Common Weakness Enumeration

CWE-755

Discouraged

Improper Handling of Exceptional Conditions

Abstraction: Class · Status: Incomplete

The product does not handle or incorrectly handles an exceptional condition.

685 vulnerabilities reference this CWE, most recent first.

GHSA-2MJH-J6V5-C2WP

Vulnerability from github – Published: 2022-05-17 00:01 – Updated: 2022-05-25 00:00
VLAI
Details

Bento4 v1.6.0.0 was discovered to contain a segmentation fault via the component /x86_64/multiarch/strlen-avx2.S.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-16T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Bento4 v1.6.0.0 was discovered to contain a segmentation fault via the component /x86_64/multiarch/strlen-avx2.S.",
  "id": "GHSA-2mjh-j6v5-c2wp",
  "modified": "2022-05-25T00:00:31Z",
  "published": "2022-05-17T00:01:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29017"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axiomatic-systems/Bento4/issues/691"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2MMF-R54M-7994

Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2024-04-04 03:07
VLAI
Details

mwlib 0.13 through 0.13.4 has a denial of service vulnerability when parsing #iferror magic functions

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-1109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-12T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "mwlib 0.13 through 0.13.4 has a denial of service vulnerability when parsing #iferror magic functions",
  "id": "GHSA-2mmf-r54m-7994",
  "modified": "2024-04-04T03:07:36Z",
  "published": "2022-05-24T22:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1109"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1109"
    },
    {
      "type": "WEB",
      "url": "https://www.securityfocus.com/bid/52577"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/03/05/20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2P6R-X3VV-XQM2

Vulnerability from github – Published: 2026-05-06 21:49 – Updated: 2026-05-06 21:49
VLAI
Summary
rpassword affected by partial password reveal when input is interrupted
Details

rpassword maintainers were made aware of a possible issue with a partial password reveal when input is interrupted.

To quote @squell:

@conradkleinespel I've confirmed this problem with SequoiaPGP, which I think uses rpassword, e.g.:

Suppose we use pkill -9 sq in a different terminal right after the password has been typed in:

$ sq key generate --userid "barf" --with-password Enter password to protect the key: Killed $ hello^C

Where the password I typed in is "hello".

This has been fixed in version v7.5.0 and above.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.4.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "rpassword"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T21:49:33Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "rpassword maintainers were made aware of a possible issue with a partial password reveal when input is interrupted.\n\nTo quote @squell:\n\n\u003e @conradkleinespel I\u0027ve confirmed this problem with SequoiaPGP, which I think uses rpassword, e.g.:\n\u003e\n\u003e Suppose we use pkill -9 sq in a different terminal right after the password has been typed in:\n\u003e\n\u003e $ sq key generate --userid \"barf\" --with-password\n\u003e Enter password to protect the key: Killed\n\u003e $ hello^C\n\u003e\n\u003e Where the password I typed in is \"hello\".\n\nThis has been fixed in version v7.5.0 and above.",
  "id": "GHSA-2p6r-x3vv-xqm2",
  "modified": "2026-05-06T21:49:34Z",
  "published": "2026-05-06T21:49:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/conradkleinespel/rpassword/security/advisories/GHSA-2p6r-x3vv-xqm2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/conradkleinespel/rpassword"
    },
    {
      "type": "WEB",
      "url": "https://github.com/conradkleinespel/rpassword/releases/tag/v7.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "rpassword affected by partial password reveal when input is interrupted "
}

GHSA-2PQ9-CJ9C-6VGR

Vulnerability from github – Published: 2023-02-20 06:30 – Updated: 2024-02-16 21:31
VLAI
Details

app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-20T04:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.",
  "id": "GHSA-2pq9-cj9c-6vgr",
  "modified": "2024-02-16T21:31:30Z",
  "published": "2023-02-20T06:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48328"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/1edbc2569989f844799261a5f90edfa433d7dbcc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/commit/206f540f0275af2dd2a86275abc199df41e72a21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MISP/MISP/compare/v2.4.166...v2.4.167"
    },
    {
      "type": "WEB",
      "url": "https://zigrin.com/advisories/misp-sql-injection-in-crud-component"
    },
    {
      "type": "WEB",
      "url": "https://zigrin.com/cakephp-application-cybersecurity-research-hiding-in-plain-sight-the-hidden-danger-of-sql-injection-in-input-field-names"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2Q89-485C-9J2X

Vulnerability from github – Published: 2023-05-11 20:40 – Updated: 2023-05-24 18:31
VLAI
Summary
Improper random reading in CIRCL
Details

Impact

When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret.

The tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.

Patches

The fix was introduced in CIRCL v. 1.3.3

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cloudflare/circl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-11T20:40:54Z",
    "nvd_published_at": "2023-05-10T12:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether `crypto/rand.Read()` returns an error. In rare deployment cases (error thrown by the `Read()` function), this could lead to a predictable shared secret.\n\nThe tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides `crypto/rand.Reader`, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.\n\n\n### Patches\nThe fix was introduced in CIRCL v. 1.3.3\n",
  "id": "GHSA-2q89-485c-9j2x",
  "modified": "2023-05-24T18:31:42Z",
  "published": "2023-05-11T20:40:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/circl/security/advisories/GHSA-2q89-485c-9j2x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1732"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/circl/commit/ff8d91225f8954b4970b6d6382d2e4c78f4a4cf8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/circl"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/circl/releases/tag/v1.3.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper random reading in CIRCL"
}

GHSA-2QRQ-4QXF-6CFM

Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-10 00:00
VLAI
Details

There is an Exception log vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause address information leakage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-08T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is an Exception log vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause address information leakage.",
  "id": "GHSA-2qrq-4qxf-6cfm",
  "modified": "2021-12-10T00:00:54Z",
  "published": "2021-12-09T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37052"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2021/9"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202109-0000001196270727"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2R4W-C5QM-VPX8

Vulnerability from github – Published: 2022-05-17 04:21 – Updated: 2022-05-17 04:21
VLAI
Details

Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-1943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-02-18T19:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.",
  "id": "GHSA-2r4w-c5qm-vpx8",
  "modified": "2022-05-17T04:21:31Z",
  "published": "2022-05-17T04:21:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-1943"
    },
    {
      "type": "WEB",
      "url": "https://github.com/glensc/file/blob/FILE5_17/ChangeLog"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-03/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-03/msg00037.html"
    },
    {
      "type": "WEB",
      "url": "http://mx.gw.com/pipermail/file/2014/001327.html"
    },
    {
      "type": "WEB",
      "url": "http://mx.gw.com/pipermail/file/2014/001330.html"
    },
    {
      "type": "WEB",
      "url": "http://mx.gw.com/pipermail/file/2014/001334.html"
    },
    {
      "type": "WEB",
      "url": "http://mx.gw.com/pipermail/file/2014/001337.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1765.html"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT6443"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-2861"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2014/dsa-2868"
    },
    {
      "type": "WEB",
      "url": "http://www.php.net/ChangeLog-5.php"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2123-1"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2126-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2V7G-8JVX-2WFC

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-07-13 00:00
VLAI
Details

An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. The allocation of an event-channel port may fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, or (3) the port we try to allocate is higher than what is supported by the ABI (e.g., 2L or FIFO) used by the guest or the limit set by an administrator (max_event_channels in xl cfg). Due to the missing error checks, only (1) will be considered an error. All the other cases will provide a valid port and will result in a crash when trying to access the event channel. When the administrator configured a guest to allow more than 1023 event channels, that guest may be able to crash the host. When Xen is out-of-memory, allocation of new event channels will result in crashing the host rather than reporting an error. Xen versions 4.10 and later are affected. All architectures are affected. The default configuration, when guests are created with xl/libxl, is not vulnerable, because of the default event-channel limit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15566"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-07T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a host OS crash because of incorrect error handling in event-channel port allocation. The allocation of an event-channel port may fail for multiple reasons: (1) port is already in use, (2) the memory allocation failed, or (3) the port we try to allocate is higher than what is supported by the ABI (e.g., 2L or FIFO) used by the guest or the limit set by an administrator (max_event_channels in xl cfg). Due to the missing error checks, only (1) will be considered an error. All the other cases will provide a valid port and will result in a crash when trying to access the event channel. When the administrator configured a guest to allow more than 1023 event channels, that guest may be able to crash the host. When Xen is out-of-memory, allocation of new event channels will result in crashing the host rather than reporting an error. Xen versions 4.10 and later are affected. All architectures are affected. The default configuration, when guests are created with xl/libxl, is not vulnerable, because of the default event-channel limit.",
  "id": "GHSA-2v7g-8jvx-2wfc",
  "modified": "2022-07-13T00:00:44Z",
  "published": "2022-05-24T17:22:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15566"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MXESCOVI7AVRNC7HEAMFM7PMEO6D3AUH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VB3QJJZV23Z2IDYEMIHELWYSQBUEW6JP"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202007-02"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4723"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00024.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00031.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/07/07/2"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-317.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2VG2-F293-3RC8

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x improperly handle an exceptional condition. A remote low privileged user could potentially exploit this vulnerability, leading to unauthorized information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-16T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell EMC PowerScale OneFS versions 8.2.x - 9.2.x improperly handle an exceptional condition. A remote low privileged user could potentially exploit this vulnerability, leading to unauthorized information disclosure.",
  "id": "GHSA-2vg2-f293-3rc8",
  "modified": "2022-05-24T19:11:27Z",
  "published": "2022-05-24T19:11:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21592"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000190408"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2VP3-CRWQ-3FG5

Vulnerability from github – Published: 2025-07-16 09:31 – Updated: 2025-11-05 00:31
VLAI
Details

Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional logic to set up and recover the changes to the arithmetic flags.

For replayed instructions where the flags recovery logic is used, the metadata for exception handling was incorrect, preventing Xen from handling the the exception gracefully, treating it as fatal instead.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27465"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-16T09:15:23Z",
    "severity": "MODERATE"
  },
  "details": "Certain instructions need intercepting and emulating by Xen.  In some\ncases Xen emulates the instruction by replaying it, using an executable\nstub.  Some instructions may raise an exception, which is supposed to be\nhandled gracefully.  Certain replayed instructions have additional logic\nto set up and recover the changes to the arithmetic flags.\n\nFor replayed instructions where the flags recovery logic is used, the\nmetadata for exception handling was incorrect, preventing Xen from\nhandling the the exception gracefully, treating it as fatal instead.",
  "id": "GHSA-2vp3-crwq-3fg5",
  "modified": "2025-11-05T00:31:21Z",
  "published": "2025-07-16T09:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27465"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xenproject.org/xsa/advisory-470.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/01/1"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-470.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.