Common Weakness Enumeration

CWE-704

Allowed-with-Review

Incorrect Type Conversion or Cast

Abstraction: Class · Status: Incomplete

The product does not correctly convert an object, resource, or structure from one type to a different type.

334 vulnerabilities reference this CWE, most recent first.

GHSA-HQFV-PV9J-G44P

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the pageSpan method of XFA Layout objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5029.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704",
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-20T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the pageSpan method of XFA Layout objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5029.",
  "id": "GHSA-hqfv-pv9j-g44p",
  "modified": "2022-05-13T01:37:35Z",
  "published": "2022-05-13T01:37:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14837"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-17-881"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HV4G-MMV9-QWRP

Vulnerability from github – Published: 2023-04-13 09:30 – Updated: 2024-04-04 03:26
VLAI
Details

Memory corruption due to incorrect type conversion or cast in audio while using audio playback/capture when crafted address is sent from AGM IPC to AGM.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-13T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption due to incorrect type conversion or cast in audio while using audio playback/capture when crafted address is sent from AGM IPC to AGM.",
  "id": "GHSA-hv4g-mmv9-qwrp",
  "modified": "2024-04-04T03:26:10Z",
  "published": "2023-04-13T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33301"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/april-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J32J-2HXV-RQF7

Vulnerability from github – Published: 2022-06-18 00:00 – Updated: 2023-10-19 18:45
VLAI
Summary
pg-native and libpq vulnerable to uncontrolled resource consumption
Details

pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. Note: pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.9"
      },
      "package": {
        "ecosystem": "npm",
        "name": "libpq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "pg-native"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-704"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-20T22:28:59Z",
    "nvd_published_at": "2022-06-17T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. **Note:** pg-native is a mere binding to npm\u0027s libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm\u0027s libpq.",
  "id": "GHSA-j32j-2hxv-rqf7",
  "modified": "2023-10-19T18:45:44Z",
  "published": "2022-06-18T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25852"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brianc/node-libpq/issues/84"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brianc/node-libpq/pull/86"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-LIBPQ-2392366"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-PGNATIVE-2392365"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pg-native and libpq vulnerable to uncontrolled resource consumption"
}

GHSA-J3HQ-436J-W545

Vulnerability from github – Published: 2022-05-14 01:07 – Updated: 2022-05-14 01:07
VLAI
Details

drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-17T20:29:00Z",
    "severity": "LOW"
  },
  "details": "drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ.",
  "id": "GHSA-j3hq-436j-w545",
  "modified": "2022-05-14T01:07:17Z",
  "published": "2022-05-14T01:07:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18386"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/966031f340185eddd05affcf72b740549f056348"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0831"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1094825"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.11"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3849-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3849-2"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=966031f340185eddd05affcf72b740549f056348"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J3MQ-6VQF-JM43

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the setFocus method of XFAScriptObject objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5022.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704",
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-20T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 8.3.1.21155. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the setFocus method of XFAScriptObject objects. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this to execute code in the context of the current process. Was ZDI-CAN-5022.",
  "id": "GHSA-j3mq-6vqf-jm43",
  "modified": "2022-05-13T01:37:35Z",
  "published": "2022-05-13T01:37:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14830"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-17-874"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J5XF-XFVF-PJW6

Vulnerability from github – Published: 2022-05-14 03:16 – Updated: 2022-05-14 03:16
VLAI
Details

Adobe Flash Player versions 28.0.0.161 and earlier have an exploitable type confusion vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4920"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704",
      "CWE-843"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-19T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Adobe Flash Player versions 28.0.0.161 and earlier have an exploitable type confusion vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.",
  "id": "GHSA-j5xf-xfvf-pjw6",
  "modified": "2022-05-14T03:16:14Z",
  "published": "2022-05-14T03:16:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4920"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0520"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/flash-player/apsb18-05.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103383"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040509"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8CP-GRG7-WC8R

Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF documents. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5586.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-17T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF documents. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-5586.",
  "id": "GHSA-j8cp-grg7-wc8r",
  "modified": "2022-05-13T01:35:02Z",
  "published": "2022-05-13T01:35:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10495"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-18-405"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8F5-P7W2-6843

Vulnerability from github – Published: 2022-05-14 01:44 – Updated: 2022-05-14 01:44
VLAI
Details

Flash Player versions 31.0.0.148 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-29T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Flash Player versions 31.0.0.148 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution.",
  "id": "GHSA-j8f5-p7w2-6843",
  "modified": "2022-05-14T01:44:34Z",
  "published": "2022-05-14T01:44:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15981"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3644"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/flash-player/apsb18-44.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105964"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1042151"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J8P6-96VP-F3R9

Vulnerability from github – Published: 2026-05-18 20:20 – Updated: 2026-06-09 10:58
VLAI
Summary
OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages
Details

Summary

Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node.

Details

MongoDB parsing support was introduced by commit 2070f568a (Add Initial support for mongodb), so the explicit released version minimum affected is v0.1.0.

There are two related panic conditions in released go.opentelemetry.io/obi versions:

  • In v0.1.0 through v0.3.0, parseOpMessage reads OP_MSG flag bits from buf[msgHeaderSize:msgHeaderSize+int32Size] without first ensuring the buffer is at least msgHeaderSize + int32Size bytes long. A truncated OP_MSG packet can therefore trigger a slice-bounds panic before the parser returns an error.
  • In v0.1.0 through v0.3.0, parseSections consumes the section type byte and then reads the document-sequence length from buf[offSet:offSet+int32Size] without re-validating that enough bytes remain after the type byte. A malformed document-sequence section can therefore trigger another slice-bounds panic.
  • In v0.1.0 through v0.8.0, parseFirstField assumes the collection name for collection-scoped commands is always a string and performs an unchecked type assertion on field.Value. A malformed BSON document can therefore trigger a runtime panic with interface conversion instead of returning a parse error.

The bounds-check panic was fixed by commit 3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb (Fix MongoDB client panic), which first appears in release v0.4.0. The unchecked BSON type assertion is still present in v0.8.0.

Because this code runs while decoding attacker-controlled MongoDB traffic, the failure mode is process termination rather than graceful rejection of invalid input. In deployments where the telemetry agent monitors traffic from untrusted or partially trusted clients, a single malformed packet can terminate collection until the agent is restarted.

Affected code paths are in pkg/ebpf/common/mongo_detect_transform.go and correspond to parseOpMessage, parseSections, and parseFirstField.

PoC

The following reproductions are fully self-contained. They create a temporary test file inside an affected checkout and then run go test against the real parser code in the repository.

  1. Reproduce the v0.1.0 through v0.3.0 bounds-check panics:

```bash git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc cd obi-poc git checkout v0.3.0

cat > pkg/ebpf/common/mongo_security_poc_test.go <<'EOF' package ebpfcommon

import "testing"

func TestSecurityPoCParseOpMessageShortPanics(t *testing.T) { parseOpMessage(make([]byte, 16), 0, false, nil) }

func TestSecurityPoCParseSectionsShortDocSequencePanics(t *testing.T) { parseSections([]byte{byte(sectionTypeDocumentSequence), 0x01, 0x02, 0x03}) } EOF

go test ./pkg/ebpf/common -run 'TestSecurityPoCParseOpMessageShortPanics|TestSecurityPoCParseSectionsShortDocSequencePanics' -count=1 ```

Expected result:

  • TestSecurityPoCParseOpMessageShortPanics panics with a message similar to slice bounds out of range [:20] with capacity 16
  • TestSecurityPoCParseSectionsShortDocSequencePanics panics with a message similar to slice bounds out of range [:5] with capacity 4

  • Reproduce the v0.1.0 through v0.8.0 unchecked BSON type-assertion panic:

```bash git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc cd obi-poc git checkout v0.8.0

cat > pkg/ebpf/common/mongo_security_poc_test.go <<'EOF' package ebpfcommon

import ( "testing"

   "go.mongodb.org/mongo-driver/v2/bson"

)

func TestSecurityPoCParseFirstFieldTypeAssertionPanics(t *testing.T) { parseFirstField(bson.E{Key: commFind, Value: int32(123)}) } EOF

go test ./pkg/ebpf/common -run TestSecurityPoCParseFirstFieldTypeAssertionPanics -count=1 ```

Expected result: panic with a message similar to interface conversion: interface {} is int32, not string.

Impact

This is a remote denial-of-service vulnerability in the MongoDB protocol parser. Any deployment that enables MongoDB parsing and processes attacker-controlled or malformed MongoDB traffic is impacted. Successful exploitation lets an unauthenticated attacker crash the telemetry agent by sending a crafted OP_MSG packet or malformed BSON document, causing loss of observability until the process is restarted.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.opentelemetry.io/obi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45685"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-248",
      "CWE-704"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T20:20:03Z",
    "nvd_published_at": "2026-06-02T16:16:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nMalformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node.\n\n### Details\n\nMongoDB parsing support was introduced by commit `2070f568a` (`Add Initial support for mongodb`), so the explicit released version minimum affected is `v0.1.0`.\n\nThere are two related panic conditions in released `go.opentelemetry.io/obi` versions:\n\n- In `v0.1.0` through `v0.3.0`, `parseOpMessage` reads OP_MSG flag bits from `buf[msgHeaderSize:msgHeaderSize+int32Size]` without first ensuring the buffer is at least `msgHeaderSize + int32Size` bytes long. A truncated OP_MSG packet can therefore trigger a slice-bounds panic before the parser returns an error.\n- In `v0.1.0` through `v0.3.0`, `parseSections` consumes the section type byte and then reads the document-sequence length from `buf[offSet:offSet+int32Size]` without re-validating that enough bytes remain after the type byte. A malformed document-sequence section can therefore trigger another slice-bounds panic.\n- In `v0.1.0` through `v0.8.0`, `parseFirstField` assumes the collection name for collection-scoped commands is always a string and performs an unchecked type assertion on `field.Value`. A malformed BSON document can therefore trigger a runtime panic with `interface conversion` instead of returning a parse error.\n\nThe bounds-check panic was fixed by commit `3aa58cdaaa97fbb72f8ef4c3609ae425aacaf8bb` (`Fix MongoDB client panic`), which first appears in release `v0.4.0`. The unchecked BSON type assertion is still present in `v0.8.0`.\n\nBecause this code runs while decoding attacker-controlled MongoDB traffic, the failure mode is process termination rather than graceful rejection of invalid input. In deployments where the telemetry agent monitors traffic from untrusted or partially trusted clients, a single malformed packet can terminate collection until the agent is restarted.\n\nAffected code paths are in `pkg/ebpf/common/mongo_detect_transform.go` and correspond to `parseOpMessage`, `parseSections`, and `parseFirstField`.\n\n### PoC\n\nThe following reproductions are fully self-contained. They create a temporary test file inside an affected checkout and then run `go test` against the real parser code in the repository.\n\n1. Reproduce the `v0.1.0` through `v0.3.0` bounds-check panics:\n\n   ```bash\n   git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc\n   cd obi-poc\n   git checkout v0.3.0\n\n   cat \u003e pkg/ebpf/common/mongo_security_poc_test.go \u003c\u003c\u0027EOF\u0027\n   package ebpfcommon\n\n   import \"testing\"\n\n   func TestSecurityPoCParseOpMessageShortPanics(t *testing.T) {\n\t   parseOpMessage(make([]byte, 16), 0, false, nil)\n   }\n\n   func TestSecurityPoCParseSectionsShortDocSequencePanics(t *testing.T) {\n\t   parseSections([]byte{byte(sectionTypeDocumentSequence), 0x01, 0x02, 0x03})\n   }\n   EOF\n\n   go test ./pkg/ebpf/common -run \u0027TestSecurityPoCParseOpMessageShortPanics|TestSecurityPoCParseSectionsShortDocSequencePanics\u0027 -count=1\n   ```\n\n   Expected result:\n\n   - `TestSecurityPoCParseOpMessageShortPanics` panics with a message similar to `slice bounds out of range [:20] with capacity 16`\n   - `TestSecurityPoCParseSectionsShortDocSequencePanics` panics with a message similar to `slice bounds out of range [:5] with capacity 4`\n\n1. Reproduce the `v0.1.0` through `v0.8.0` unchecked BSON type-assertion panic:\n\n   ```bash\n   git clone https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation.git obi-poc\n   cd obi-poc\n   git checkout v0.8.0\n\n   cat \u003e pkg/ebpf/common/mongo_security_poc_test.go \u003c\u003c\u0027EOF\u0027\n   package ebpfcommon\n\n   import (\n\t   \"testing\"\n\n\t   \"go.mongodb.org/mongo-driver/v2/bson\"\n   )\n\n   func TestSecurityPoCParseFirstFieldTypeAssertionPanics(t *testing.T) {\n\t   parseFirstField(bson.E{Key: commFind, Value: int32(123)})\n   }\n   EOF\n\n   go test ./pkg/ebpf/common -run TestSecurityPoCParseFirstFieldTypeAssertionPanics -count=1\n   ```\n\n   Expected result: panic with a message similar to `interface conversion: interface {} is int32, not string`.\n\n### Impact\n\nThis is a remote denial-of-service vulnerability in the MongoDB protocol parser. Any deployment that enables MongoDB parsing and processes attacker-controlled or malformed MongoDB traffic is impacted. Successful exploitation lets an unauthenticated attacker crash the telemetry agent by sending a crafted OP_MSG packet or malformed BSON document, causing loss of observability until the process is restarted.",
  "id": "GHSA-j8p6-96vp-f3r9",
  "modified": "2026-06-09T10:58:53Z",
  "published": "2026-05-18T20:20:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-j8p6-96vp-f3r9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45685"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages"
}

GHSA-J9F3-QC93-888P

Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the getPageBox method. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6020.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14257"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-31T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the getPageBox method. By performing actions in JavaScript, an attacker can trigger a type confusion condition. An attacker can leverage this vulnerability to execute code under the context of the current process. Was ZDI-CAN-6020.",
  "id": "GHSA-j9f3-qc93-888p",
  "modified": "2022-05-13T01:34:39Z",
  "published": "2022-05-13T01:34:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14257"
    },
    {
      "type": "WEB",
      "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-18-717"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.