Common Weakness Enumeration

CWE-696

Allowed-with-Review

Incorrect Behavior Order

Abstraction: Class · Status: Incomplete

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways that may produce resultant weaknesses.

70 vulnerabilities reference this CWE, most recent first.

GHSA-9CCR-R5HG-74GF

Vulnerability from github – Published: 2026-05-11 16:16 – Updated: 2026-06-09 10:56
VLAI
Summary
GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor
Details

Summary

A security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval.

Details

Git supports bare repositories — repositories without a working tree — which can be discovered automatically when git traverses the directory hierarchy looking for a .git directory. When git discovers a bare repository, it reads and applies its configuration, including keys that specify external commands to execute.

The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse.

Attack Scenario

An attacker can exploit this by:

  1. Creating a bare git repository nested inside a seemingly normal project directory (e.g., vendor/malicious.git/ or a deeply nested subdirectory)
  2. Configuring core.fsmonitor (or similar keys) in that bare repository to execute a malicious command
  3. When GitHub Copilot CLI performs any git operation that traverses into or through that directory, git auto-discovers the bare repository, reads its config, and executes the attacker's command

This can occur when: - The agent navigates into a subdirectory containing the buried bare repo - The agent runs git status, git diff, or other routine git commands - The agent uses tools like grep or glob that may trigger git operations in subdirectories

Prior to the fix, the CLI had no protection against git auto-discovering bare repositories during directory traversal.

Impact

An attacker who can place a malicious bare repository inside a project — for example, through: - A pull request adding a directory that contains a bare repository - A compromised or malicious dependency that includes a bare repository - A cloned repository that already contains nested bare repositories

— could achieve arbitrary code execution on the user's workstation whenever GitHub Copilot CLI performs git operations in or near the malicious directory.

Successful exploitation could lead to data exfiltration, credential theft, file modification, or further system compromise.

Affected Versions

  • GitHub Copilot CLI versions prior to 1.0.42

Remediation and Mitigation

Fix

The fix sets safe.bareRepository=explicit via git's GIT_CONFIG_COUNT / GIT_CONFIG_KEY_* / GIT_CONFIG_VALUE_* environment variable mechanism, which has the highest precedence over all config file sources. This prevents git from automatically discovering and using bare repositories during directory traversal — only explicitly allowlisted bare repositories will be used.

User Actions

  1. Upgrade GitHub Copilot CLI to 1.0.43 or later.
  2. Exercise caution when working in repositories that contain nested bare git repositories.
  3. Review project directories for unexpected bare repositories, especially in vendor/, third_party/, or deeply nested subdirectories.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.42"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@github/copilot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.43"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:16:06Z",
    "nvd_published_at": "2026-05-13T16:17:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git\u0027s automatic bare repository discovery during directory traversal, an attacker can set `core.fsmonitor` or other executable config keys to run arbitrary commands without user awareness or approval.\n\n## Details\n\nGit supports bare repositories \u2014 repositories without a working tree \u2014 which can be discovered automatically when git traverses the directory hierarchy looking for a `.git` directory. When git discovers a bare repository, it reads and applies its configuration, including keys that specify external commands to execute.\n\nThe vulnerability arises because git\u0027s `core.fsmonitor` config key (and 15+ similar keys such as `core.hookspath`, `diff.external`, `merge.tool`, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like `status`, `diff`, or `rev-parse`.\n\n### Attack Scenario\n\nAn attacker can exploit this by:\n\n1. Creating a bare git repository nested inside a seemingly normal project directory (e.g., `vendor/malicious.git/` or a deeply nested subdirectory)\n2. Configuring `core.fsmonitor` (or similar keys) in that bare repository to execute a malicious command\n3. When GitHub Copilot CLI performs any git operation that traverses into or through that directory, git auto-discovers the bare repository, reads its config, and executes the attacker\u0027s command\n\nThis can occur when:\n- The agent navigates into a subdirectory containing the buried bare repo\n- The agent runs `git status`, `git diff`, or other routine git commands\n- The agent uses tools like `grep` or `glob` that may trigger git operations in subdirectories\n\nPrior to the fix, the CLI had no protection against git auto-discovering bare repositories during directory traversal.\n\n## Impact\n\nAn attacker who can place a malicious bare repository inside a project \u2014 for example, through:\n- A pull request adding a directory that contains a bare repository\n- A compromised or malicious dependency that includes a bare repository\n- A cloned repository that already contains nested bare repositories\n\n\u2014 could achieve arbitrary code execution on the user\u0027s workstation whenever GitHub Copilot CLI performs git operations in or near the malicious directory.\n\nSuccessful exploitation could lead to data exfiltration, credential theft, file modification, or further system compromise.\n\n## Affected Versions\n\n- GitHub Copilot CLI versions prior to 1.0.42\n\n## Remediation and Mitigation\n\n### Fix\n\nThe fix sets `safe.bareRepository=explicit` via git\u0027s `GIT_CONFIG_COUNT` / `GIT_CONFIG_KEY_*` / `GIT_CONFIG_VALUE_*` environment variable mechanism, which has the highest precedence over all config file sources. This prevents git from automatically discovering and using bare repositories during directory traversal \u2014 only explicitly allowlisted bare repositories will be used.\n\n### User Actions\n\n1. **Upgrade** GitHub Copilot CLI to **1.0.43** or later.\n2. **Exercise caution** when working in repositories that contain nested bare git repositories.\n3. **Review** project directories for unexpected bare repositories, especially in `vendor/`, `third_party/`, or deeply nested subdirectories.",
  "id": "GHSA-9ccr-r5hg-74gf",
  "modified": "2026-06-09T10:56:45Z",
  "published": "2026-05-11T16:16:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45033"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/github/copilot-cli"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor"
}

GHSA-9W5M-FV42-36CX

Vulnerability from github – Published: 2025-09-16 15:32 – Updated: 2025-09-16 15:32
VLAI
Details

The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T13:16:07Z",
    "severity": "MODERATE"
  },
  "details": "The improper order of AUTHORIZED_CTM_IP validation in the Control-M/Agent, where the Control-M/Server IP address is validated only after the SSL/TLS handshake is completed, exposes the Control-M/Agent to vulnerabilities in the SSL/TLS implementation under certain non-default conditions (e.g. CVE-2025-55117 or CVE-2025-55118) or potentially to resource exhaustion.",
  "id": "GHSA-9w5m-fv42-36cx",
  "modified": "2025-09-16T15:32:36Z",
  "published": "2025-09-16T15:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55114"
    },
    {
      "type": "WEB",
      "url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000441968"
    },
    {
      "type": "WEB",
      "url": "https://bmcapps.my.site.com/casemgmt/sc_KnowledgeArticle?sfdcid=000442099"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CVP8-HM87-HR8X

Vulnerability from github – Published: 2024-09-05 21:31 – Updated: 2024-09-12 18:31
VLAI
Details

An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-05T19:15:12Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.",
  "id": "GHSA-cvp8-hm87-hr8x",
  "modified": "2024-09-12T18:31:41Z",
  "published": "2024-09-05T21:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45157"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Mbed-TLS/mbedtls/releases"
    },
    {
      "type": "WEB",
      "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FGCQ-9C7C-C4JV

Vulnerability from github – Published: 2025-03-11 18:32 – Updated: 2025-03-11 18:32
VLAI
Details

Incorrect behavior order in some Zoom Workplace Apps for iOS before version 6.3.0 may allow an authenticated user to conduct a denial of service via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-11T18:15:29Z",
    "severity": "HIGH"
  },
  "details": "Incorrect behavior order in some Zoom Workplace Apps for iOS before version 6.3.0 may allow an authenticated user to conduct a denial of service via network access.",
  "id": "GHSA-fgcq-9c7c-c4jv",
  "modified": "2025-03-11T18:32:19Z",
  "published": "2025-03-11T18:32:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0150"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25009"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJGV-863Q-H54R

Vulnerability from github – Published: 2025-06-23 21:31 – Updated: 2025-06-23 21:31
VLAI
Details

In WhiteBeam 0.2.0 through 0.2.1 before 0.2.2, a user with local access to a server can bypass the allow-list functionality because a file can be truncated in the OpenFileDescriptor action before the VerifyCanWrite action is performed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-23T20:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In WhiteBeam 0.2.0 through 0.2.1 before 0.2.2, a user with local access to a server can bypass the allow-list functionality because a file can be truncated in the OpenFileDescriptor action before the VerifyCanWrite action is performed.",
  "id": "GHSA-fjgv-863q-h54r",
  "modified": "2025-06-23T21:31:56Z",
  "published": "2025-06-23T21:31:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WhiteBeamSec/WhiteBeam/security/advisories/GHSA-3f8r-9483-pfxj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47688"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WhiteBeamSec/WhiteBeam/pull/22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WhiteBeamSec/WhiteBeam/security/policy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJH6-P566-WR6Q

Vulnerability from github – Published: 2022-07-21 22:35 – Updated: 2022-07-21 22:35
VLAI
Summary
skylot jadx affected by Incorrect Behavior Order in vulnerable dependency
Details

Impact

Vulnerable library protobuf-java 3.11.4 (CVE-2021-22569)

Patches

Dependency updated in jadx 1.4.3

References

According to the AquaSecurity report: 05F1C52A666E4FCC844ABD085BD55124

Also, Maven repository have links to this and other vulnerabilities from dependencies: https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java/3.11.4

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.4.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.skylot:jadx-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-21T22:35:12Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nVulnerable library protobuf-java 3.11.4 (CVE-2021-22569)\n\n### Patches\nDependency updated in jadx 1.4.3\n\n### References\nAccording to the AquaSecurity report:\n![05F1C52A666E4FCC844ABD085BD55124](https://user-images.githubusercontent.com/118523/177364939-087e2144-9a8a-4594-ae90-eb2acb0a2036.png)\n\nAlso, Maven repository have links to this and other vulnerabilities from dependencies:\nhttps://mvnrepository.com/artifact/com.google.protobuf/protobuf-java/3.11.4",
  "id": "GHSA-fjh6-p566-wr6q",
  "modified": "2022-07-21T22:35:12Z",
  "published": "2022-07-21T22:35:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/skylot/jadx/security/advisories/GHSA-fjh6-p566-wr6q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/skylot/jadx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skylot/jadx/releases/tag/v1.4.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "skylot jadx affected by Incorrect Behavior Order in vulnerable dependency"
}

GHSA-G7V6-X8XJ-FVJM

Vulnerability from github – Published: 2026-06-20 21:31 – Updated: 2026-06-20 21:31
VLAI
Details

GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-20T21:16:54Z",
    "severity": "LOW"
  },
  "details": "GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization.",
  "id": "GHSA-g7v6-x8xj-fvjm",
  "modified": "2026-06-20T21:31:24Z",
  "published": "2026-06-20T21:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56355"
    },
    {
      "type": "WEB",
      "url": "https://cgit.git.savannah.gnu.org/cgit/administration/savane.git/tree/frontend/php/file.php?h=release-3.17#n113"
    },
    {
      "type": "WEB",
      "url": "https://cgit.git.savannah.gnu.org/cgit/administration/savane.git/tree/frontend/php/file.php?h=release-3.17#n123"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=48605220"
    },
    {
      "type": "WEB",
      "url": "https://www.fsf.org/news/statement-regarding-gnu-savannah-security-reports"
    },
    {
      "type": "WEB",
      "url": "https://www.hacktron.ai"
    },
    {
      "type": "WEB",
      "url": "https://www.mallory.ai/stories/019ee445-bdd4-7775-93b5-a8faaf5c2eb7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HC77-37FQ-X324

Vulnerability from github – Published: 2026-04-18 09:30 – Updated: 2026-05-07 18:30
VLAI
Details

Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-696"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-18T07:16:10Z",
    "severity": "MODERATE"
  },
  "details": "Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.",
  "id": "GHSA-hc77-37fq-x324",
  "modified": "2026-05-07T18:30:33Z",
  "published": "2026-04-18T09:30:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mm2/Little-CMS/security/advisories/GHSA-4xp6-rcgg-m9qq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41254"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc"
    },
    {
      "type": "WEB",
      "url": "https://abhinavagarwal07.github.io/posts/lcms2-cubesize-overflow"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00014.html"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/04/17/16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HV8V-H5Q2-GMV5

Vulnerability from github – Published: 2025-09-29 03:30 – Updated: 2025-09-29 03:30
VLAI
Details

Unallocated memory access vulnerability in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer Driver / Generic Plus PS Printer Driver

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T01:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Unallocated memory access vulnerability in print processing of Generic Plus PCL6 Printer Driver / Generic Plus UFR II Printer Driver / Generic Plus LIPS4 Printer Driver / Generic Plus LIPSLX Printer Driver / Generic Plus PS Printer Driver",
  "id": "GHSA-hv8v-h5q2-gmv5",
  "modified": "2025-09-29T03:30:20Z",
  "published": "2025-09-29T03:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9904"
    },
    {
      "type": "WEB",
      "url": "https://canon.jp/support/support-info/250925vulnerability-response"
    },
    {
      "type": "WEB",
      "url": "https://psirt.canon/advisory-information/cp2025-005"
    },
    {
      "type": "WEB",
      "url": "https://www.canon-europe.com/support/product-security"
    },
    {
      "type": "WEB",
      "url": "https://www.usa.canon.com/about-us/to-our-customers/cp2025-005-vulnerabilities-remediation-for-certain-printer-drivers-for-production-printers-office-small-office-multifunction-printers-laser-printers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J496-CRGH-34MX

Vulnerability from github – Published: 2024-04-05 17:16 – Updated: 2024-04-05 17:16
VLAI
Summary
ibc-go: Potential Reentrancy using Timeout Callbacks in ibc-hooks
Details

Name: ASA-2024-007: Potential Reentrancy using Timeout Callbacks in ibc-hooks Component: ibc-go Criticality: Critical (ACMv1: I:Critical; L:AlmostCertain) Affected versions: < v4.6.0, < v5.4.0, < v6.3.0, < v7.4.0, < v8.2.0 Affected users: Chain Builders + Maintainers

Summary

Through the deployment and subsequent use of a malicious CosmWasm contract via IBC interactions, an attacker could potentially execute the same MsgTimeout inside the IBC hook for the OnTimeout callback before the packet commitment is deleted. On chains where ibc-hooks wraps ICS-20, this vulnerability may allow for the logic of the OnTimeout callback of the transfer application to be recursively executed, leading to a condition that may present the opportunity for the loss of funds from the escrow account or unexpected minting of tokens.

Affected Configurations

Chains which satisfy all of the following requirements are considered to be impacted by this vulnerability: * Chain is IBC-enabled and uses a vulnerable version of ibc-go * Chain is CosmWasm-enabled and allows code uploads for wasm contracts by anyone, or by authorized parties (to a lesser extent) * Chain utilizes the ibc-hooks middleware and wraps ICS-20 transfer application

Next Steps for Impacted Chain Builders and Maintainers

It is advised to immediately upgrade to the latest patch fix version of ibc-go for your chain. If you have already applied a soft-patch through private coordination, we recommend additionally updating to the latest ibc-go version via normal software upgrade governance.

If you have not upgraded your chain yet, and you desire to mitigate exposure to this vulnerability in the meantime, it is advisable to limit code uploading for contracts to trusted parties on your chain.

If your chain only allows permissioned, access-controlled contract uploads, it is still strongly recommended to update to the latest patched ibc-go version for your chain per your normal software upgrade process.

Preparing for future coordination

If your chain would like to be included in future coordination efforts, please ensure your chain has a prominently displayed or otherwise easily available up-to-date email address for technical security contact available. A security.md file in the root of your projects’ code repository should contain this information. Additionally, please test this security contact with an unaffiliated email to ensure it works as expected and can receive emails from outside of your domain.

To ensure that your chain is included in future impact assessments, please keep your chain information up to date in the Cosmos Chain Registry with code location, network name, and public RPC and API endpoints in the details.

We recommend that all chains configure and practice the use of the Circuit Breaker module in the Cosmos SDK, as future vulnerability notifications may require the use of this mechanism as a mitigation against exploitation.

Recognition

This issue was reported to the Cosmos Bug Bounty Program on HackerOne on 3/26/24 by Maxwell Dulin (Strikeout) at Asymmetric Research. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

Notes

Due to the critical nature of this issue, both the ibc-go team and Amulet independently performed impact assessments for the ecosystem, which informed a risk-driven private patching effort that preceded this public release. This private patching effort significantly reduced the exposure of the ecosystem to this vulnerability. We appreciate the diligence and professionalism of all chains and validators involved with this effort – your ability to move quickly while maintaining confidentiality was instrumental in protecting the wider Interchain Ecosystem.

If you ever have questions about security coordination efforts, public or private, please reach out to our official communication channel at security@interchain.io.

For more information about ibc-go, please see https://ibc.cosmos.network/main.

For more information about the Interchain Foundation’s engagement with Amulet, please see https://github.com/interchainio/security.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 4.6.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 4.6.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 4.6.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-05T17:16:01Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "**Name**: ASA-2024-007: Potential Reentrancy using Timeout Callbacks in ibc-hooks\n**Component**: ibc-go\n**Criticality**: Critical ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Critical; L:AlmostCertain)\n**Affected versions**: \u003c v4.6.0, \u003c v5.4.0, \u003c v6.3.0, \u003c v7.4.0, \u003c v8.2.0\n**Affected users**: Chain Builders + Maintainers\n\n# Summary\n\nThrough the deployment and subsequent use of a malicious CosmWasm contract via IBC interactions, an attacker could potentially execute the same `MsgTimeout` inside the IBC hook for the `OnTimeout` callback before the packet commitment is deleted. On chains where ibc-hooks wraps ICS-20, this vulnerability may allow for the logic of the `OnTimeout` callback of the transfer application to be recursively executed, leading to a condition that may present the opportunity for the loss of funds from the escrow account or unexpected minting of tokens.\n\n# Affected Configurations\n\nChains which satisfy all of the following requirements are considered to be impacted by this vulnerability:\n* Chain is IBC-enabled and uses a vulnerable version of ibc-go\n* Chain is CosmWasm-enabled and allows code uploads for wasm contracts by anyone, or by authorized parties (to a lesser extent)\n* Chain utilizes the ibc-hooks middleware and wraps ICS-20 transfer application\n\n# Next Steps for Impacted Chain Builders and Maintainers\n\nIt is advised to immediately upgrade to the latest patch fix version of ibc-go for your chain. If you have already applied a soft-patch through private coordination, we recommend additionally updating to the latest ibc-go version via normal software upgrade governance.\n\nIf you have not upgraded your chain yet, and you desire to mitigate exposure to this vulnerability in the meantime, it is advisable to limit code uploading for contracts to trusted parties on your chain.\n\n**If your chain only allows permissioned, access-controlled contract uploads, it is still strongly recommended to update to the latest patched ibc-go version for your chain per your normal software upgrade process.**\n\n# Preparing for future coordination\n\nIf your chain would like to be included in future coordination efforts, please ensure your chain has a prominently displayed or otherwise easily available up-to-date email address for technical security contact available. A security.md file in the root of your projects\u2019 code repository should contain this information. Additionally, please test this security contact with an unaffiliated email to ensure it works as expected and can receive emails from outside of your domain.\n\nTo ensure that your chain is included in future impact assessments, please keep your chain information up to date in the [Cosmos Chain Registry](https://github.com/cosmos/chain-registry) with code location, network name, and public RPC and API endpoints in the details.\n\nWe recommend that all chains configure and practice the use of the [Circuit Breaker module](https://docs.cosmos.network/main/build/modules/circuit) in the Cosmos SDK, as future vulnerability notifications may require the use of this mechanism as a mitigation against exploitation.\n\n# Recognition\n\nThis issue was reported to the Cosmos Bug Bounty Program on HackerOne on 3/26/24 by Maxwell Dulin (Strikeout) at [Asymmetric Research](https://www.asymmetric.re/). If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\n# Notes\n\nDue to the critical nature of this issue, both the ibc-go team and Amulet independently performed impact assessments for the ecosystem, which informed a risk-driven private patching effort that preceded this public release. This private patching effort significantly reduced the exposure of the ecosystem to this vulnerability. We appreciate the diligence and professionalism of all chains and validators involved with this effort \u2013 your ability to move quickly while maintaining confidentiality was instrumental in protecting the wider Interchain Ecosystem. \n\nIf you ever have questions about security coordination efforts, public or private, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io).\n\nFor more information about ibc-go, please see https://ibc.cosmos.network/main.\n\nFor more information about the Interchain Foundation\u2019s engagement with Amulet, please see https://github.com/interchainio/security.\n\n",
  "id": "GHSA-j496-crgh-34mx",
  "modified": "2024-04-05T17:16:01Z",
  "published": "2024-04-05T17:16:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/ibc-go/security/advisories/GHSA-j496-crgh-34mx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/ibc-go/commit/04275aa77644dec97fb91b749d963c992591b7f7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/ibc-go/commit/278fa89f192af04af32d82fd5ef41f84f82edd97"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/ibc-go/commit/5e2e9ebc2f67df324028dd36a1837ffcc8e6b0dd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/ibc-go/commit/a0185df3953070ba5ebcb66735925449d1dbe729"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/ibc-go/commit/e78b3a2b9c9ce80a67d6b1c2b7f9abcb225cc219"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cosmos/ibc-go"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ibc-go: Potential Reentrancy using Timeout Callbacks in ibc-hooks"
}

No mitigation information available for this CWE.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.