Common Weakness Enumeration

CWE-284

Discouraged

Improper Access Control

Abstraction: Pillar · Status: Incomplete

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

7802 vulnerabilities reference this CWE, most recent first.

GHSA-W4FH-P39J-749C

Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-02 00:01
VLAI
Details

The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that we can see (bruteforcing comment id's might also be an option but I wouldn't count on it, since it would take a long time to find a valid one).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-29T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that we can see (bruteforcing comment id\u0027s might also be an option but I wouldn\u0027t count on it, since it would take a long time to find a valid one).",
  "id": "GHSA-w4fh-p39j-749c",
  "modified": "2022-09-02T00:01:03Z",
  "published": "2022-08-29T20:06:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3019"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tooljet/tooljet/commit/45e0d3302d92df7d7f2d609c31cea71165600b79"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a610300b-ce3c-4995-8337-11942b3621bf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W4H4-7MQM-9J6C

Vulnerability from github – Published: 2022-05-17 00:15 – Updated: 2022-05-17 00:15
VLAI
Details

ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Manager (aka RHEV-M) for Servers and RHEV-M 4.0, allows physically proximate attackers to bypass a webadmin session timeout restriction via vectors related to UI selections, which trigger repeating queries.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-6338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-20T17:59:00Z",
    "severity": "MODERATE"
  },
  "details": "ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Manager (aka RHEV-M) for Servers and RHEV-M 4.0, allows physically proximate attackers to bypass a webadmin session timeout restriction via vectors related to UI selections, which trigger repeating queries.",
  "id": "GHSA-w4h4-7mqm-9j6c",
  "modified": "2022-05-17T00:15:51Z",
  "published": "2022-05-17T00:15:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6338"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:3427"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2016-6338"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1369285"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/92666"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W4MH-9FW9-766V

Vulnerability from github – Published: 2022-05-05 00:00 – Updated: 2022-05-12 00:01
VLAI
Details

Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-04T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Multiple vulnerabilities in Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an attacker to escape from the guest virtual machine (VM) to the host machine, inject commands that execute at the root level, or leak system data from the host to the VM. For more information about these vulnerabilities, see the Details section of this advisory.",
  "id": "GHSA-w4mh-9fw9-766v",
  "modified": "2022-05-12T00:01:01Z",
  "published": "2022-05-05T00:00:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-v56f-9gq3-rx3g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20777"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-NFVIS-MUL-7DySRX9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W4QQ-74H6-58WQ

Vulnerability from github – Published: 2026-05-19 16:25 – Updated: 2026-06-09 10:28
VLAI
Summary
AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`
Details

Summary

The endpoint requires no authentication. An unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via .. traversal.

Details

view/img/image404Raw.php reads the image GET parameter and joins it directly into a filesystem path served via readfile(). view/img/image404Raw.php (full file, current master @ 0dbadbcaaa1b415c7db078a72dc4b26d9fac0485):

<?php

// Fetch requested image URL
$imageURL = !empty($_GET['image']) ? $_GET['image'] : $_SERVER["REQUEST_URI"];
$rootDir = dirname(__FILE__) . '/../../';
if ($imageURL == 'favicon.ico') {
    $imgLocalFile = "{$rootDir}/videos/{$imageURL}";
} else {
    $imgLocalFile = "{$rootDir}/{$imageURL}";   // ← attacker-controlled
}

if (file_exists($imgLocalFile)) {
    $imageInfo = getimagesize($imgLocalFile);   // ← format gate
    if (empty($imageInfo)) {
        die('not image');
    }
    // …extension → Content-Type mapping…
    header("HTTP/1.0 200 OK");
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($imgLocalFile));
    readfile($imgLocalFile);   // ← exfil bytes
    exit;
}

Issues:

  1. No authentication. The file is reachable via direct GET; no require of globals.php, no session check, no API-key gate.
  2. No basename / realpath / prefix containment. $_GET['image'] is concatenated into $imgLocalFile with no .. filtering, no realpath() resolution, no allowlist check against the intended view/img/ directory.
  3. getimagesize() is a magic-bytes check, not a path constraint. Any file on disk whose first bytes match a recognized image format (FFD8FF JPEG, 89504E47 PNG, 474946 GIF, 52494646…57454250 WebP) passes the gate — including images stored outside any ACL'd area of the application.
  4. $_SERVER["REQUEST_URI"] fallback when image is empty widens the attack surface (path components in the URI itself land in $imgLocalFile).

Re-verified pre-submission on 2026-05-13 against view/img/image404Raw.php blob SHA c670b0faff4fbea1fd0508f179956975477d4340 — unsafe shape unchanged since first discovery on 2026-05-12.

Recommended fix — three layered checks, any one alone is insufficient:

// view/img/image404Raw.php — proposed fix
<?php

$imageURL = !empty($_GET['image']) ? $_GET['image'] : '';
if ($imageURL === '') {
    http_response_code(400);
    exit('bad request');
}

// 1. Reject any path-traversal segment outright.
if (strpos($imageURL, '..') !== false
    || strpos($imageURL, "\0") !== false
    || strpos($imageURL, '://') !== false) {
    http_response_code(400);
    exit('bad request');
}

// 2. Resolve to a real path and verify prefix containment under the
//    intended image directory.
$rootDir = realpath(dirname(__FILE__) . '/../../');
$imgLocalFile = realpath($rootDir . '/' . $imageURL);
if ($imgLocalFile === false
    || (strpos($imgLocalFile, $rootDir . '/videos/') !== 0
        && strpos($imgLocalFile, $rootDir . '/view/img/') !== 0)) {
    http_response_code(404);
    exit('not found');
}

// 3. Existing getimagesize() check stays as defense-in-depth.
if (!is_file($imgLocalFile)) {
    http_response_code(404);
    exit('not found');
}
$imageInfo = @getimagesize($imgLocalFile);
if (empty($imageInfo)) {
    http_response_code(404);
    exit('not image');
}

// …rest of the original Content-Type + readfile() flow unchanged…

Drop the $_SERVER["REQUEST_URI"] fallback entirely; if no image parameter is provided, return 400.

PoC

Discovery probe — any HTTP client, no authentication, no cookies:

GET /view/img/image404Raw.php?image=../videos/userPhoto/photo1.jpg HTTP/1.1
Host: avideo.example.com

If videos/userPhoto/photo1.jpg exists on the server, the response is the raw image bytes (HTTP 200, Content-Type: image/jpeg). The application's normal user-photo serving wrapper (which can gate by session / channel ownership) is bypassed entirely.

Cross-directory probe — read images outside the AVideo install root:

GET /view/img/image404Raw.php?image=../../../var/www/other-app/uploads/users/admin.jpg HTTP/1.1
Host: avideo.example.com

If the PHP user has read access to a sibling app's image directory, those files are exfiltrable too.

Enumeration — iterate over predictable numeric IDs:

GET /view/img/image404Raw.php?image=../videos/userPhoto/photo1.jpg
GET /view/img/image404Raw.php?image=../videos/userPhoto/photo2.jpg
GET /view/img/image404Raw.php?image=../videos/userPhoto/photo3.jpg
...

…to harvest all profile images regardless of the application's intended privacy controls.

Impact

Path traversal → arbitrary image read (CWE-22 + CWE-284). Affects any AVideo deployment running master through commit 0dbadbca and likely every release on the supported branches. The attacker:

  1. Bypasses the application's image-content ACLs. Profile photos under videos/userPhoto/ and admin-uploaded private thumbnails that AVideo's normal image-serving wrappers gate by session / channel ownership become readable to any anonymous internet user.
  2. Reads images stored outside the AVideo install root. On shared-hosting / multi-tenant deployments, .. traversal lets the attacker page into sibling-app upload directories — anywhere the PHP user has read access on disk and the target file's first bytes form a valid image header.
  3. Enables enumeration at scale. Numeric ID schemes (photo1.jpg, photo2.jpg, …) and predictable filenames let an attacker harvest every private image on a deployment without detection (each request looks like a single 200-image-OK to the web log).

Because the read primitive is restricted to image-magic-bytes files, there is no source-code or credential exfiltration via this primitive alone — but the privacy / GDPR exposure is substantial on any deployment that hosts user-uploaded photos. CVSS 5.3 (Medium) reflects the limited but real confidentiality impact; many operators will rate this higher because the leaked content is user-private by intent.

This is not a silent-fix disclosure — the bug is still present on current master at submission time; the maintainer is being notified of a previously-unknown issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "WWBN/AVideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-284",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T16:25:27Z",
    "nvd_published_at": "2026-05-29T14:16:31Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe endpoint requires **no authentication**. An unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open \u2014 including private user-profile photos that the application\u0027s normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via `..` traversal.\n\n### Details\n`view/img/image404Raw.php` reads the `image` GET parameter and joins it directly into a filesystem path served via `readfile()`.  `view/img/image404Raw.php` (full file, current `master` @ `0dbadbcaaa1b415c7db078a72dc4b26d9fac0485`):\n\n```php\n\u003c?php\n\n// Fetch requested image URL\n$imageURL = !empty($_GET[\u0027image\u0027]) ? $_GET[\u0027image\u0027] : $_SERVER[\"REQUEST_URI\"];\n$rootDir = dirname(__FILE__) . \u0027/../../\u0027;\nif ($imageURL == \u0027favicon.ico\u0027) {\n    $imgLocalFile = \"{$rootDir}/videos/{$imageURL}\";\n} else {\n    $imgLocalFile = \"{$rootDir}/{$imageURL}\";   // \u2190 attacker-controlled\n}\n\nif (file_exists($imgLocalFile)) {\n    $imageInfo = getimagesize($imgLocalFile);   // \u2190 format gate\n    if (empty($imageInfo)) {\n        die(\u0027not image\u0027);\n    }\n    // \u2026extension \u2192 Content-Type mapping\u2026\n    header(\"HTTP/1.0 200 OK\");\n    header(\u0027Content-Type: \u0027 . $type);\n    header(\u0027Content-Length: \u0027 . filesize($imgLocalFile));\n    readfile($imgLocalFile);   // \u2190 exfil bytes\n    exit;\n}\n```\n\nIssues:\n\n1. **No authentication.** The file is reachable via direct GET; no `require` of `globals.php`, no session check, no API-key gate.\n2. **No basename / realpath / prefix containment.** `$_GET[\u0027image\u0027]`  is concatenated into `$imgLocalFile` with no `..` filtering, no `realpath()` resolution, no allowlist check against the intended `view/img/` directory.\n3. **`getimagesize()` is a magic-bytes check, not a path constraint.**  Any file on disk whose first bytes match a recognized image format (`FFD8FF` JPEG, `89504E47` PNG, `474946` GIF, `52494646\u202657454250` WebP) passes the gate \u2014 including images stored outside any ACL\u0027d area of the application.\n4. **`$_SERVER[\"REQUEST_URI\"]` fallback** when `image` is empty widens the attack surface (path components in the URI itself land in `$imgLocalFile`).\n\n**Re-verified pre-submission** on 2026-05-13 against `view/img/image404Raw.php` blob SHA `c670b0faff4fbea1fd0508f179956975477d4340` \u2014 unsafe shape unchanged since first discovery on 2026-05-12.\n\n**Recommended fix** \u2014 three layered checks, any one alone is insufficient:\n\n```php\n// view/img/image404Raw.php \u2014 proposed fix\n\u003c?php\n\n$imageURL = !empty($_GET[\u0027image\u0027]) ? $_GET[\u0027image\u0027] : \u0027\u0027;\nif ($imageURL === \u0027\u0027) {\n    http_response_code(400);\n    exit(\u0027bad request\u0027);\n}\n\n// 1. Reject any path-traversal segment outright.\nif (strpos($imageURL, \u0027..\u0027) !== false\n    || strpos($imageURL, \"\\0\") !== false\n    || strpos($imageURL, \u0027://\u0027) !== false) {\n    http_response_code(400);\n    exit(\u0027bad request\u0027);\n}\n\n// 2. Resolve to a real path and verify prefix containment under the\n//    intended image directory.\n$rootDir = realpath(dirname(__FILE__) . \u0027/../../\u0027);\n$imgLocalFile = realpath($rootDir . \u0027/\u0027 . $imageURL);\nif ($imgLocalFile === false\n    || (strpos($imgLocalFile, $rootDir . \u0027/videos/\u0027) !== 0\n        \u0026\u0026 strpos($imgLocalFile, $rootDir . \u0027/view/img/\u0027) !== 0)) {\n    http_response_code(404);\n    exit(\u0027not found\u0027);\n}\n\n// 3. Existing getimagesize() check stays as defense-in-depth.\nif (!is_file($imgLocalFile)) {\n    http_response_code(404);\n    exit(\u0027not found\u0027);\n}\n$imageInfo = @getimagesize($imgLocalFile);\nif (empty($imageInfo)) {\n    http_response_code(404);\n    exit(\u0027not image\u0027);\n}\n\n// \u2026rest of the original Content-Type + readfile() flow unchanged\u2026\n```\n\nDrop the `$_SERVER[\"REQUEST_URI\"]` fallback entirely; if no `image`\nparameter is provided, return 400.\n\n### PoC\n\nDiscovery probe \u2014 any HTTP client, no authentication, no cookies:\n\n```http\nGET /view/img/image404Raw.php?image=../videos/userPhoto/photo1.jpg HTTP/1.1\nHost: avideo.example.com\n```\n\nIf `videos/userPhoto/photo1.jpg` exists on the server, the response is the raw image bytes (HTTP 200, `Content-Type: image/jpeg`). The application\u0027s normal user-photo serving wrapper (which can gate by session / channel ownership) is bypassed entirely.\n\nCross-directory probe \u2014 read images outside the AVideo install root:\n\n```http\nGET /view/img/image404Raw.php?image=../../../var/www/other-app/uploads/users/admin.jpg HTTP/1.1\nHost: avideo.example.com\n```\n\nIf the PHP user has read access to a sibling app\u0027s image directory, those files are exfiltrable too.\n\nEnumeration \u2014 iterate over predictable numeric IDs:\n\n```\nGET /view/img/image404Raw.php?image=../videos/userPhoto/photo1.jpg\nGET /view/img/image404Raw.php?image=../videos/userPhoto/photo2.jpg\nGET /view/img/image404Raw.php?image=../videos/userPhoto/photo3.jpg\n...\n```\n\n\u2026to harvest all profile images regardless of the application\u0027s intended privacy controls.\n\n### Impact\n\n**Path traversal \u2192 arbitrary image read (CWE-22 + CWE-284).** Affects any AVideo deployment running master through commit `0dbadbca` and likely every release on the supported branches. The attacker:\n\n1. **Bypasses the application\u0027s image-content ACLs.** Profile photos under `videos/userPhoto/` and admin-uploaded private thumbnails  that AVideo\u0027s normal image-serving wrappers gate by session / channel ownership become readable to any anonymous internet user.\n2. **Reads images stored outside the AVideo install root.** On shared-hosting / multi-tenant deployments, `..` traversal lets the  attacker page into sibling-app upload directories \u2014 anywhere the PHP user has read access on disk and the target file\u0027s first bytes form a valid image header.\n3. **Enables enumeration at scale.** Numeric ID schemes (`photo1.jpg`, `photo2.jpg`, \u2026) and predictable filenames let an attacker harvest every private image on a deployment without detection (each request looks like a single 200-image-OK to the web log).\n\nBecause the read primitive is restricted to image-magic-bytes files, there is no source-code or credential exfiltration via this primitive alone \u2014 but the **privacy / GDPR exposure** is substantial on any deployment that hosts user-uploaded photos. CVSS 5.3 (Medium) reflects the limited but real confidentiality impact; many operators will rate this higher because the leaked content is user-private by intent.\n\nThis is **not** a silent-fix disclosure \u2014 the bug is still present on current `master` at submission time; the maintainer is being\nnotified of a previously-unknown issue.",
  "id": "GHSA-w4qq-74h6-58wq",
  "modified": "2026-06-09T10:28:43Z",
  "published": "2026-05-19T16:25:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-w4qq-74h6-58wq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46337"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php`"
}

GHSA-W4RW-664Q-RP8H

Vulnerability from github – Published: 2022-05-17 02:41 – Updated: 2022-05-17 02:41
VLAI
Details

IBM WebSphere MQ 9.0.0.1 and 9.0.2 could allow a local user to write to a file or delete files in a directory they should not have access to due to improper access controls. IBM X-Force ID: 117926.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-6089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-07T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM WebSphere MQ 9.0.0.1 and 9.0.2 could allow a local user to write to a file or delete files in a directory they should not have access to due to improper access controls. IBM X-Force ID: 117926.",
  "id": "GHSA-w4rw-664q-rp8h",
  "modified": "2022-05-17T02:41:51Z",
  "published": "2022-05-17T02:41:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6089"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/117926"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22003509"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98770"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W4VG-RF63-F3J3

Vulnerability from github – Published: 2018-07-12 14:45 – Updated: 2024-10-08 13:00
VLAI
Summary
Arbitrary code using "crafted image file" approach affecting Pillow
Details

Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Pillow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-9190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:59:34Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the \"crafted image file\" approach, related to an \"Insecure Sign Extension\" issue affecting the ImagingNew in Storage.c component.",
  "id": "GHSA-w4vg-rf63-f3j3",
  "modified": "2024-10-08T13:00:28Z",
  "published": "2018-07-12T14:45:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9190"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/issues/2105"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-pillow/Pillow/pull/2146/commits/5d8a0be45aad78c5a22c8d099118ee26ef8144af"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-w4vg-rf63-f3j3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2016-9.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python-pillow/Pillow"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201612-52"
    },
    {
      "type": "WEB",
      "url": "http://pillow.readthedocs.io/en/3.4.x/releasenotes/3.3.2.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3710"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94234"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Arbitrary code using \"crafted image file\" approach affecting Pillow"
}

GHSA-W4W5-PFMX-65JC

Vulnerability from github – Published: 2022-05-17 03:46 – Updated: 2022-05-17 03:46
VLAI
Details

The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux kernel before 3.5.5 does not validate the dst_pid field, which allows local users to have an unspecified impact by spoofing Netlink messages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-6689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-05-02T10:59:00Z",
    "severity": "HIGH"
  },
  "details": "The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux kernel before 3.5.5 does not validate the dst_pid field, which allows local users to have an unspecified impact by spoofing Netlink messages.",
  "id": "GHSA-w4w5-pfmx-65jc",
  "modified": "2022-05-17T03:46:32Z",
  "published": "2022-05-17T03:46:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/20e1db19db5d6b9e4e83021595eab0dc8f107bef"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=848949"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=20e1db19db5d6b9e4e83021595eab0dc8f107bef"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=linux-netdev\u0026m=134522422125983\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=linux-netdev\u0026m=134522422925986\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.5.5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/02/22/10"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/72739"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W4X9-4F5X-8JJ8

Vulnerability from github – Published: 2018-11-21 22:23 – Updated: 2020-06-16 21:59
VLAI
Summary
Low severity vulnerability that affects org.apache.hive:hive-exec, org.apache.hive:hive, and org.apache.hive:hive-service
Details

Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.hive:hive"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.hive:hive-exec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.hive:hive-service"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-0228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:59:37Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.",
  "id": "GHSA-w4x9-4f5x-8jj8",
  "modified": "2020-06-16T21:59:37Z",
  "published": "2018-11-21T22:23:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0228"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-w4x9-4f5x-8jj8"
    },
    {
      "type": "WEB",
      "url": "http://mail-archives.apache.org/mod_mbox/hive-user/201406.mbox/%3CCABgNGzeN7E+9d=YV5yvnKA7wmSx1op_avtUjPcPtDaR6DLJM6g@mail.gmail.com%3E"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/127091/Apache-Hive-0.13.0-Authorization-Failure.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/532418/100/0/threaded"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Low severity vulnerability that affects      org.apache.hive:hive-exec, org.apache.hive:hive, and org.apache.hive:hive-service"
}

GHSA-W554-GVXR-6PVX

Vulnerability from github – Published: 2026-03-20 21:31 – Updated: 2026-03-20 21:31
VLAI
Details

A vulnerability has been found in eosphoros-ai DB-GPT up to 0.7.5. This issue affects the function module_plugin.refresh_plugins of the file packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py of the component FastAPI Endpoint. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4505"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-20T20:16:50Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in eosphoros-ai DB-GPT up to 0.7.5. This issue affects the function module_plugin.refresh_plugins of the file packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py of the component FastAPI Endpoint. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-w554-gvxr-6pvx",
  "modified": "2026-03-20T21:31:28Z",
  "published": "2026-03-20T21:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4505"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Ka7arotto/cve/blob/main/DB-gpt-uploadrce.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.352071"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.352071"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.773897"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W56G-56MR-H79P

Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-25 00:00
VLAI
Details

mySCADA myPRO versions prior to 8.20.0 does not restrict unauthorized read access to sensitive system information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-13T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "mySCADA myPRO versions prior to 8.20.0 does not restrict unauthorized read access to sensitive system information.",
  "id": "GHSA-w56g-56mr-h79p",
  "modified": "2022-05-25T00:00:19Z",
  "published": "2022-05-14T00:01:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33013"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-217-03"
    },
    {
      "type": "WEB",
      "url": "https://www.myscada.org/version-8-20-0-released-security-update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
CAPEC-19: Embedding Scripts within Scripts

An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execute due to programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts.

CAPEC-441: Malicious Logic Insertion

An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.

CAPEC-478: Modification of Windows Service Configuration

An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.

CAPEC-479: Malicious Root Certificate

An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.

CAPEC-502: Intent Spoof

An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact.

CAPEC-503: WebView Exposure

An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.

CAPEC-536: Data Injected During Configuration

An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.

CAPEC-546: Incomplete Data Deletion in a Multi-Tenant Environment

An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.

CAPEC-550: Install New Service

When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. Services are usually run with elevated privileges.

CAPEC-551: Modify Existing Service

When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.

CAPEC-552: Install Rootkit

An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.

CAPEC-556: Replace File Extension Handlers

When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened.

CAPEC-558: Replace Trusted Executable

An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.

CAPEC-562: Modify Shared File

An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.

CAPEC-563: Add Malicious File to Shared Webroot

An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured.

CAPEC-564: Run Software at Logon

Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.

CAPEC-578: Disable Security Software

An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.