Common Weakness Enumeration

CWE-703

Discouraged

Improper Check or Handling of Exceptional Conditions

Abstraction: Pillar · Status: Incomplete

The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.

210 vulnerabilities reference this CWE, most recent first.

GHSA-PQJ7-JX24-WJ7W

Vulnerability from github – Published: 2023-05-11 19:40 – Updated: 2023-05-11 19:40
VLAI
Summary
VTAdmin users that can create shards can deny access to other functions
Details

Impact

Users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using vtctldclient does not have the same problem because the CLI validates the input correctly.

Patches

v16.0.2, corresponding to 0.16.2 on pkg.go.dev

Workarounds

  • Always use vtctldclient to create shards, instead of using VTAdmin
  • Disable creating shards from VTAdmin using RBAC
  • Delete the topology record for the offending shard using the client for your topology server. For example, if you created a shard called a/b in keyspace commerce, and you are running etcd, it can be deleted by doing something like
% etcdctl --endpoints "http://${ETCD_SERVER}" del /vitess/global/keyspaces/commerce/shards/a/b/Shard

References

https://github.com/vitessio/vitess/issues/12842

Found during a security audit sponsored by the CNCF and facilitated by OSTIF.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "vitess.io/vitess"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.16.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-703"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-11T19:40:49Z",
    "nvd_published_at": "2023-05-11T20:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nUsers can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. \nAttempting to view the keyspace(s) will also no longer work.\nCreating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly.\n\n### Patches\nv16.0.2, corresponding to [0.16.2 on pkg.go.dev](https://pkg.go.dev/vitess.io/vitess@v0.16.2)\n\n### Workarounds\n- Always use `vtctldclient` to create shards, instead of using VTAdmin\n- Disable creating shards from VTAdmin using RBAC\n- Delete the topology record for the offending shard using the client for your topology server. For example, if you created a shard called `a/b` in keyspace `commerce`, and you are running etcd, it can be deleted by doing something like\n```\n% etcdctl --endpoints \"http://${ETCD_SERVER}\" del /vitess/global/keyspaces/commerce/shards/a/b/Shard\n```\n\n### References\nhttps://github.com/vitessio/vitess/issues/12842\n\nFound during a security audit sponsored by the [CNCF](https://cncf.io) and facilitated by [OSTIF](https://ostif.org).",
  "id": "GHSA-pqj7-jx24-wj7w",
  "modified": "2023-05-11T19:40:49Z",
  "published": "2023-05-11T19:40:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29195"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitessio/vitess/issues/12842"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitessio/vitess/pull/12843"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vitessio/vitess"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vitessio/vitess/releases/tag/v16.0.2"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vitess.io/vitess@v0.16.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "VTAdmin users that can create shards can deny access to other functions"
}

GHSA-PVGQ-2PR4-WXJ6

Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-02-11 18:31
VLAI
Details

chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. This allows remote unauthenticated attackers to access protected pages.customer database.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-70758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-703"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-03T18:16:18Z",
    "severity": "HIGH"
  },
  "details": "chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. This allows remote unauthenticated attackers to access protected pages.customer database.",
  "id": "GHSA-pvgq-2pr4-wxj6",
  "modified": "2026-02-11T18:31:25Z",
  "published": "2026-02-03T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/XavLimSG/Vulnerability-Research/tree/main/CVE-2025-70758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chetans9/core-php-admin-panel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chetans9/core-php-admin-panel/blob/master/includes/auth_validate.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVXC-5V6M-8CM2

Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-19 21:31
VLAI
Details

Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-703"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T16:15:38Z",
    "severity": "HIGH"
  },
  "details": "Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox \u003c 145 and Firefox ESR \u003c 140.5.",
  "id": "GHSA-pvxc-5v6m-8cm2",
  "modified": "2025-11-19T21:31:17Z",
  "published": "2025-11-11T18:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13016"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992130"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-87"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-88"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-90"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-91"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX74-PRRR-J3JP

Vulnerability from github – Published: 2023-07-14 18:31 – Updated: 2024-04-04 06:08
VLAI
Details

An Improper Check or Handling of Exceptional Conditions vulnerability in the Layer-2 control protocols daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS).

When a malformed LLDP packet is received, l2cpd will crash and restart. The impact of the l2cpd crash is reinitialization of STP protocols (RSTP, MSTP or VSTP), and MVRP and ERP. Also, if any services depend on LLDP state (like PoE or VoIP device recognition), then these will also be affected. Continued receipt of such packets will lead to a sustained Denial of Service.

This issue affects: Juniper Networks Junos OS 21.4 versions prior to 21.4R3-S3; 22.1 versions prior to 22.1R3-S3; 22.2 versions prior to 22.2R2-S1, 22.2R3; 22.3 versions prior to 22.3R2.

Juniper Networks Junos OS Evolved 21.4-EVO versions prior to 21.4R3-S2-EVO; 22.1-EVO versions prior to 22.1R3-S3-EVO; 22.2-EVO versions prior to 22.2R2-S1-EVO, 22.2R3-EVO; 22.3-EVO versions prior to 22.3R2-EVO.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-703"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-14T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "An Improper Check or Handling of Exceptional Conditions vulnerability in the Layer-2 control protocols daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS).\n\nWhen a malformed LLDP packet is received, l2cpd will crash and restart. The impact of the l2cpd crash is reinitialization of STP protocols (RSTP, MSTP or VSTP), and MVRP and ERP. Also, if any services depend on LLDP state (like PoE or VoIP device recognition), then these will also be affected. Continued receipt of such packets will lead to a sustained Denial of Service.\n\nThis issue affects:\nJuniper Networks Junos OS\n21.4 versions prior to 21.4R3-S3;\n22.1 versions prior to 22.1R3-S3;\n22.2 versions prior to 22.2R2-S1, 22.2R3;\n22.3 versions prior to 22.3R2.\n\nJuniper Networks Junos OS Evolved\n21.4-EVO versions prior to 21.4R3-S2-EVO;\n22.1-EVO versions prior to 22.1R3-S3-EVO;\n22.2-EVO versions prior to 22.2R2-S1-EVO, 22.2R3-EVO;\n22.3-EVO versions prior to 22.3R2-EVO.\n",
  "id": "GHSA-px74-prrr-j3jp",
  "modified": "2024-04-04T06:08:53Z",
  "published": "2023-07-14T18:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36849"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA71660"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q7G2-V5XX-CMXX

Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2023-03-30 15:30
VLAI
Details

In updateInputChannel of WindowManagerService.java, there is a possible way to set a touchable region beyond its own SurfaceControl due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-254681548

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-703"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-24T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In updateInputChannel of WindowManagerService.java, there is a possible way to set a touchable region beyond its own SurfaceControl due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-254681548",
  "id": "GHSA-q7g2-v5xx-cmxx",
  "modified": "2023-03-30T15:30:20Z",
  "published": "2023-03-24T21:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21026"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2023-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QFC7-WQHW-2Q8R

Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2026-01-23 21:30
VLAI
Details

Under undisclosed traffic conditions along with conditions beyond the attacker's control, hardware systems with a High-Speed Bridge (HSB) may experience a lockup of the HSB.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-58153"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-667",
      "CWE-703"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T14:15:52Z",
    "severity": "HIGH"
  },
  "details": "Under undisclosed traffic conditions along with conditions beyond the attacker\u0027s control, hardware systems with a High-Speed Bridge (HSB) may experience a lockup of the HSB.\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-qfc7-wqhw-2q8r",
  "modified": "2026-01-23T21:30:39Z",
  "published": "2025-10-15T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58153"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000151658"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QJH3-4J3H-VMWP

Vulnerability from github – Published: 2025-01-13 16:13 – Updated: 2025-01-14 21:07
VLAI
Summary
notation-go has an OS error when setting CRL cache leads to denial of signature verification
Details

Summary

The issue was identified during Quarkslab's security audit on the Certificate Revocation List (CRL) based revocation check feature. After retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination.

Details

In method crl.(*FileCache).Set, a temporary file is created in the OS dedicated area (like /tmp for, usually, Linux/Unix). The file is written and then it is tried to move it to the dedicated notation cache directory thanks os.Rename. As specified in Go documentation, OS specific restriction may apply. When used with Linux OS, it is relying on rename syscall from the libc and as per the documentation, moving a file to a different mountpoint raises an EXDEV error, interpreted as Cross device link not permitted error. Some Linux distribution, like RedHat use a dedicated filesystem (tmpfs), mounted on a specific mountpoint (usually /tmp) for temporary files. When using such OS, revocation check based on CRL will repeatedly crash notation.

PoC

  1. Ensure that the temporary file storage area (e.g., /tmp) is mounted on a different mount point than the user's 'notation' cache directory.
  2. Either disable the Online Certificate Status Protocol (OCSP) revocation check, or utilize certificates that exclusively support Certificate Revocation Lists (CRLs) for revocation check.
  3. Try to verify a previously generated signature using the 'notation' tool.

Impact

The signature verification process is aborted as process crashes.

Remediation

The cache file should be created, written, then copied to the wanted final location, and finally removed. Additionally, this error shouldn't lead to a crash as it is not fatal and shouldn't prevent the rest of the program to properly continue

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/notaryproject/notation-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0-rc.1"
            },
            {
              "fixed": "1.3.0-rc.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.3.0-rc.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-703"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-13T16:13:59Z",
    "nvd_published_at": "2025-01-13T22:15:13Z",
    "severity": "LOW"
  },
  "details": "### Summary\nThe issue was identified during Quarkslab\u0027s security audit on the Certificate Revocation List (CRL) based revocation check feature.\nAfter retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination.\n\n### Details\n\nIn method `crl.(*FileCache).Set`, a temporary file is created in the OS dedicated area (like /tmp for, usually, Linux/Unix). The file is written and then it is tried to move it to the dedicated `notation` cache directory thanks `os.Rename`. As specified in Go documentation, OS specific restriction may apply. When used with Linux OS, it is relying on `rename` syscall from the libc and as per the [documentation](https://man7.org/linux/man-pages/man2/rename.2.html), moving a file to a different mountpoint raises an `EXDEV` error, interpreted as `Cross device link not permitted error`.\nSome Linux distribution, like `RedHat` use a dedicated filesystem (`tmpfs`), mounted on a specific mountpoint (usually `/tmp`) for temporary files. When using such OS, revocation check based on CRL will repeatedly crash `notation`. \n\n### PoC\n1. Ensure that the temporary file storage area (e.g., /tmp) is mounted on a different mount point than the user\u0027s \u0027notation\u0027 cache directory.\n2. Either disable the Online Certificate Status Protocol (OCSP) revocation check, or utilize certificates that exclusively support Certificate Revocation Lists (CRLs) for revocation check.\n3. Try to verify a previously generated signature using the \u0027notation\u0027 tool.\n\n### Impact\nThe signature verification process is aborted as process crashes.\n\n### Remediation\nThe cache file should be created, written, then copied to the wanted final location, and finally removed. Additionally, this error shouldn\u0027t lead to a crash as it is not fatal and shouldn\u0027t prevent the rest of the program to properly continue\n",
  "id": "GHSA-qjh3-4j3h-vmwp",
  "modified": "2025-01-14T21:07:52Z",
  "published": "2025-01-13T16:13:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-qjh3-4j3h-vmwp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51491"
    },
    {
      "type": "WEB",
      "url": "https://github.com/notaryproject/notation-go/commit/3c3302258ad510fbca2f8a73731569d91f07d196"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/notaryproject/notation-go"
    },
    {
      "type": "WEB",
      "url": "https://man7.org/linux/man-pages/man2/rename.2.html"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3382"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "notation-go has an OS error when setting CRL cache leads to denial of signature verification"
}

GHSA-QM62-5PC4-C833

Vulnerability from github – Published: 2022-10-14 19:00 – Updated: 2025-05-14 18:30
VLAI
Details

The DFX unwind stack module of the ArkCompiler has a vulnerability in interface calling.Successful exploitation of this vulnerability affects system services and device availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41589"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-703"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-14T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "The DFX unwind stack module of the ArkCompiler has a vulnerability in interface calling.Successful exploitation of this vulnerability affects system services and device availability.",
  "id": "GHSA-qm62-5pc4-c833",
  "modified": "2025-05-14T18:30:34Z",
  "published": "2022-10-14T19:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41589"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/10"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202210-0000001416095697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QVJG-564F-22C8

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2025-10-22 00:32
VLAI
Details

An improper boundary check in DSP driver prior to SMR Mar-2021 Release 1 allows out of bounds memory access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25372"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-703",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-26T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An improper boundary check in DSP driver prior to SMR Mar-2021 Release 1 allows out of bounds memory access.",
  "id": "GHSA-qvjg-564f-22c8",
  "modified": "2025-10-22T00:32:05Z",
  "published": "2022-05-24T17:45:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25372"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R344-XW3P-2FRJ

Vulnerability from github – Published: 2023-10-19 16:08 – Updated: 2023-10-19 16:08
VLAI
Summary
Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions
Details

Impact

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the @defer or Subscriptions, the Router will panic.

To be vulnerable, users of Router must have a coprocessor with coprocessor.supergraph.response configured in their router.yaml and also to support either @defer or Subscriptions.

Patches

Router version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue.

Workarounds

For affected versions, avoid using the coprocessor supergraph response:

# do not use this stage in your coprocessor configuration
coprocessor:
  supergraph:
    response:

Or you can disable defer and subscriptions support:

# disable defer and subscriptions:
supergraph:
  defer_support: false # enabled by default
subscription:
  enabled: false # disabled by default

and continue to use the coprocessor supergraph response.

References

https://github.com/apollographql/router/issues/4013

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "apollo-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.31.0"
            },
            {
              "fixed": "1.33.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-45812"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-703",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-19T16:08:10Z",
    "nvd_published_at": "2023-10-18T22:15:09Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThe Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic.\n \nTo be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions.  \n\n### Patches\nRouter version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue.  \n\n### Workarounds\nFor affected versions, avoid using the coprocessor supergraph response:\n```yml\n# do not use this stage in your coprocessor configuration\ncoprocessor:\n  supergraph:\n    response:\n``` \n\nOr you can disable defer and subscriptions support:\n```yml\n# disable defer and subscriptions:\nsupergraph:\n  defer_support: false # enabled by default\nsubscription:\n  enabled: false # disabled by default\n```\nand continue to use the coprocessor supergraph response.\n### References\nhttps://github.com/apollographql/router/issues/4013\n",
  "id": "GHSA-r344-xw3p-2frj",
  "modified": "2023-10-19T16:08:10Z",
  "published": "2023-10-19T16:08:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45812"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/issues/4013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/pull/4014"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/commit/b917b8c117b46a2d508428c0856f4927dfcfc341"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apollographql/router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.