CWE-755
DiscouragedImproper Handling of Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not handle or incorrectly handles an exceptional condition.
686 vulnerabilities reference this CWE, most recent first.
GHSA-7HWJ-X2VH-JQV9
Vulnerability from github – Published: 2024-11-19 18:31 – Updated: 2025-11-04 00:32In the Linux kernel, the following vulnerability has been resolved:
media: dvbdev: prevent the risk of out of memory access
The dvbdev contains a static variable used to store dvb minors.
The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set or not. When not set, dvb_register_device() won't check for boundaries, as it will rely that a previous call to dvb_register_adapter() would already be enforcing it.
On a similar way, dvb_device_open() uses the assumption that the register functions already did the needed checks.
This can be fragile if some device ends using different calls. This also generate warnings on static check analysers like Coverity.
So, add explicit guards to prevent potential risk of OOM issues.
{
"affected": [],
"aliases": [
"CVE-2024-53063"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-19T18:15:26Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvbdev: prevent the risk of out of memory access\n\nThe dvbdev contains a static variable used to store dvb minors.\n\nThe behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set\nor not. When not set, dvb_register_device() won\u0027t check for\nboundaries, as it will rely that a previous call to\ndvb_register_adapter() would already be enforcing it.\n\nOn a similar way, dvb_device_open() uses the assumption\nthat the register functions already did the needed checks.\n\nThis can be fragile if some device ends using different\ncalls. This also generate warnings on static check analysers\nlike Coverity.\n\nSo, add explicit guards to prevent potential risk of OOM issues.",
"id": "GHSA-7hwj-x2vh-jqv9",
"modified": "2025-11-04T00:32:05Z",
"published": "2024-11-19T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53063"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1e461672616b726f29261ee81bb991528818537c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b88675e18b6517043a6f734eaa8ea6eb3bfa140"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f76f7df14861e3a560898fa41979ec92424b58f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/972e63e895abbe8aa1ccbdbb4e6362abda7cd457"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c17085fabbde2041c893d29599800f2d4992b23"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a4a17210c03ade1c8d9a9f193a105654b7a05c11"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b751a96025275c17f04083cbfe856822f1658946"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fedfde9deb83ac8d2f3d5f36f111023df34b1684"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7J85-MWFJ-2GR8
Vulnerability from github – Published: 2023-07-28 03:30 – Updated: 2023-07-28 03:30An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service. Fixed in 1.14.1, 1.13.5, and 1.12.9.
{
"affected": [],
"aliases": [
"CVE-2023-3774"
],
"database_specific": {
"cwe_ids": [
"CWE-703",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-28T01:15:09Z",
"severity": null
},
"details": "An unhandled error in Vault Enterprise\u0027s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. Fixed in 1.14.1, 1.13.5, and 1.12.9.",
"id": "GHSA-7j85-mwfj-2gr8",
"modified": "2023-07-28T03:30:12Z",
"published": "2023-07-28T03:30:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3774"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2023-23-vault-enterprise-namespace-creation-may-lead-to-denial-of-service/56617"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7MQR-2V3Q-V2WM
Vulnerability from github – Published: 2021-05-24 16:57 – Updated: 2023-02-14 00:21Impact
The TokenRevocationHandler ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this for her advantage depends on the ability to trigger errors in the store.
References
RFC 7009 states that a 503 HTTP code must be returned when the server has a problem.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ory/fosite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.34.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15223"
],
"database_specific": {
"cwe_ids": [
"CWE-754",
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-24T12:53:07Z",
"nvd_published_at": "2020-09-24T17:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe `TokenRevocationHandler` ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can use this for her advantage depends on the ability to trigger errors in the store.\n\n### References\n[RFC 7009](https://tools.ietf.org/html/rfc7009#section-2.2.1) states that a 503 HTTP code must be returned when the server has a problem.",
"id": "GHSA-7mqr-2v3q-v2wm",
"modified": "2023-02-14T00:21:03Z",
"published": "2021-05-24T16:57:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ory/fosite/security/advisories/GHSA-7mqr-2v3q-v2wm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15223"
},
{
"type": "WEB",
"url": "https://github.com/ory/fosite/commit/03dd55813f5521985f7dd64277b7ba0cf1441319"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0109"
},
{
"type": "WEB",
"url": "https://tools.ietf.org/html/rfc7009#section-2.2.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ory fosite contains Improper Handling of Exceptional Conditions "
}
GHSA-7P74-P32G-2V26
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14A vulnerability in SonicWall SonicOS and SonicOSv, allow authenticated read-only admin to leave the firewall in an unstable state by downloading certificate with specific extension. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier, Gen 6 version 6.2.7.3, 6.5.1.3, 6.5.2.2, 6.5.3.1, 6.2.7.8, 6.4.0.0, 6.5.1.8, 6.0.5.3-86o and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V).
{
"affected": [],
"aliases": [
"CVE-2019-7474"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-02T18:30:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in SonicWall SonicOS and SonicOSv, allow authenticated read-only admin to leave the firewall in an unstable state by downloading certificate with specific extension. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier, Gen 6 version 6.2.7.3, 6.5.1.3, 6.5.2.2, 6.5.3.1, 6.2.7.8, 6.4.0.0, 6.5.1.8, 6.0.5.3-86o and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V).",
"id": "GHSA-7p74-p32g-2v26",
"modified": "2022-05-13T01:14:52Z",
"published": "2022-05-13T01:14:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7474"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7PP3-X5H4-FX5V
Vulnerability from github – Published: 2023-09-13 15:31 – Updated: 2024-04-04 07:39A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths.
{
"affected": [],
"aliases": [
"CVE-2023-27998"
],
"database_specific": {
"cwe_ids": [
"CWE-755",
"CWE-756"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-13T13:15:08Z",
"severity": "MODERATE"
},
"details": "A lack of custom error pages vulnerability [CWE-756] in FortiPresence versions 1.2.0 through 1.2.1 and all versions of 1.1 and 1.0 may allow an unauthenticated attacker with the ability to navigate to the login GUI to gain sensitive information via navigating to specific HTTP(s) paths.",
"id": "GHSA-7pp3-x5h4-fx5v",
"modified": "2024-04-04T07:39:06Z",
"published": "2023-09-13T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27998"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-288"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7RP2-Q3M6-W939
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46RRC sends a connection establishment success to NAS even though connection setup validation returns failure and leads to denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile
{
"affected": [],
"aliases": [
"CVE-2020-11243"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-07T08:15:00Z",
"severity": "HIGH"
},
"details": "RRC sends a connection establishment success to NAS even though connection setup validation returns failure and leads to denial of service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Mobile",
"id": "GHSA-7rp2-q3m6-w939",
"modified": "2022-05-24T17:46:43Z",
"published": "2022-05-24T17:46:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11243"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/april-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7RW7-XM59-WMR8
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45Multiple vulnerabilities in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to cause the web UI software to become unresponsive and consume vty line instances, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient error handling in the web UI. An attacker could exploit these vulnerabilities by sending crafted HTTP packets to an affected device. A successful exploit could allow the attacker to cause the web UI software to become unresponsive and consume all available vty lines, preventing new session establishment and resulting in a DoS condition. Manual intervention would be required to regain web UI and vty session functionality. Note: These vulnerabilities do not affect the console connection.
{
"affected": [],
"aliases": [
"CVE-2021-1356"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-24T21:15:00Z",
"severity": "MODERATE"
},
"details": "Multiple vulnerabilities in the web UI of Cisco IOS XE Software could allow an authenticated, remote attacker with read-only privileges to cause the web UI software to become unresponsive and consume vty line instances, resulting in a denial of service (DoS) condition. These vulnerabilities are due to insufficient error handling in the web UI. An attacker could exploit these vulnerabilities by sending crafted HTTP packets to an affected device. A successful exploit could allow the attacker to cause the web UI software to become unresponsive and consume all available vty lines, preventing new session establishment and resulting in a DoS condition. Manual intervention would be required to regain web UI and vty session functionality. Note: These vulnerabilities do not affect the console connection.",
"id": "GHSA-7rw7-xm59-wmr8",
"modified": "2022-05-24T17:45:11Z",
"published": "2022-05-24T17:45:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1356"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xe-webui-dos-z9yqYQAn"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7VJF-QW8C-2V29
Vulnerability from github – Published: 2023-08-14 18:32 – Updated: 2024-04-04 06:55Improper frame handling in the Zyxel XGS2220-30 firmware version V4.80(ABXN.1), XMG1930-30 firmware version V4.80(ACAR.1), and XS1930-10 firmware version V4.80(ABQE.1) could allow an unauthenticated LAN-based attacker to cause denial-of-service (DoS) conditions by sending crafted frames to an affected switch.
{
"affected": [],
"aliases": [
"CVE-2023-28768"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-14T17:15:10Z",
"severity": "MODERATE"
},
"details": "Improper frame handling in the Zyxel XGS2220-30 firmware version V4.80(ABXN.1), XMG1930-30 firmware version V4.80(ACAR.1), and XS1930-10 firmware version\u00a0V4.80(ABQE.1) could allow an unauthenticated LAN-based attacker to cause denial-of-service (DoS) conditions by sending crafted frames to an affected switch.",
"id": "GHSA-7vjf-qw8c-2v29",
"modified": "2024-04-04T06:55:05Z",
"published": "2023-08-14T18:32:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28768"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-dos-vulnerability-of-xgs2220-xmg1930-and-xs1930-series-switches"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7VM6-QWH5-9X44
Vulnerability from github – Published: 2024-11-04 23:22 – Updated: 2024-11-05 18:35Summary
loona-hpack suffers from the same vulnerability as the original hpack as documented in https://github.com/mlalic/hpack-rs/issues/11
Details
The original includes a very nice description of the problem, as well as an easy-enough fix for it.
PoC
The original example pretty much still applies:
use loona_hpack::Decoder;
pub fn main() {
let input = &[0x3f];
let mut decoder = Decoder::new();
let _ = decoder.decode(input);
}
Impact
From the original:
All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. A patched version of the crate is available on [crates.io](https://crates.io/crates/hpack-patched) under the name hpack-patched. See [Cargo's documentation on overriding dependencies](https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html) for more information.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.4.2"
},
"package": {
"ecosystem": "crates.io",
"name": "loona-hpack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-51502"
],
"database_specific": {
"cwe_ids": [
"CWE-754",
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-04T23:22:33Z",
"nvd_published_at": "2024-11-04T23:15:05Z",
"severity": "MODERATE"
},
"details": "### Summary\n`loona-hpack` suffers from the same vulnerability as the original `hpack` as documented in https://github.com/mlalic/hpack-rs/issues/11 \n\n### Details\nThe original includes a very nice description of the problem, as well as an easy-enough fix for it.\n\n### PoC\nThe original example pretty much still applies:\n```rust\nuse loona_hpack::Decoder;\n\npub fn main() {\n let input = \u0026[0x3f];\n let mut decoder = Decoder::new();\n let _ = decoder.decode(input);\n}\n```\n\n### Impact\nFrom the original:\n`All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. A patched version of the crate is available on [crates.io](https://crates.io/crates/hpack-patched) under the name hpack-patched. See [Cargo\u0027s documentation on overriding dependencies](https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html) for more information.`\n",
"id": "GHSA-7vm6-qwh5-9x44",
"modified": "2024-11-05T18:35:38Z",
"published": "2024-11-04T23:22:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bearcove/loona/security/advisories/GHSA-7vm6-qwh5-9x44"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51502"
},
{
"type": "WEB",
"url": "https://github.com/mlalic/hpack-rs/issues/11"
},
{
"type": "WEB",
"url": "https://github.com/bearcove/loona/commit/9a4028ec6484f50a320281271a41a5040ddb1ba8"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-w7hm-hmxv-pvhf"
},
{
"type": "PACKAGE",
"url": "https://github.com/bearcove/loona"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "loona-hpack Panic Vulnerability"
}
GHSA-7VV7-V9GP-WHMR
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2022-05-24 16:45Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.
{
"affected": [],
"aliases": [
"CVE-2019-3558"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-06T16:29:00Z",
"severity": "HIGH"
},
"details": "Python Facebook Thrift servers would not error upon receiving messages with containers of fields of unknown type. As a result, malicious clients could send short messages which would take a long time for the server to parse, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.02.18.00.",
"id": "GHSA-7vv7-v9gp-whmr",
"modified": "2022-05-24T16:45:14Z",
"published": "2022-05-24T16:45:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3558"
},
{
"type": "WEB",
"url": "https://github.com/facebook/fbthrift/commit/c5d6e07588cd03061bc54d451a7fa6e84883d62b"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2019-3558"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108274"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.