Common Weakness Enumeration

CWE-706

Allowed-with-Review

Use of Incorrectly-Resolved Name or Reference

Abstraction: Class · Status: Incomplete

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

148 vulnerabilities reference this CWE, most recent first.

CVE-2020-26233 (GCVE-0-2020-26233)

Vulnerability from cvelistv5 – Published: 2020-12-08 19:55 – Updated: 2024-08-04 15:56
VLAI
Title
Remote Code Execution in Git Credential Manager Core
Summary
Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, Git will first clone the top-level repository and then recursively clone all submodules by starting new Git processes from the top-level working directory. If a malicious git.exe executable is present in the top-level repository then this binary will be started by Git Credential Manager Core when attempting to read configuration, and not git.exe as found on the %PATH%. This only affects GCM Core on Windows, not macOS or Linux-based distributions. GCM Core version 2.0.289 contains the fix for this vulnerability, and is available from the project's GitHub releases page. GCM Core 2.0.289 is also bundled in the latest Git for Windows release; version 2.29.2(3). As a workaround, users should avoid recursively cloning untrusted repositories with the --recurse-submodules option.
CWE
  • CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:56:03.058Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/microsoft/Git-Credential-Manager-Core/security/advisories/GHSA-2gq7-ww4j-3m76"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/microsoft/Git-Credential-Manager-Core/releases/tag/v2.0.289-beta"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/microsoft/Git-Credential-Manager-Core/commit/61c0388e064babb3b4e60d3ec269e8a07ab3bc76"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.blazeinfosec.com/attack-of-the-clones-2-git-command-client-remote-code-execution-strikes-back/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Git-Credential-Manager-Core",
          "vendor": "microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.0.280"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, Git will first clone the top-level repository and then recursively clone all submodules by starting new Git processes from the top-level working directory. If a malicious git.exe executable is present in the top-level repository then this binary will be started by Git Credential Manager Core when attempting to read configuration, and not git.exe as found on the %PATH%. This only affects GCM Core on Windows, not macOS or Linux-based distributions. GCM Core version 2.0.289 contains the fix for this vulnerability, and is available from the project\u0027s GitHub releases page. GCM Core 2.0.289 is also bundled in the latest Git for Windows release; version 2.29.2(3). As a workaround, users should avoid recursively cloning untrusted repositories with the --recurse-submodules option."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-706",
              "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-15T17:44:06.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/microsoft/Git-Credential-Manager-Core/security/advisories/GHSA-2gq7-ww4j-3m76"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/microsoft/Git-Credential-Manager-Core/releases/tag/v2.0.289-beta"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/microsoft/Git-Credential-Manager-Core/commit/61c0388e064babb3b4e60d3ec269e8a07ab3bc76"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.blazeinfosec.com/attack-of-the-clones-2-git-command-client-remote-code-execution-strikes-back/"
        }
      ],
      "source": {
        "advisory": "GHSA-2gq7-ww4j-3m76",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution in Git Credential Manager Core",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26233",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution in Git Credential Manager Core"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Git-Credential-Manager-Core",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c= 2.0.280"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "microsoft"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, Git will first clone the top-level repository and then recursively clone all submodules by starting new Git processes from the top-level working directory. If a malicious git.exe executable is present in the top-level repository then this binary will be started by Git Credential Manager Core when attempting to read configuration, and not git.exe as found on the %PATH%. This only affects GCM Core on Windows, not macOS or Linux-based distributions. GCM Core version 2.0.289 contains the fix for this vulnerability, and is available from the project\u0027s GitHub releases page. GCM Core 2.0.289 is also bundled in the latest Git for Windows release; version 2.29.2(3). As a workaround, users should avoid recursively cloning untrusted repositories with the --recurse-submodules option."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-706: Use of Incorrectly-Resolved Name or Reference"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/microsoft/Git-Credential-Manager-Core/security/advisories/GHSA-2gq7-ww4j-3m76",
              "refsource": "CONFIRM",
              "url": "https://github.com/microsoft/Git-Credential-Manager-Core/security/advisories/GHSA-2gq7-ww4j-3m76"
            },
            {
              "name": "https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt",
              "refsource": "MISC",
              "url": "https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt"
            },
            {
              "name": "https://github.com/microsoft/Git-Credential-Manager-Core/releases/tag/v2.0.289-beta",
              "refsource": "MISC",
              "url": "https://github.com/microsoft/Git-Credential-Manager-Core/releases/tag/v2.0.289-beta"
            },
            {
              "name": "https://github.com/microsoft/Git-Credential-Manager-Core/commit/61c0388e064babb3b4e60d3ec269e8a07ab3bc76",
              "refsource": "MISC",
              "url": "https://github.com/microsoft/Git-Credential-Manager-Core/commit/61c0388e064babb3b4e60d3ec269e8a07ab3bc76"
            },
            {
              "name": "https://blog.blazeinfosec.com/attack-of-the-clones-2-git-command-client-remote-code-execution-strikes-back/",
              "refsource": "MISC",
              "url": "https://blog.blazeinfosec.com/attack-of-the-clones-2-git-command-client-remote-code-execution-strikes-back/"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-2gq7-ww4j-3m76",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-26233",
    "datePublished": "2020-12-08T19:55:15.000Z",
    "dateReserved": "2020-10-01T00:00:00.000Z",
    "dateUpdated": "2024-08-04T15:56:03.058Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-125125 (GCVE-0-2014-125125)

Vulnerability from cvelistv5 – Published: 2025-07-31 14:50 – Updated: 2026-05-15 11:14
VLAI
Title
A10 Networks AX Loadbalancer Path Traversal
Summary
A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-706 - Use of Incorrectly-Resolved Name or Reference
Assigner
Impacted products
Vendor Product Version
A10 Networks AX Series Loadbalancer Affected: 0 , ≤ 2.6.1-GR1-P5 (semver)
Affected: 0 , ≤ 2.7.0 (semver)
Create a notification for this product.
Date Public
2014-01-29 00:00
Credits
xistence
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2014-125125",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-31T15:15:49.521576Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-31T15:15:56.589Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "/xml/downloads"
          ],
          "product": "AX Series Loadbalancer",
          "vendor": "A10 Networks",
          "versions": [
            {
              "lessThanOrEqual": "2.6.1-GR1-P5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.7.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "xistence"
        }
      ],
      "datePublic": "2014-01-29T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e  \n\u003c/p\u003eA path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion.\u003cbr\u003e"
            }
          ],
          "value": "A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-126",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-126 Path Traversal"
            }
          ]
        },
        {
          "capecId": "CAPEC-137",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-137 Parameter Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-706",
              "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-15T11:14:23.430Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "exploit"
          ],
          "url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/31261"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/a10-networks-ax-loadbalancer-path-traversal"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "A10 Networks AX Loadbalancer Path Traversal",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2014-125125",
    "datePublished": "2025-07-31T14:50:53.697Z",
    "dateReserved": "2025-07-30T15:35:38.708Z",
    "dateUpdated": "2026-05-15T11:14:23.430Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-236C-JVM7-G9G6

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadScrawl URI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-06T22:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in OFCMS before 1.1.3. Remote attackers can execute arbitrary code because blocking of .jsp and .jspx files does not consider (for example) file.jsp::$DATA to the admin/ueditor/uploadScrawl URI.",
  "id": "GHSA-236c-jvm7-g9g6",
  "modified": "2022-05-13T01:23:04Z",
  "published": "2022-05-13T01:23:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9616"
    },
    {
      "type": "WEB",
      "url": "https://www.seebug.org/vuldb/ssvid-97833"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-26GH-P63X-8W5R

Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08
VLAI
Details

An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-18T18:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the \"Setting -\u003e Mailbox configuration -\u003e Registration email template\" screen, and uploading an image file, as demonstrated by a .php filename and the \"Content-Type: image/gif\" header.",
  "id": "GHSA-26gh-p63x-8w5r",
  "modified": "2022-05-13T01:08:17Z",
  "published": "2022-05-13T01:08:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8908"
    },
    {
      "type": "WEB",
      "url": "https://github.com/taosir/wtcms/issues/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GMP-HJMM-V2WX

Vulnerability from github – Published: 2023-02-03 18:30 – Updated: 2023-02-13 15:30
VLAI
Details

Incorrect Access Control issue discoverd in Cloud Disk in ASUS RT-AC68U router firmware version before 3.0.0.4.386.41634 allows remote attackers to write arbitrary files via improper sanitation on the source for COPY and MOVE operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-03T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Incorrect Access Control issue discoverd in Cloud Disk in ASUS RT-AC68U router firmware version before 3.0.0.4.386.41634 allows remote attackers to write arbitrary files via improper sanitation on the source for COPY and MOVE operations.",
  "id": "GHSA-2gmp-hjmm-v2wx",
  "modified": "2023-02-13T15:30:27Z",
  "published": "2023-02-03T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37315"
    },
    {
      "type": "WEB",
      "url": "https://robertchen.cc/blog/2021/03/31/asus-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2HFW-W5CW-P4G7

Vulnerability from github – Published: 2026-04-26 03:30 – Updated: 2026-04-26 03:30
VLAI
Details

Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-26T03:15:59Z",
    "severity": "MODERATE"
  },
  "details": "Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response.",
  "id": "GHSA-2hfw-w5cw-p4g7",
  "modified": "2026-04-26T03:30:25Z",
  "published": "2026-04-26T03:30:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-83hf-93m4-rgwq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42254"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2J6Q-WHV2-GH6W

Vulnerability from github – Published: 2026-03-20 20:50 – Updated: 2026-03-27 20:58
VLAI
Summary
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
Details

Summary

The mount() method in h3 uses a simple startsWith() check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is / or end-of-string), middleware registered on a mount like /admin will also execute for unrelated routes such as /admin-public, /administrator, or /adminstuff. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags.

Details

The root cause is in src/h3.ts:127 within the mount() method:

// src/h3.ts:122-135
mount(base: string, input: FetchHandler | FetchableObject | H3Type) {
  if ("handler" in input) {
    if (input["~middleware"].length > 0) {
      this["~middleware"].push((event, next) => {
        const originalPathname = event.url.pathname;
        if (!originalPathname.startsWith(base)) {  // <-- BUG: no segment boundary check
          return next();
        }
        event.url.pathname = event.url.pathname.slice(base.length) || "/";
        return callMiddleware(event, input["~middleware"], () => {
          event.url.pathname = originalPathname;
          return next();
        });
      });
    }

When a sub-app is mounted at /admin, the check originalPathname.startsWith("/admin") returns true for /admin, /admin/, /admin/dashboard, but also for /admin-public, /administrator, /adminFoo, etc. The mounted sub-app's entire middleware chain then executes for these unrelated paths.

A secondary instance of the same flaw exists in src/utils/internal/path.ts:40:

// src/utils/internal/path.ts:35-45
export function withoutBase(input: string = "", base: string = ""): string {
  if (!base || base === "/") {
    return input;
  }
  const _base = withoutTrailingSlash(base);
  if (!input.startsWith(_base)) {  // <-- Same flaw: no segment boundary check
    return input;
  }
  const trimmed = input.slice(_base.length);
  return trimmed[0] === "/" ? trimmed : "/" + trimmed;
}

The withoutBase() utility will incorrectly strip the base from paths that merely share a string prefix, returning mangled paths (e.g., withoutBase("/admin-public/info", "/admin") returns /-public/info).

Exploitation flow:

  1. Developer mounts a sub-app at /admin with middleware that sets event.context.isAdmin = true
  2. Developer defines a separate route /admin-public/info on the parent app that reads event.context.isAdmin
  3. Attacker requests GET /admin-public/info
  4. The /admin mount's startsWith check passes → admin middleware executes → sets isAdmin = true
  5. The middleware's "restore pathname" callback fires, control returns to the parent app
  6. The /admin-public/info handler sees event.context.isAdmin === true

PoC

// poc.js — demonstrates context pollution across mount boundaries
import { H3 } from "h3";

const adminApp = new H3();

// Admin middleware sets privileged context
adminApp.use(() => {}, {
  onRequest: (event) => {
    event.context.isAdmin = true;
  }
});

adminApp.get("/dashboard", (event) => {
  return { admin: true, context: event.context };
});

const app = new H3();

// Mount admin sub-app at /admin
app.mount("/admin", adminApp);

// Public route that happens to share the "/admin" prefix
app.get("/admin-public/info", (event) => {
  return {
    path: event.url.pathname,
    isAdmin: event.context.isAdmin ?? false,  // Should always be false here
  };
});

// Test with fetch
const server = Bun.serve({ port: 3000, fetch: app.fetch });

// This request should NOT trigger admin middleware, but it does
const res = await fetch("http://localhost:3000/admin-public/info");
const body = await res.json();
console.log(body);
// Actual output: { path: "/admin-public/info", isAdmin: true }
// Expected output: { path: "/admin-public/info", isAdmin: false }

server.stop();

Steps to reproduce:

# 1. Clone h3 and install
git clone https://github.com/h3js/h3 && cd h3
corepack enable && pnpm install && pnpm build

# 2. Save poc.js (above) and run
bun poc.js
# Output shows isAdmin: true — admin middleware leaked to /admin-public/info

# 3. Verify the boundary leak with additional paths:
# GET /administrator → admin middleware fires
# GET /adminstuff   → admin middleware fires
# GET /admin123     → admin middleware fires
# GET /admi         → admin middleware does NOT fire (correct)

Impact

  • Context pollution across mount boundaries: Middleware registered on a mounted sub-app executes for any route sharing the string prefix, not just routes under the intended path segment tree. This can set privileged flags (isAdmin, isAuthenticated, role assignments) on requests to completely unrelated routes.
  • Authorization bypass: If an application uses mount-scoped middleware to set permissive context flags and other routes check those flags, an attacker can access protected functionality by requesting a path that string-prefix-matches the mount base but routes to a different handler.
  • Path mangling: The withoutBase() utility produces incorrect paths (e.g., /-public/info instead of /admin-public/info) when the input shares only a string prefix, potentially causing routing errors or further security issues in downstream path processing.
  • Scope: Any h3 v2 application using mount() with a base path that is a string prefix of other routes is affected. The impact scales with how the application uses middleware-set context values.

Recommended Fix

Add a segment boundary check after the startsWith call in both locations. The character immediately following the base prefix must be /, ?, #, or the string must end exactly at the base:

Fix for src/h3.ts:127:

 mount(base: string, input: FetchHandler | FetchableObject | H3Type) {
   if ("handler" in input) {
     if (input["~middleware"].length > 0) {
       this["~middleware"].push((event, next) => {
         const originalPathname = event.url.pathname;
-        if (!originalPathname.startsWith(base)) {
+        if (!originalPathname.startsWith(base) ||
+            (originalPathname.length > base.length && originalPathname[base.length] !== "/")) {
           return next();
         }

Fix for src/utils/internal/path.ts:40:

 export function withoutBase(input: string = "", base: string = ""): string {
   if (!base || base === "/") {
     return input;
   }
   const _base = withoutTrailingSlash(base);
-  if (!input.startsWith(_base)) {
+  if (!input.startsWith(_base) ||
+      (input.length > _base.length && input[_base.length] !== "/")) {
     return input;
   }

This ensures that /admin only matches /admin, /admin/, and /admin/... — never /admin-public, /administrator, or other coincidental string-prefix matches.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.1-rc.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "h3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1-alpha.0"
            },
            {
              "fixed": "2.0.1-rc.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33490"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:50:27Z",
    "nvd_published_at": "2026-03-26T18:16:30Z",
    "severity": "LOW"
  },
  "details": "## Summary\n\nThe `mount()` method in h3 uses a simple `startsWith()` check to determine whether incoming requests fall under a mounted sub-application\u0027s path prefix. Because this check does not verify a path segment boundary (i.e., that the next character after the base is `/` or end-of-string), middleware registered on a mount like `/admin` will also execute for unrelated routes such as `/admin-public`, `/administrator`, or `/adminstuff`. This allows an attacker to trigger context-setting middleware on paths it was never intended to cover, potentially polluting request context with unintended privilege flags.\n\n## Details\n\nThe root cause is in `src/h3.ts:127` within the `mount()` method:\n\n```typescript\n// src/h3.ts:122-135\nmount(base: string, input: FetchHandler | FetchableObject | H3Type) {\n  if (\"handler\" in input) {\n    if (input[\"~middleware\"].length \u003e 0) {\n      this[\"~middleware\"].push((event, next) =\u003e {\n        const originalPathname = event.url.pathname;\n        if (!originalPathname.startsWith(base)) {  // \u003c-- BUG: no segment boundary check\n          return next();\n        }\n        event.url.pathname = event.url.pathname.slice(base.length) || \"/\";\n        return callMiddleware(event, input[\"~middleware\"], () =\u003e {\n          event.url.pathname = originalPathname;\n          return next();\n        });\n      });\n    }\n```\n\nWhen a sub-app is mounted at `/admin`, the check `originalPathname.startsWith(\"/admin\")` returns `true` for `/admin`, `/admin/`, `/admin/dashboard`, but also for `/admin-public`, `/administrator`, `/adminFoo`, etc. The mounted sub-app\u0027s entire middleware chain then executes for these unrelated paths.\n\nA secondary instance of the same flaw exists in `src/utils/internal/path.ts:40`:\n\n```typescript\n// src/utils/internal/path.ts:35-45\nexport function withoutBase(input: string = \"\", base: string = \"\"): string {\n  if (!base || base === \"/\") {\n    return input;\n  }\n  const _base = withoutTrailingSlash(base);\n  if (!input.startsWith(_base)) {  // \u003c-- Same flaw: no segment boundary check\n    return input;\n  }\n  const trimmed = input.slice(_base.length);\n  return trimmed[0] === \"/\" ? trimmed : \"/\" + trimmed;\n}\n```\n\nThe `withoutBase()` utility will incorrectly strip the base from paths that merely share a string prefix, returning mangled paths (e.g., `withoutBase(\"/admin-public/info\", \"/admin\")` returns `/-public/info`).\n\n**Exploitation flow:**\n\n1. Developer mounts a sub-app at `/admin` with middleware that sets `event.context.isAdmin = true`\n2. Developer defines a separate route `/admin-public/info` on the parent app that reads `event.context.isAdmin`\n3. Attacker requests `GET /admin-public/info`\n4. The `/admin` mount\u0027s `startsWith` check passes \u2192 admin middleware executes \u2192 sets `isAdmin = true`\n5. The middleware\u0027s \"restore pathname\" callback fires, control returns to the parent app\n6. The `/admin-public/info` handler sees `event.context.isAdmin === true`\n\n## PoC\n\n```javascript\n// poc.js \u2014 demonstrates context pollution across mount boundaries\nimport { H3 } from \"h3\";\n\nconst adminApp = new H3();\n\n// Admin middleware sets privileged context\nadminApp.use(() =\u003e {}, {\n  onRequest: (event) =\u003e {\n    event.context.isAdmin = true;\n  }\n});\n\nadminApp.get(\"/dashboard\", (event) =\u003e {\n  return { admin: true, context: event.context };\n});\n\nconst app = new H3();\n\n// Mount admin sub-app at /admin\napp.mount(\"/admin\", adminApp);\n\n// Public route that happens to share the \"/admin\" prefix\napp.get(\"/admin-public/info\", (event) =\u003e {\n  return {\n    path: event.url.pathname,\n    isAdmin: event.context.isAdmin ?? false,  // Should always be false here\n  };\n});\n\n// Test with fetch\nconst server = Bun.serve({ port: 3000, fetch: app.fetch });\n\n// This request should NOT trigger admin middleware, but it does\nconst res = await fetch(\"http://localhost:3000/admin-public/info\");\nconst body = await res.json();\nconsole.log(body);\n// Actual output: { path: \"/admin-public/info\", isAdmin: true }\n// Expected output: { path: \"/admin-public/info\", isAdmin: false }\n\nserver.stop();\n```\n\n**Steps to reproduce:**\n\n```bash\n# 1. Clone h3 and install\ngit clone https://github.com/h3js/h3 \u0026\u0026 cd h3\ncorepack enable \u0026\u0026 pnpm install \u0026\u0026 pnpm build\n\n# 2. Save poc.js (above) and run\nbun poc.js\n# Output shows isAdmin: true \u2014 admin middleware leaked to /admin-public/info\n\n# 3. Verify the boundary leak with additional paths:\n# GET /administrator \u2192 admin middleware fires\n# GET /adminstuff   \u2192 admin middleware fires\n# GET /admin123     \u2192 admin middleware fires\n# GET /admi         \u2192 admin middleware does NOT fire (correct)\n```\n\n## Impact\n\n- **Context pollution across mount boundaries**: Middleware registered on a mounted sub-app executes for any route sharing the string prefix, not just routes under the intended path segment tree. This can set privileged flags (`isAdmin`, `isAuthenticated`, role assignments) on requests to completely unrelated routes.\n- **Authorization bypass**: If an application uses mount-scoped middleware to set permissive context flags and other routes check those flags, an attacker can access protected functionality by requesting a path that string-prefix-matches the mount base but routes to a different handler.\n- **Path mangling**: The `withoutBase()` utility produces incorrect paths (e.g., `/-public/info` instead of `/admin-public/info`) when the input shares only a string prefix, potentially causing routing errors or further security issues in downstream path processing.\n- **Scope**: Any h3 v2 application using `mount()` with a base path that is a string prefix of other routes is affected. The impact scales with how the application uses middleware-set context values.\n\n## Recommended Fix\n\nAdd a segment boundary check after the `startsWith` call in both locations. The character immediately following the base prefix must be `/`, `?`, `#`, or the string must end exactly at the base:\n\n**Fix for `src/h3.ts:127`:**\n\n```diff\n mount(base: string, input: FetchHandler | FetchableObject | H3Type) {\n   if (\"handler\" in input) {\n     if (input[\"~middleware\"].length \u003e 0) {\n       this[\"~middleware\"].push((event, next) =\u003e {\n         const originalPathname = event.url.pathname;\n-        if (!originalPathname.startsWith(base)) {\n+        if (!originalPathname.startsWith(base) ||\n+            (originalPathname.length \u003e base.length \u0026\u0026 originalPathname[base.length] !== \"/\")) {\n           return next();\n         }\n```\n\n**Fix for `src/utils/internal/path.ts:40`:**\n\n```diff\n export function withoutBase(input: string = \"\", base: string = \"\"): string {\n   if (!base || base === \"/\") {\n     return input;\n   }\n   const _base = withoutTrailingSlash(base);\n-  if (!input.startsWith(_base)) {\n+  if (!input.startsWith(_base) ||\n+      (input.length \u003e _base.length \u0026\u0026 input[_base.length] !== \"/\")) {\n     return input;\n   }\n```\n\nThis ensures that `/admin` only matches `/admin`, `/admin/`, and `/admin/...` \u2014 never `/admin-public`, `/administrator`, or other coincidental string-prefix matches.",
  "id": "GHSA-2j6q-whv2-gh6w",
  "modified": "2026-03-27T20:58:29Z",
  "published": "2026-03-20T20:50:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/security/advisories/GHSA-2j6q-whv2-gh6w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33490"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/h3js/h3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes"
}

GHSA-2R72-MFWR-5645

Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53
VLAI
Details

Making URLs clickable and allowing them to be styled in DevTools in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-01-09T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Making URLs clickable and allowing them to be styled in DevTools in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.",
  "id": "GHSA-2r72-mfwr-5645",
  "modified": "2022-05-13T01:53:02Z",
  "published": "2022-05-13T01:53:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6112"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1195"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/798096"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201804-22"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4182"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103917"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2RVV-W9R2-RG7M

Vulnerability from github – Published: 2021-05-13 22:30 – Updated: 2024-03-11 16:32
VLAI
Summary
Information Disclosure in Apache Tomcat
Details

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.0-M9"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0-M1"
            },
            {
              "fixed": "10.0.0-M10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.0"
            },
            {
              "fixed": "8.5.60"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.107"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-24122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-06T21:27:31Z",
    "nvd_published_at": "2021-01-14T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.",
  "id": "GHSA-2rvv-w9r2-rg7m",
  "modified": "2024-03-11T16:32:22Z",
  "published": "2021-05-13T22:30:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24122"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/7f004ac4531c45f9a2a2d1470561fe135cf27bc2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/800b03140e640f8892f27021e681645e8e320177"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/920dddbdb981f92e8d5872a4bb126a10af5ca8a9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/935fc5582dc25ae10bab6f9d5629ff8d996cb533"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-9.html"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-8.html"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-7.html"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-10.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210212-0008"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tomcat"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/01/14/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Information Disclosure in Apache Tomcat"
}

GHSA-2V93-G9J3-9Q9H

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2025-04-30 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

IB/mlx5: Fix initializing CQ fragments buffer

The function init_cq_frag_buf() can be called to initialize the current CQ fragments buffer cq->buf, or the temporary cq->resize_buf that is filled during CQ resize operation.

However, the offending commit started to use function get_cqe() for getting the CQEs, the issue with this change is that get_cqe() always returns CQEs from cq->buf, which leads us to initialize the wrong buffer, and in case of enlarging the CQ we try to access elements beyond the size of the current cq->buf and eventually hit a kernel panic.

[exception RIP: init_cq_frag_buf+103] [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib] [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core] [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt] [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt] [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt] [ffff9f799ddcbec8] kthread at ffffffffa66c5da1 [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd

Fix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that takes the correct source buffer as a parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-706"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:14Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mlx5: Fix initializing CQ fragments buffer\n\nThe function init_cq_frag_buf() can be called to initialize the current CQ\nfragments buffer cq-\u003ebuf, or the temporary cq-\u003eresize_buf that is filled\nduring CQ resize operation.\n\nHowever, the offending commit started to use function get_cqe() for\ngetting the CQEs, the issue with this change is that get_cqe() always\nreturns CQEs from cq-\u003ebuf, which leads us to initialize the wrong buffer,\nand in case of enlarging the CQ we try to access elements beyond the size\nof the current cq-\u003ebuf and eventually hit a kernel panic.\n\n [exception RIP: init_cq_frag_buf+103]\n  [ffff9f799ddcbcd8] mlx5_ib_resize_cq at ffffffffc0835d60 [mlx5_ib]\n  [ffff9f799ddcbdb0] ib_resize_cq at ffffffffc05270df [ib_core]\n  [ffff9f799ddcbdc0] llt_rdma_setup_qp at ffffffffc0a6a712 [llt]\n  [ffff9f799ddcbe10] llt_rdma_cc_event_action at ffffffffc0a6b411 [llt]\n  [ffff9f799ddcbe98] llt_rdma_client_conn_thread at ffffffffc0a6bb75 [llt]\n  [ffff9f799ddcbec8] kthread at ffffffffa66c5da1\n  [ffff9f799ddcbf50] ret_from_fork_nospec_begin at ffffffffa6d95ddd\n\nFix it by getting the needed CQE by calling mlx5_frag_buf_get_wqe() that\ntakes the correct source buffer as a parameter.",
  "id": "GHSA-2v93-g9j3-9q9h",
  "modified": "2025-04-30T15:30:43Z",
  "published": "2024-05-21T15:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47261"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ec2dcd680c71d0d36fa25638b327a468babd5c9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2ba0aa2feebda680ecfc3c552e867cf4d1b05a3a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3e670c54eda238cb8a1ea93538a79ae89285c1c4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91f7fdc4cc10542ca1045c06aad23365f0d067e0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e3ecd9c09fcc10cf6b2bc67e2990c397c40a8c26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-159: Redirect Access to Libraries

An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.

CAPEC-177: Create files with the same name as files protected with a higher classification

An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.

CAPEC-48: Passing Local Filenames to Functions That Expect a URL

This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.

CAPEC-641: DLL Side-Loading

An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.