Common Weakness Enumeration

CWE-75

Discouraged

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

Abstraction: Class · Status: Draft

The product does not adequately filter user-controlled input for special elements with control implications.

59 vulnerabilities reference this CWE, most recent first.

GHSA-MXV6-M383-394F

Vulnerability from github – Published: 2023-01-04 21:30 – Updated: 2023-01-11 03:30
VLAI
Details

** DISPUTED ** The tf_remapper_node component 1.1.1 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot's behavior. This occurs because a topic name depends on the attacker-controlled old_tf_topic_name and/or new_tf_topic_name parameter. NOTE: the vendor's position is "it is the responsibility of the programmer to make sure that only known and required parameters are set and unexpected parameters are not."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-04T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "** DISPUTED ** The tf_remapper_node component 1.1.1 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot\u0027s behavior. This occurs because a topic name depends on the attacker-controlled old_tf_topic_name and/or new_tf_topic_name parameter. NOTE: the vendor\u0027s position is \"it is the responsibility of the programmer to make sure that only known and required parameters are set and unexpected parameters are not.\"",
  "id": "GHSA-mxv6-m383-394f",
  "modified": "2023-01-11T03:30:17Z",
  "published": "2023-01-04T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48217"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tradr-project/tf_remapper_cpp/issues/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PW86-GVC3-5WVH

Vulnerability from github – Published: 2024-04-08 15:30 – Updated: 2024-08-01 15:31
VLAI
Details

In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getWiFiExtenderConfig.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31812"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-08T13:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getWiFiExtenderConfig.",
  "id": "GHSA-pw86-gvc3-5wvh",
  "modified": "2024-08-01T15:31:37Z",
  "published": "2024-04-08T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31812"
    },
    {
      "type": "WEB",
      "url": "https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/Leak_getWiFiExtenderConfig/Leak.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QMQH-R82R-6Q87

Vulnerability from github – Published: 2024-07-01 18:32 – Updated: 2024-07-01 18:32
VLAI
Details

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312, an admin user could store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. This could potentially cause a persistent cross-site scripting (XSS) exploit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36997"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-01T17:15:09Z",
    "severity": "HIGH"
  },
  "details": "In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312, an admin user could store and execute arbitrary JavaScript code in the browser context of another Splunk user through the conf-web/settings REST endpoint. This could potentially cause a persistent cross-site scripting (XSS) exploit.",
  "id": "GHSA-qmqh-r82r-6q87",
  "modified": "2024-07-01T18:32:41Z",
  "published": "2024-07-01T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36997"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2024-0717"
    },
    {
      "type": "WEB",
      "url": "https://research.splunk.com/application/ed1209ef-228d-4dab-9856-be9369925a5c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R7R6-CC7P-4V5M

Vulnerability from github – Published: 2025-10-10 22:51 – Updated: 2025-10-13 15:47
VLAI
Summary
python-ldap has sanitization bypass in ldap.filter.escape_filter_chars
Details

Summary

The sanitization method ldap.filter.escape_filter_chars can be tricked to skip escaping of special characters when a crafted list or dict is supplied as the assertion_value parameter, and the non-default escape_mode=1 is configured.

Details

The method ldap.filter.escape_filter_chars supports 3 different escaping modes. escape_mode=0 (default) and escape_mode=2 happen to raise exceptions when a list or dict object is supplied as the assertion_value parameter. However, escape_mode=1 happily computes without performing adequate logic to ensure a fully escaped return value.

PoC

>>> import ldap.filter

Exploitable

>>> ldap.filter.escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
'abc@*()/xyz'
>>> ldap.filter.escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
'abc@*()/xyz'

Not exploitable

>>> ldap.filter.escape_filter_chars("abc@*()/xyz", escape_mode=1)
'abc@\\2a\\28\\29\\2fxyz'
>>> ldap.filter.escape_filter_chars(["abc@*()/xyz"], escape_mode=0)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib64/python3.12/site-packages/ldap/filter.py", line 41, in escape_filter_chars
    s = assertion_value.replace('\\', r'\5c')
        ^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'list' object has no attribute 'replace'
>>> ldap.filter.escape_filter_chars(["abc@*()/xyz"], escape_mode=2)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib64/python3.12/site-packages/ldap/filter.py", line 36, in escape_filter_chars
    r.append("\\%02x" % ord(c))
                        ^^^^^^
TypeError: ord() expected a character, but string of length 11 found

Impact

If an application relies on the vulnerable method in the python-ldap library to escape untrusted user input, an attacker might be able to abuse the vulnerability to launch ldap injection attacks which could potentially disclose or manipulate ldap data meant to be inaccessible to them.

With Python being a dynamically typed language, and the commonly used JSON format supporting list and dict, it is to be expected that Python applications may commonly forward unchecked and potentially malicious list and dict objects to the vulnerable sanitization method.

The vulnerable escape_mode=1 configuration does not appear to be widely used.

Suggested Fix

Add a type check at the start of the ldap.filter.escape_filter_chars method to raise an exception when the supplied assertion_value parameter is not of type str.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-ldap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61911"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75",
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-10T22:51:28Z",
    "nvd_published_at": "2025-10-10T22:15:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` or `dict` is supplied as the `assertion_value` parameter, and the non-default `escape_mode=1` is configured.\n\n### Details\nThe method `ldap.filter.escape_filter_chars` supports 3 different escaping modes. `escape_mode=0` (default) and `escape_mode=2` happen to raise exceptions when a `list` or `dict` object is supplied as the `assertion_value` parameter. However, `escape_mode=1` happily computes without performing adequate logic to ensure a fully escaped return value.\n\n### PoC\n```\n\u003e\u003e\u003e import ldap.filter\n```\n**Exploitable**\n```\n\u003e\u003e\u003e ldap.filter.escape_filter_chars([\"abc@*()/xyz\"], escape_mode=1)\n\u0027abc@*()/xyz\u0027\n\u003e\u003e\u003e ldap.filter.escape_filter_chars({\"abc@*()/xyz\": 1}, escape_mode=1)\n\u0027abc@*()/xyz\u0027\n```\n**Not exploitable**\n```\n\u003e\u003e\u003e ldap.filter.escape_filter_chars(\"abc@*()/xyz\", escape_mode=1)\n\u0027abc@\\\\2a\\\\28\\\\29\\\\2fxyz\u0027\n\u003e\u003e\u003e ldap.filter.escape_filter_chars([\"abc@*()/xyz\"], escape_mode=0)\nTraceback (most recent call last):\n  File \"\u003cstdin\u003e\", line 1, in \u003cmodule\u003e\n  File \"/usr/local/lib64/python3.12/site-packages/ldap/filter.py\", line 41, in escape_filter_chars\n    s = assertion_value.replace(\u0027\\\\\u0027, r\u0027\\5c\u0027)\n        ^^^^^^^^^^^^^^^^^^^^^^^\nAttributeError: \u0027list\u0027 object has no attribute \u0027replace\u0027\n\u003e\u003e\u003e ldap.filter.escape_filter_chars([\"abc@*()/xyz\"], escape_mode=2)\nTraceback (most recent call last):\n  File \"\u003cstdin\u003e\", line 1, in \u003cmodule\u003e\n  File \"/usr/local/lib64/python3.12/site-packages/ldap/filter.py\", line 36, in escape_filter_chars\n    r.append(\"\\\\%02x\" % ord(c))\n                        ^^^^^^\nTypeError: ord() expected a character, but string of length 11 found\n```\n### Impact\nIf an application relies on the vulnerable method in the `python-ldap` library to escape untrusted user input, an attacker might be able to abuse the vulnerability to launch ldap injection attacks which could potentially disclose or manipulate ldap data meant to be inaccessible to them.\n\nWith Python being a dynamically typed language, and the commonly used `JSON` format supporting `list` and `dict`, it is to be expected that Python applications may commonly forward unchecked and potentially malicious `list` and `dict` objects to the vulnerable sanitization method.\n\nThe vulnerable `escape_mode=1` configuration does not appear to be widely used.\n\n### Suggested Fix\nAdd a type check at the start of the `ldap.filter.escape_filter_chars` method to raise an exception when the supplied `assertion_value` parameter is not of type `str`.",
  "id": "GHSA-r7r6-cc7p-4v5m",
  "modified": "2025-10-13T15:47:36Z",
  "published": "2025-10-10T22:51:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r7r6-cc7p-4v5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61911"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-ldap/python-ldap/commit/3957526fb1852e84b90f423d9fef34c7af25b85a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python-ldap/python-ldap"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "python-ldap has sanitization bypass in ldap.filter.escape_filter_chars"
}

GHSA-RJ5F-VM79-5J84

Vulnerability from github – Published: 2022-10-19 19:00 – Updated: 2024-10-08 12:56
VLAI
Summary
OctoPrint vulnerable to Special Element Injection
Details

OctoPrint prior to 1.8.3 is vulnerable to Special Element Injection.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "OctoPrint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3607"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-75"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-19T22:21:33Z",
    "nvd_published_at": "2022-10-19T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OctoPrint prior to 1.8.3 is vulnerable to Special Element Injection.",
  "id": "GHSA-rj5f-vm79-5j84",
  "modified": "2024-10-08T12:56:58Z",
  "published": "2022-10-19T19:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3607"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octoprint/octoprint/commit/3cca3a43f3d085e9bbe5a5840c8255bb1b5d052e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octoprint/octoprint"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2022-42975.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/2d1db3c9-93e8-4902-a55b-5ea53c22aa11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OctoPrint vulnerable to Special Element Injection"
}

GHSA-RMQP-9W4C-GC7W

Vulnerability from github – Published: 2023-09-05 15:30 – Updated: 2025-02-13 19:11
VLAI
Summary
Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService
Details

When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE.

As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.axis:axis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "axis:axis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40743"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-75"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-18T22:22:36Z",
    "nvd_published_at": "2023-09-05T15:15:42Z",
    "severity": "CRITICAL"
  },
  "details": "When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through \"ServiceFactory.getService\" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to \"ServiceFactory.getService\", or by applying the patch from  https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.",
  "id": "GHSA-rmqp-9w4c-gc7w",
  "modified": "2025-02-13T19:11:39Z",
  "published": "2023-09-05T15:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40743"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/axis-axis1-java"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService"
}

GHSA-RP2C-JRGP-CVR8

Vulnerability from github – Published: 2021-12-16 15:32 – Updated: 2021-12-06 22:08
VLAI
Summary
Code injection in plupload
Details

This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "plupload"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23562"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434",
      "CWE-75"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-06T22:08:43Z",
    "nvd_published_at": "2021-12-03T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user to upload this kind of file.",
  "id": "GHSA-rp2c-jrgp-cvr8",
  "modified": "2021-12-06T22:08:43Z",
  "published": "2021-12-16T15:32:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23562"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moxiecode/plupload/commit/d12175d4b5fa799b994ee1bb17bfbeec55b386fb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/moxiecode/plupload"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moxiecode/plupload/blob/master/js/jquery.plupload.queue/jquery.plupload.queue.js%23L226"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2306665"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2306663"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMOXIECODE-2306664"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-PLUPLOAD-1583909"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Code injection in plupload"
}

GHSA-V9HM-FCQ5-J7H7

Vulnerability from github – Published: 2024-04-08 15:30 – Updated: 2024-08-01 15:31
VLAI
Details

TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a Denial-of-Service (DoS) vulnerability in the RebootSystem function which can reboot the system without authorization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31806"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-75"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-08T13:15:08Z",
    "severity": "MODERATE"
  },
  "details": "TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a Denial-of-Service (DoS) vulnerability in the RebootSystem function which can reboot the system without authorization.",
  "id": "GHSA-v9hm-fcq5-j7h7",
  "modified": "2024-08-01T15:31:37Z",
  "published": "2024-04-08T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31806"
    },
    {
      "type": "WEB",
      "url": "https://github.com/4hsien/CVE-vulns/blob/main/TOTOLINK/EX200/DoS_RebootSystem/DoS.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVW3-6Q4F-2GCV

Vulnerability from github – Published: 2023-03-30 21:30 – Updated: 2024-03-27 15:30
VLAI
Details

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-75"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-30T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in input validation exists in curl \u003c8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and \"telnet options\" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application\u0027s intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.",
  "id": "GHSA-xvw3-6q4f-2gcv",
  "modified": "2024-03-27T15:30:36Z",
  "published": "2023-03-30T21:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27533"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1891474"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202310-12"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230420-0011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Programming languages and supporting technologies might be chosen which are not subject to these issues.

Mitigation
Implementation

Utilize an appropriate mix of allowlist and denylist parsing to filter special element syntax from all input.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-93: Log Injection-Tampering-Forging

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.