionType": "custom"
},
{
"lessThan": "8.70.2375 (MR5)",
"status": "affected",
"version": "8.70",
"versionType": "custom"
},
{
"lessThan": "8.60.2550 (MR7)",
"status": "affected",
"version": "8.60",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIncorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision. \u003cbr\u003e\u003cbr\u003eThis issue affects: Gallagher Command Centre: 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.70.2375 (MR5), 8.60 prior to vEL8.60.2550 (MR7), all versions of 8.50 and prior.\u003c/span\u003e\n\n"
}
],
"value": "\nIncorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision. \n\nThis issue affects: Gallagher Command Centre: 8.90 prior to vEL8.90.1620 (MR2), 8.80 prior to vEL8.80.1369 (MR3), 8.70 prior to vEL8.70.2375 (MR5), 8.60 prior to vEL8.60.2550 (MR7), all versions of 8.50 and prior.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696: Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-18T21:59:38.164Z",
"orgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"shortName": "Gallagher"
},
"references": [
{
"url": "https://security.gallagher.com/Security-Advisories/CVE-2023-23576"
}
],
"source": {
"discovery": "INTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0c426f27-3ee1-4eff-be88-288d5a1822bc",
"assignerShortName": "Gallagher",
"cveId": "CVE-2023-23576",
"datePublished": "2023-12-18T21:59:38.164Z",
"dateReserved": "2023-02-03T20:38:05.225Z",
"dateUpdated": "2024-08-02T10:35:33.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47688 (GCVE-0-2021-47688)
Vulnerability from cvelistv5 – Published: 2025-06-23 00:00 – Updated: 2025-06-24 18:07- CWE-696 - Incorrect Behavior Order
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47688",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-24T13:46:49.271297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T18:07:21.177Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WhiteBeam",
"vendor": "WhiteBeam",
"versions": [
{
"lessThan": "0.2.2",
"status": "affected",
"version": "0.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In WhiteBeam 0.2.0 through 0.2.1 before 0.2.2, a user with local access to a server can bypass the allow-list functionality because a file can be truncated in the OpenFileDescriptor action before the VerifyCanWrite action is performed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696 Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T19:49:24.458Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/WhiteBeamSec/WhiteBeam/security/advisories/GHSA-3f8r-9483-pfxj"
},
{
"url": "https://github.com/WhiteBeamSec/WhiteBeam/security/policy"
},
{
"url": "https://github.com/WhiteBeamSec/WhiteBeam/pull/22"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-47688",
"datePublished": "2025-06-23T00:00:00.000Z",
"dateReserved": "2025-06-23T00:00:00.000Z",
"dateUpdated": "2025-06-24T18:07:21.177Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-31379 (GCVE-0-2021-31379)
Vulnerability from cvelistv5 – Published: 2021-10-19 18:17 – Updated: 2024-09-16 22:56- CWE-696 - Incorrect Behavior Order
- Denial of Service (DoS)
| URL | Tags |
|---|---|
| https://kb.juniper.net/JSA11247 | x_refsource_CONFIRM |
| https://www.juniper.net/documentation/en_US/junos… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Juniper Networks | Junos OS |
Unaffected:
unspecified , < 17.2R1
(custom)
Affected: 17.2R1 , < 17.2* (custom) Affected: 17.3 , < 17.3R3-S9 (custom) Affected: 17.4 , < 17.4R2-S12, 17.4R3-S3 (custom) Affected: 18.1 , < 18.1R3-S11 (custom) Affected: 18.2 , < 18.2R2-S6, 18.2R3-S3 (custom) Affected: 18.3 , < 18.3R2-S4, 18.3R3-S1 (custom) Affected: 18.4 , < 18.4R1-S8, 18.4R2-S5, 18.4R3 (custom) Affected: 19.1 , < 19.1R1-S6, 19.1R2-S2, 19.1R3 (custom) Affected: 19.2 , < 19.2R1-S5, 19.2R2 (custom) Affected: 19.3 , < 19.3R2-S5, 19.3R3 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kb.juniper.net/JSA11247"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.juniper.net/documentation/en_US/junos/topics/topic-map/map-e-configuring.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"MX Series"
],
"product": "Junos OS",
"vendor": "Juniper Networks",
"versions": [
{
"lessThan": "17.2R1",
"status": "unaffected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "17.2*",
"status": "affected",
"version": "17.2R1",
"versionType": "custom"
},
{
"lessThan": "17.3R3-S9",
"status": "affected",
"version": "17.3",
"versionType": "custom"
},
{
"lessThan": "17.4R2-S12, 17.4R3-S3",
"status": "affected",
"version": "17.4",
"versionType": "custom"
},
{
"lessThan": "18.1R3-S11",
"status": "affected",
"version": "18.1",
"versionType": "custom"
},
{
"lessThan": "18.2R2-S6, 18.2R3-S3",
"status": "affected",
"version": "18.2",
"versionType": "custom"
},
{
"lessThan": "18.3R2-S4, 18.3R3-S1",
"status": "affected",
"version": "18.3",
"versionType": "custom"
},
{
"lessThan": "18.4R1-S8, 18.4R2-S5, 18.4R3",
"status": "affected",
"version": "18.4",
"versionType": "custom"
},
{
"lessThan": "19.1R1-S6, 19.1R2-S2, 19.1R3",
"status": "affected",
"version": "19.1",
"versionType": "custom"
},
{
"lessThan": "19.2R1-S5, 19.2R2",
"status": "affected",
"version": "19.2",
"versionType": "custom"
},
{
"lessThan": "19.3R2-S5, 19.3R3",
"status": "affected",
"version": "19.3",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"value": "The following minimal configuration is necessary: \n\n [chassis fpc \u003cfpc-number\u003e pic \u003cpic-number\u003e inline-services bandwidth \u003cbandwidth\u003e]\n [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e family inet]\n [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e family inet6]\n [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e service-domain inside]\n [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e family inet]\n [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e family inet6]\n [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e service-domain outside]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e version03]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e softwire-address \u003cIPv6-Address\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e ipv4-prefix \u003cIPv4-Prefix\u003e mape-prefix \u003cIPv6-Prefix\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e ea-bits-len \u003c0..48\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e psid-off[set \u003c0..16\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e psid-length \u003c0..16\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e mtu-ipv6 \u003c1280..9192\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e v4-reassembly]\n [services softwire rule \u003cmape-rule-name\u003e match-direction input term \u003cterm-name\u003e then map-e \u003cmape-instance-name\u003e]\n [services service-set \u003cservice-set-name\u003e softwire-rules \u003cmape-rule-name\u003e]\n [services service-set \u003cservice-set-name\u003e next-hop-service inside-service-interface \u003csi-interface-name.inside-logical-unit\u003e outside-service-interface \u003csi-interface-name.outside-logical-unit\u003e]"
}
],
"datePublic": "2021-10-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An Incorrect Behavior Order vulnerability in the MAP-E automatic tunneling mechanism of Juniper Networks Junos OS allows an attacker to send certain malformed IPv4 or IPv6 packets to cause a Denial of Service (DoS) to the PFE on the device which is disabled as a result of the processing of these packets. Continued receipt and processing of these malformed IPv4 or IPv6 packets will create a sustained Denial of Service (DoS) condition. This issue only affects MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. An indicator of compromise is the output: FPC [\"FPC ID\" # e.g. \"0\"] PFE #{PFE ID # e.g. \"1\"] : Fabric Disabled Example: FPC 0 PFE #1 : Fabric Disabled when using the command: show chassis fabric fpcs An example of a healthy result of the command use would be: user@device-re1\u003e show chassis fabric fpcs Fabric management FPC state: FPC 0 PFE #0 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Plane enabled Plane 5: Plane enabled Plane 6: Plane enabled Plane 7: Plane enabled This issue affects: Juniper Networks Junos OS on MX Series with MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. 17.2 version 17.2R1 and later versions; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R2-S6, 18.2R3-S3; 18.3 versions prior to 18.3R2-S4, 18.3R3-S1; 18.4 versions prior to 18.4R1-S8, 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S5, 19.3R3. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1."
}
],
"exploits": [
{
"lang": "en",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696 Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"description": "Denial of Service (DoS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-19T18:17:19.000Z",
"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"shortName": "juniper"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kb.juniper.net/JSA11247"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.juniper.net/documentation/en_US/junos/topics/topic-map/map-e-configuring.html"
}
],
"solutions": [
{
"lang": "en",
"value": "The following software releases have been updated to resolve this specific issue: 17.3R3-S9, 17.4R2-S12, 17.4R3-S3, 18.1R3-S11, 18.2R2-S6, 18.2R3-S3, 18.3R2-S4, 18.3R3-S1, 18.4R1-S8, 18.4R2-S5, 18.4R3, 19.1R1-S6, 19.1R2-S2, 19.1R3, 19.2R1-S5, 19.2R2, 19.3R2-S5, 19.3R3, 19.4R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA11247",
"defect": [
"1468454"
],
"discovery": "INTERNAL"
},
"title": "Junos OS: MX Series: MPC 7/8/9/10/11 cards with MAP-E: PFE halts when an attacker sends malformed IPv4 or IPv6 traffic inside the MAP-E tunnel.",
"workarounds": [
{
"lang": "en",
"value": "To work around this issue customers can either:\n\n1. Disable Mapping of Address and port - Encapsulation (MAP-E) as an inline service on MX Series routers that use MPC and MIC interfaces.\n\nor\n\n2. Determine where the MAP-E v4 or v6 reassembly exists, review the following hierarchies and disable the \"v4-reassembly;\" and \"v6-reassembly;\" options where they exist:\n\n [services softwire softwire-concentrator]\n [services softwires softwire-types]\n [security softwires]\n\nand the following syntaxes: \n\n map-e name {\n v4-reassembly; \u003c\u003c\u003c\u003c\u003c DISABLE the v4-reassembly option.\n v6-reassembly; \u003c\u003c\u003c\u003c\u003c DISABLE the v6-reassembly option.\n }"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "sirt@juniper.net",
"DATE_PUBLIC": "2021-10-13T16:00:00.000Z",
"ID": "CVE-2021-31379",
"STATE": "PUBLIC",
"TITLE": "Junos OS: MX Series: MPC 7/8/9/10/11 cards with MAP-E: PFE halts when an attacker sends malformed IPv4 or IPv6 traffic inside the MAP-E tunnel."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Junos OS",
"version": {
"version_data": [
{
"platform": "MX Series",
"version_affected": "\u003e=",
"version_name": "17.2",
"version_value": "17.2R1"
},
{
"platform": "MX Series",
"version_affected": "\u003c",
"version_name": "17.3",
"version_value": "17.3R3-S9"
},
{
"platform": "MX Series",
"version_affected": "\u003c",
"version_name": "17.4",
"version_value": "17.4R2-S12, 17.4R3-S3"
},
{
"platform": "MX Series",
"version_affected": "\u003c",
"version_name": "18.1",
"version_value": "18.1R3-S11"
},
{
"platform": "MX Series",
"version_affected": "\u003c",
"version_name": "18.2",
"version_value": "18.2R2-S6, 18.2R3-S3"
},
{
"platform": "MX Series",
"version_affected": "\u003c",
"version_name": "18.3",
"version_value": "18.3R2-S4, 18.3R3-S1"
},
{
"platform": "MX Series",
"version_affected": "\u003c",
"version_name": "18.4",
"version_value": "18.4R1-S8, 18.4R2-S5, 18.4R3"
},
{
"platform": "MX Series",
"version_affected": "\u003c",
"version_name": "19.1",
"version_value": "19.1R1-S6, 19.1R2-S2, 19.1R3"
},
{
"platform": "MX Series",
"version_affected": "\u003c",
"version_name": "19.2",
"version_value": "19.2R1-S5, 19.2R2"
},
{
"platform": "MX Series",
"version_affected": "\u003c",
"version_name": "19.3",
"version_value": "19.3R2-S5, 19.3R3"
},
{
"platform": "MX Series",
"version_affected": "!\u003c",
"version_value": "17.2R1"
}
]
}
}
]
},
"vendor_name": "Juniper Networks"
}
]
}
},
"configuration": [
{
"lang": "en",
"value": "The following minimal configuration is necessary: \n\n [chassis fpc \u003cfpc-number\u003e pic \u003cpic-number\u003e inline-services bandwidth \u003cbandwidth\u003e]\n [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e family inet]\n [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e family inet6]\n [interfaces \u003csi-interface-name\u003e unit \u003cinside-logical-unit\u003e service-domain inside]\n [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e family inet]\n [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e family inet6]\n [interfaces \u003csi-interface-name\u003e unit \u003coutside-logical-unit\u003e service-domain outside]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e version03]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e softwire-address \u003cIPv6-Address\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e ipv4-prefix \u003cIPv4-Prefix\u003e mape-prefix \u003cIPv6-Prefix\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e ea-bits-len \u003c0..48\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e psid-off[set \u003c0..16\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e psid-length \u003c0..16\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e mtu-ipv6 \u003c1280..9192\u003e]\n [services softwire softwire-concentrator map-e \u003cmape-instance-name\u003e v4-reassembly]\n [services softwire rule \u003cmape-rule-name\u003e match-direction input term \u003cterm-name\u003e then map-e \u003cmape-instance-name\u003e]\n [services service-set \u003cservice-set-name\u003e softwire-rules \u003cmape-rule-name\u003e]\n [services service-set \u003cservice-set-name\u003e next-hop-service inside-service-interface \u003csi-interface-name.inside-logical-unit\u003e outside-service-interface \u003csi-interface-name.outside-logical-unit\u003e]"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Incorrect Behavior Order vulnerability in the MAP-E automatic tunneling mechanism of Juniper Networks Junos OS allows an attacker to send certain malformed IPv4 or IPv6 packets to cause a Denial of Service (DoS) to the PFE on the device which is disabled as a result of the processing of these packets. Continued receipt and processing of these malformed IPv4 or IPv6 packets will create a sustained Denial of Service (DoS) condition. This issue only affects MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. An indicator of compromise is the output: FPC [\"FPC ID\" # e.g. \"0\"] PFE #{PFE ID # e.g. \"1\"] : Fabric Disabled Example: FPC 0 PFE #1 : Fabric Disabled when using the command: show chassis fabric fpcs An example of a healthy result of the command use would be: user@device-re1\u003e show chassis fabric fpcs Fabric management FPC state: FPC 0 PFE #0 Plane 0: Plane enabled Plane 1: Plane enabled Plane 2: Plane enabled Plane 3: Plane enabled Plane 4: Plane enabled Plane 5: Plane enabled Plane 6: Plane enabled Plane 7: Plane enabled This issue affects: Juniper Networks Junos OS on MX Series with MPC 7/8/9/10/11 cards, when MAP-E IP reassembly is enabled on these cards. 17.2 version 17.2R1 and later versions; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R2-S6, 18.2R3-S3; 18.3 versions prior to 18.3R2-S4, 18.3R3-S1; 18.4 versions prior to 18.4R1-S8, 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S5, 19.3R3. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R1."
}
]
},
"exploit": [
{
"lang": "en",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-696 Incorrect Behavior Order"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (DoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.juniper.net/JSA11247",
"refsource": "CONFIRM",
"url": "https://kb.juniper.net/JSA11247"
},
{
"name": "https://www.juniper.net/documentation/en_US/junos/topics/topic-map/map-e-configuring.html",
"refsource": "MISC",
"url": "https://www.juniper.net/documentation/en_US/junos/topics/topic-map/map-e-configuring.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "The following software releases have been updated to resolve this specific issue: 17.3R3-S9, 17.4R2-S12, 17.4R3-S3, 18.1R3-S11, 18.2R2-S6, 18.2R3-S3, 18.3R2-S4, 18.3R3-S1, 18.4R1-S8, 18.4R2-S5, 18.4R3, 19.1R1-S6, 19.1R2-S2, 19.1R3, 19.2R1-S5, 19.2R2, 19.3R2-S5, 19.3R3, 19.4R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA11247",
"defect": [
"1468454"
],
"discovery": "INTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "To work around this issue customers can either:\n\n1. Disable Mapping of Address and port - Encapsulation (MAP-E) as an inline service on MX Series routers that use MPC and MIC interfaces.\n\nor\n\n2. Determine where the MAP-E v4 or v6 reassembly exists, review the following hierarchies and disable the \"v4-reassembly;\" and \"v6-reassembly;\" options where they exist:\n\n [services softwire softwire-concentrator]\n [services softwires softwire-types]\n [security softwires]\n\nand the following syntaxes: \n\n map-e name {\n v4-reassembly; \u003c\u003c\u003c\u003c\u003c DISABLE the v4-reassembly option.\n v6-reassembly; \u003c\u003c\u003c\u003c\u003c DISABLE the v6-reassembly option.\n }"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
"assignerShortName": "juniper",
"cveId": "CVE-2021-31379",
"datePublished": "2021-10-19T18:17:19.849Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:56:51.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22569 (GCVE-0-2021-22569)
Vulnerability from cvelistv5 – Published: 2022-01-07 00:00 – Updated: 2025-04-21 13:57- CWE-696 - Incorrect Behavior Order
| Vendor | Product | Version | |
|---|---|---|---|
| Google LLC | protobuf-java |
Affected:
unspecified , < 3.16.1
(custom)
Affected: unspecified , < 3.18.2 (custom) Affected: unspecified , < 3.19.2 (custom) |
|
| Google LLC | protobuf-kotlin |
Affected:
unspecified , < 3.18.2
(custom)
Affected: unspecified , < 3.19.2 (custom) |
|
| Google LLC | google-protobuf [JRuby Gem] |
Affected:
unspecified , < 3.19.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:44:14.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"
},
{
"tags": [
"x_transferred"
],
"url": "https://cloud.google.com/support/bulletins#gcp-2022-001"
},
{
"name": "[oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"
},
{
"name": "[oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-22569",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T13:40:37.923955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T13:57:08.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "protobuf-java",
"vendor": "Google LLC",
"versions": [
{
"lessThan": "3.16.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "3.18.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "3.19.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "protobuf-kotlin",
"vendor": "Google LLC",
"versions": [
{
"lessThan": "3.18.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "3.19.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "google-protobuf [JRuby Gem]",
"vendor": "Google LLC",
"versions": [
{
"lessThan": "3.19.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "OSS-Fuzz - https://github.com/google/oss-fuzz"
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-696",
"description": "CWE-696 Incorrect Behavior Order",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-18T00:00:00.000Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330"
},
{
"url": "https://cloud.google.com/support/bulletins#gcp-2022-001"
},
{
"name": "[oss-security] 20220112 CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/12/4"
},
{
"name": "[oss-security] 20220112 Re: CVE-2021-22569: Protobuf Java, Kotlin, JRuby DoS",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/01/12/7"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "[debian-lts-announce] 20230418 [SECURITY] [DLA 3393-1] protobuf security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Denial of Service of protobuf-java parsing procedure",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2021-22569",
"datePublished": "2022-01-07T00:00:00.000Z",
"dateReserved": "2021-01-05T00:00:00.000Z",
"dateUpdated": "2025-04-21T13:57:08.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2J53-2C28-G9V2
Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 20:19Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-65h8-27jh-q8wv. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-696"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T20:19:08Z",
"nvd_published_at": "2026-04-09T22:16:31Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-65h8-27jh-q8wv. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.",
"id": "GHSA-2j53-2c28-g9v2",
"modified": "2026-04-10T20:19:08Z",
"published": "2026-04-10T00:30:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35627"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-unauthenticated-cryptographic-work-in-nostr-inbound-dm-handling"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement",
"withdrawn": "2026-04-10T20:19:08Z"
}
GHSA-2RMV-PMJ6-727M
Vulnerability from github – Published: 2025-05-13 21:30 – Updated: 2025-11-03 21:33Incorrect behavior order for some Intel(R) Core™ Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access.
{
"affected": [],
"aliases": [
"CVE-2025-20012"
],
"database_specific": {
"cwe_ids": [
"CWE-696"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T21:16:03Z",
"severity": "MODERATE"
},
"details": "Incorrect behavior order for some Intel(R) Core\u2122 Ultra Processors may allow an unauthenticated user to potentially enable information disclosure via physical access.",
"id": "GHSA-2rmv-pmj6-727m",
"modified": "2025-11-03T21:33:53Z",
"published": "2025-05-13T21:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20012"
},
{
"type": "WEB",
"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01322.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3RQ5-2G8H-59HC
Vulnerability from github – Published: 2024-04-11 15:30 – Updated: 2024-06-26 03:31eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "eventlet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.35.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "dnspython"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29483"
],
"database_specific": {
"cwe_ids": [
"CWE-696"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-12T21:25:53Z",
"nvd_published_at": "2024-04-11T14:15:12Z",
"severity": "MODERATE"
},
"details": "eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a \"TuDoor\" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.",
"id": "GHSA-3rq5-2g8h-59hc",
"modified": "2024-06-26T03:31:48Z",
"published": "2024-04-11T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29483"
},
{
"type": "WEB",
"url": "https://github.com/eventlet/eventlet/issues/913"
},
{
"type": "WEB",
"url": "https://github.com/rthalley/dnspython/issues/1045"
},
{
"type": "WEB",
"url": "https://github.com/eventlet/eventlet/commit/51e3c4928d4938beb576eff34f3bf97e6e64e6b4"
},
{
"type": "WEB",
"url": "https://github.com/rthalley/dnspython/commit/0ea5ad0a4583e1f519b9bcc67cfac381230d9cf2"
},
{
"type": "PACKAGE",
"url": "https://github.com/eventlet/eventlet"
},
{
"type": "WEB",
"url": "https://github.com/eventlet/eventlet/releases/tag/v0.35.2"
},
{
"type": "WEB",
"url": "https://github.com/rthalley/dnspython/releases/tag/v2.6.0"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240510-0001"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713"
},
{
"type": "WEB",
"url": "https://www.dnspython.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Potential DoS via the Tudoor mechanism in eventlet and dnspython"
}
GHSA-428Q-Q3VV-3FQ3
Vulnerability from github – Published: 2025-04-04 14:19 – Updated: 2025-08-29 21:08Original message:
I found an issue with security grants on on properties in the GraphQL ItemNormalizer:
If you use something like #[ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')] on a member of an entity, the grant gets cached and is only evaluated once, even if the object in question is a different one.
There is the ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164
and in its usage on line 90 it does indeed not create a cache key, but the parent::normalize() that is called afterwards still creates the cache key and causes the issue.
Impact
It grants access to properties that it should not.
Workarounds
Override the ItemNormalizer.
Patched at: https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-alpha.1"
},
{
"fixed": "4.0.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-alpha.1"
},
{
"fixed": "4.0.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/core"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0-alpha.1"
},
{
"fixed": "4.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "api-platform/graphql"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0-alpha.1"
},
{
"fixed": "4.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-31485"
],
"database_specific": {
"cwe_ids": [
"CWE-696"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-04T14:19:42Z",
"nvd_published_at": "2025-04-03T20:15:25Z",
"severity": "HIGH"
},
"details": "### Original message:\n\nI found an issue with security grants on on properties in the GraphQL ItemNormalizer:\n\nIf you use something like `#[ApiProperty(security: \u0027is_granted(\"PROPERTY_READ\", [object, property])\u0027)]` on a member of an entity, the grant gets cached and is only evaluated once, even if the `object` in question is a different one.\n\nThere is the `ApiPlatform\\GraphQl\\Serializer\\ItemNormalizer::isCacheKeySafe()` method that seems to be intended to prevent this: https://github.com/api-platform/core/blob/88f5ac50d20d6510686a7552310cc567fcca45bf/src/GraphQl/Serializer/ItemNormalizer.php#L160-L164 \nand in its usage on line 90 it does indeed not create a cache key, but the `parent::normalize()` that is called afterwards still creates the cache key and causes the issue.\n\n### Impact\n\nIt grants access to properties that it should not.\n\n### Workarounds\n\nOverride the ItemNormalizer.\n\nPatched at: https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8",
"id": "GHSA-428q-q3vv-3fq3",
"modified": "2025-08-29T21:08:09Z",
"published": "2025-04-04T14:19:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/api-platform/core/security/advisories/GHSA-428q-q3vv-3fq3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31485"
},
{
"type": "WEB",
"url": "https://github.com/api-platform/core/commit/7af65aad13037d7649348ee3dcd88e084ef771f8"
},
{
"type": "WEB",
"url": "https://github.com/api-platform/core/commit/cba3acfbd517763cf320167250c5bed6d569696a"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2025-31485.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/graphql/CVE-2025-31485.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/api-platform/core"
},
{
"type": "WEB",
"url": "https://github.com/api-platform/core/releases/tag/v3.4.17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "GraphQL grant on a property might be cached with different objects"
}
GHSA-4G73-W726-53H3
Vulnerability from github – Published: 2026-05-14 03:32 – Updated: 2026-06-08 20:07In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ironic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "36.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44919"
],
"database_specific": {
"cwe_ids": [
"CWE-696"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T20:15:08Z",
"nvd_published_at": "2026-05-14T02:17:21Z",
"severity": "MODERATE"
},
"details": "In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.",
"id": "GHSA-4g73-w726-53h3",
"modified": "2026-06-08T20:07:39Z",
"published": "2026-05-14T03:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44919"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ironic/+bug/2150332"
},
{
"type": "PACKAGE",
"url": "https://opendev.org/openstack/ironic"
},
{
"type": "WEB",
"url": "https://opendev.org/openstack/ironic/commit/a3f6d735ac3642ab95b49142c7305f072ae748d0"
},
{
"type": "WEB",
"url": "https://security.openstack.org/ossa/OSSA-2026-013.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenStack Ironic: Pre-Validation Checksum Calculation allows Denial of Service (DoS) via Infinite Block Devices"
}
GHSA-4V4G-726H-XVFV
Vulnerability from github – Published: 2021-04-19 14:59 – Updated: 2023-03-17 17:49Impact
AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).
Patches
A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are >=3.11.4.
Users should upgrade to ^3.11.4.
Credits
Thanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jose-node-esm-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29445"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208",
"CWE-696"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-16T23:00:41Z",
"nvd_published_at": "2021-04-16T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\n[AES_CBC_HMAC_SHA2 Algorithm](https://tools.ietf.org/html/rfc7518#section-5.2) (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when padding error would occur while decrypting the ciphertext makes a padding oracle and an adversary might be able to make use of that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block).\n\n### Patches\n\nA patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `\u003e=3.11.4`.\n\nUsers should upgrade to `^3.11.4`.\n\n### Credits\nThanks to Morgan Brown of Microsoft for bringing this up and Eva Sarafianou (@esarafianou) for helping to score this advisory.",
"id": "GHSA-4v4g-726h-xvfv",
"modified": "2023-03-17T17:49:46Z",
"published": "2021-04-19T14:59:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/panva/jose/security/advisories/GHSA-4v4g-726h-xvfv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29445"
},
{
"type": "PACKAGE",
"url": "https://github.com/panva/jose"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/jose-node-esm-runtime"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime"
}
No mitigation information available for this CWE.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.