CWE-787
Allowed-with-ReviewOut-of-bounds Write
Abstraction: Base · Status: Draft
The product writes data past the end, or before the beginning, of the intended buffer.
15106 vulnerabilities reference this CWE, most recent first.
GHSA-XG7R-7865-V6C7
Vulnerability from github – Published: 2024-04-03 15:30 – Updated: 2025-03-17 18:31In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix data corruption in dsync block recovery for small block sizes
The helper function nilfs_recovery_copy_block() of nilfs_recovery_dsync_blocks(), which recovers data from logs created by data sync writes during a mount after an unclean shutdown, incorrectly calculates the on-page offset when copying repair data to the file's page cache. In environments where the block size is smaller than the page size, this flaw can cause data corruption and leak uninitialized memory bytes during the recovery process.
Fix these issues by correcting this byte offset calculation on the page.
{
"affected": [],
"aliases": [
"CVE-2024-26697"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-03T15:15:52Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix data corruption in dsync block recovery for small block sizes\n\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file\u0027s page\ncache. In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\n\nFix these issues by correcting this byte offset calculation on the page.",
"id": "GHSA-xg7r-7865-v6c7",
"modified": "2025-03-17T18:31:38Z",
"published": "2024-04-03T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26697"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/120f7fa2008e3bd8b7680b4ab5df942decf60fd5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2000016bab499074e6248ea85aeea7dd762355d9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e1480538ef60bfee5473dfe02b1ecbaf1a4aa0d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/364a66be2abdcd4fd426ffa44d9b8f40aafb3caa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5278c3eb6bf5896417572b52adb6be9d26e92f65"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/67b8bcbaed4777871bb0dcc888fb02a614a98ab1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9c9c68d64fd3284f7097ed6ae057c8441f39fcd3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a6efe6dbaaf504f5b3f8a5c3f711fe54e7dda0ba"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG85-X3P5-P592
Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0655.
{
"affected": [],
"aliases": [
"CVE-2019-0652"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-05T23:29:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge, aka \u0027Scripting Engine Memory Corruption Vulnerability\u0027. This CVE ID is unique from CVE-2019-0590, CVE-2019-0591, CVE-2019-0593, CVE-2019-0605, CVE-2019-0607, CVE-2019-0610, CVE-2019-0640, CVE-2019-0642, CVE-2019-0644, CVE-2019-0651, CVE-2019-0655.",
"id": "GHSA-xg85-x3p5-p592",
"modified": "2022-05-13T01:21:26Z",
"published": "2022-05-13T01:21:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0652"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0652"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106903"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG8M-385J-RC99
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30In HID_DevAddRecord of hidd_api.cc, there is a possible out-of-bounds write due to a missing bounds check. This could lead to local escalation of privilege in the Bluetooth service with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-79946737.
{
"affected": [],
"aliases": [
"CVE-2018-9560"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-06T14:29:00Z",
"severity": "HIGH"
},
"details": "In HID_DevAddRecord of hidd_api.cc, there is a possible out-of-bounds write due to a missing bounds check. This could lead to local escalation of privilege in the Bluetooth service with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9. Android ID: A-79946737.",
"id": "GHSA-xg8m-385j-rc99",
"modified": "2022-05-13T01:30:37Z",
"published": "2022-05-13T01:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9560"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-12-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106147"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG9M-9PG9-92J4
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:46Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010.20098 and earlier, 2017.011.30127 and earlier version, and 2015.006.30482 and earlier have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution .
{
"affected": [],
"aliases": [
"CVE-2019-7124"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-23T18:29:00Z",
"severity": "CRITICAL"
},
"details": "Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010.20098 and earlier, 2017.011.30127 and earlier version, and 2015.006.30482 and earlier have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution .",
"id": "GHSA-xg9m-9pg9-92j4",
"modified": "2024-04-04T00:46:12Z",
"published": "2022-05-24T16:46:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7124"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-17.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG9R-W6FX-9996
Vulnerability from github – Published: 2023-08-01 18:30 – Updated: 2024-04-04 06:28In certain EZVIZ products, two stack buffer overflows in netClientSetWlanCfg function of the EZVIZ SDK command server can allow an authenticated attacker present on the same local network as the camera to achieve remote code execution. This affects CS-C6N-B0-1G2WF Firmware versions before V5.3.0 build 230215 and CS-C6N-R101-1G2WF Firmware versions before V5.3.0 build 230215 and CS-CV310-A0-1B2WFR Firmware versions before V5.3.0 build 230221 and CS-CV310-A0-1C2WFR-C Firmware versions before V5.3.2 build 230221 and CS-C6N-A0-1C2WFR-MUL Firmware versions before V5.3.2 build 230218 and CS-CV310-A0-3C2WFRL-1080p Firmware versions before V5.2.7 build 230302 and CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p Firmware versions before V5.3.2 build 230214 and CS-CV248-A0-32WMFR Firmware versions before V5.2.3 build 230217 and EZVIZ LC1C Firmware versions before V5.3.4 build 230214. The impact is: execute arbitrary code (remote).
{
"affected": [],
"aliases": [
"CVE-2023-34551"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-01T18:15:09Z",
"severity": "HIGH"
},
"details": "In certain EZVIZ products, two stack buffer overflows in netClientSetWlanCfg function of the EZVIZ SDK command server can allow an authenticated attacker present on the same local network as the camera to achieve remote code execution. This affects CS-C6N-B0-1G2WF Firmware versions before V5.3.0 build 230215 and CS-C6N-R101-1G2WF Firmware versions before V5.3.0 build 230215 and CS-CV310-A0-1B2WFR Firmware versions before V5.3.0 build 230221 and CS-CV310-A0-1C2WFR-C Firmware versions before V5.3.2 build 230221 and CS-C6N-A0-1C2WFR-MUL Firmware versions before V5.3.2 build 230218 and CS-CV310-A0-3C2WFRL-1080p Firmware versions before V5.2.7 build 230302 and CS-CV310-A0-1C2WFR Wifi IP66 2.8mm 1080p Firmware versions before V5.3.2 build 230214 and CS-CV248-A0-32WMFR Firmware versions before V5.2.3 build 230217 and EZVIZ LC1C Firmware versions before V5.3.4 build 230214. The impact is: execute arbitrary code (remote).",
"id": "GHSA-xg9r-w6fx-9996",
"modified": "2024-04-04T06:28:48Z",
"published": "2023-08-01T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34551"
},
{
"type": "WEB",
"url": "https://www.ezviz.com/data-security/security-notice/detail/827"
},
{
"type": "WEB",
"url": "http://ezviz.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG9W-79QQ-WR22
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:01In l2c_lcc_proc_pdu of l2c_fcr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9Android ID: A-120665616
{
"affected": [],
"aliases": [
"CVE-2019-2009"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-19T20:15:00Z",
"severity": "HIGH"
},
"details": "In l2c_lcc_proc_pdu of l2c_fcr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9Android ID: A-120665616",
"id": "GHSA-xg9w-79qq-wr22",
"modified": "2024-04-04T01:01:08Z",
"published": "2022-05-24T16:48:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2009"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2019-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGC3-M89P-VR3X
Vulnerability from github – Published: 2021-05-21 14:23 – Updated: 2024-10-30 23:28Impact
An attacker can cause a heap buffer overflow to occur in Conv2DBackpropFilter:
import tensorflow as tf
input_tensor = tf.constant([386.078431372549, 386.07843139643234],
shape=[1, 1, 1, 2], dtype=tf.float32)
filter_sizes = tf.constant([1, 1, 1, 1], shape=[4], dtype=tf.int32)
out_backprop = tf.constant([386.078431372549], shape=[1, 1, 1, 1],
dtype=tf.float32)
tf.raw_ops.Conv2DBackpropFilter(
input=input_tensor,
filter_sizes=filter_sizes,
out_backprop=out_backprop,
strides=[1, 66, 49, 1],
use_cudnn_on_gpu=True,
padding='VALID',
explicit_paddings=[],
data_format='NHWC',
dilations=[1, 1, 1, 1]
)
Alternatively, passing empty tensors also results in similar behavior:
import tensorflow as tf
input_tensor = tf.constant([], shape=[0, 1, 1, 5], dtype=tf.float32)
filter_sizes = tf.constant([3, 8, 1, 1], shape=[4], dtype=tf.int32)
out_backprop = tf.constant([], shape=[0, 1, 1, 1], dtype=tf.float32)
tf.raw_ops.Conv2DBackpropFilter(
input=input_tensor,
filter_sizes=filter_sizes,
out_backprop=out_backprop,
strides=[1, 66, 49, 1],
use_cudnn_on_gpu=True,
padding='VALID',
explicit_paddings=[],
data_format='NHWC',
dilations=[1, 1, 1, 1]
)
This is because the implementation computes the size of the filter tensor but does not validate that it matches the number of elements in filter_sizes. Later, when reading/writing to this buffer, code uses the value computed here, instead of the number of elements in the tensor.
Patches
We have patched the issue in GitHub commit c570e2ecfc822941335ad48f6e10df4e21f11c96.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29540"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T22:05:40Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nAn attacker can cause a heap buffer overflow to occur in `Conv2DBackpropFilter`:\n\n```python\nimport tensorflow as tf\n\ninput_tensor = tf.constant([386.078431372549, 386.07843139643234],\n shape=[1, 1, 1, 2], dtype=tf.float32)\nfilter_sizes = tf.constant([1, 1, 1, 1], shape=[4], dtype=tf.int32)\nout_backprop = tf.constant([386.078431372549], shape=[1, 1, 1, 1],\n dtype=tf.float32)\n \ntf.raw_ops.Conv2DBackpropFilter(\n input=input_tensor,\n filter_sizes=filter_sizes,\n out_backprop=out_backprop,\n strides=[1, 66, 49, 1],\n use_cudnn_on_gpu=True,\n padding=\u0027VALID\u0027,\n explicit_paddings=[],\n data_format=\u0027NHWC\u0027,\n dilations=[1, 1, 1, 1]\n)\n```\n\nAlternatively, passing empty tensors also results in similar behavior: \n\n```python\nimport tensorflow as tf\n\ninput_tensor = tf.constant([], shape=[0, 1, 1, 5], dtype=tf.float32)\nfilter_sizes = tf.constant([3, 8, 1, 1], shape=[4], dtype=tf.int32)\nout_backprop = tf.constant([], shape=[0, 1, 1, 1], dtype=tf.float32)\n\ntf.raw_ops.Conv2DBackpropFilter(\n input=input_tensor,\n filter_sizes=filter_sizes, \n out_backprop=out_backprop,\n strides=[1, 66, 49, 1], \n use_cudnn_on_gpu=True,\n padding=\u0027VALID\u0027,\n explicit_paddings=[],\n data_format=\u0027NHWC\u0027,\n dilations=[1, 1, 1, 1]\n)\n```\n\nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/1b0296c3b8dd9bd948f924aa8cd62f87dbb7c3da/tensorflow/core/kernels/conv_grad_filter_ops.cc#L495-L497) computes the size of the filter tensor but does not validate that it matches the number of elements in `filter_sizes`. Later, when reading/writing to this buffer, code uses the value computed here, instead of the number of elements in the tensor.\n\n### Patches \nWe have patched the issue in GitHub commit [c570e2ecfc822941335ad48f6e10df4e21f11c96](https://github.com/tensorflow/tensorflow/commit/c570e2ecfc822941335ad48f6e10df4e21f11c96).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Yakun Zhang and Ying Wang of Baidu X-Team.",
"id": "GHSA-xgc3-m89p-vr3x",
"modified": "2024-10-30T23:28:15Z",
"published": "2021-05-21T14:23:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xgc3-m89p-vr3x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29540"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/c570e2ecfc822941335ad48f6e10df4e21f11c96"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-468.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-666.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-177.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Heap buffer overflow in `Conv2DBackpropFilter`"
}
GHSA-XGCC-R2F3-RQ6P
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2023-10-05 19:29ChakraCore and Microsoft Edge in Windows 10 1703 and 1709 allow information disclosure, due to how the scripting engine handles objects in memory, aka "Scripting Engine Information Disclosure Vulnerability". This CVE ID is unique from CVE-2018-0891.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Microsoft.ChakraCore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-0939"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-20T22:19:42Z",
"nvd_published_at": "2018-03-14T17:29:00Z",
"severity": "MODERATE"
},
"details": "ChakraCore and Microsoft Edge in Windows 10 1703 and 1709 allow information disclosure, due to how the scripting engine handles objects in memory, aka \"Scripting Engine Information Disclosure Vulnerability\". This CVE ID is unique from CVE-2018-0891.",
"id": "GHSA-xgcc-r2f3-rq6p",
"modified": "2023-10-05T19:29:32Z",
"published": "2022-05-13T01:18:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0939"
},
{
"type": "WEB",
"url": "https://github.com/chakra-core/ChakraCore/commit/090277e7a5ea1d938777acb92e7b6759936ea974"
},
{
"type": "PACKAGE",
"url": "https://github.com/chakra-core/ChakraCore"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0939"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20201021051922/http://www.securitytracker.com/id/1040507"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210124145017/http://www.securityfocus.com/bid/103305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "ChakraCore information disclosure vulnerability"
}
GHSA-XGCP-JRJ9-XVPP
Vulnerability from github – Published: 2022-05-14 03:12 – Updated: 2022-05-14 03:12In Android before the 2018-06-05 security patch level, NVIDIA TLZ TrustZone contains a possible out of bounds write due to integer overflow which could lead to local escalation of privilege in the TrustZone with no additional execution privileges needed. User interaction is not needed for exploitation. This issue is rated as high. Version: N/A. Android: A-69480285. Reference: N-CVE-2017-6292.
{
"affected": [],
"aliases": [
"CVE-2017-6292"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-07T19:29:00Z",
"severity": "HIGH"
},
"details": "In Android before the 2018-06-05 security patch level, NVIDIA TLZ TrustZone contains a possible out of bounds write due to integer overflow which could lead to local escalation of privilege in the TrustZone with no additional execution privileges needed. User interaction is not needed for exploitation. This issue is rated as high. Version: N/A. Android: A-69480285. Reference: N-CVE-2017-6292.",
"id": "GHSA-xgcp-jrj9-xvpp",
"modified": "2022-05-14T03:12:13Z",
"published": "2022-05-14T03:12:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6292"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2018-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XGF9-9FPJ-MV3C
Vulnerability from github – Published: 2022-05-17 01:08 – Updated: 2025-04-12 12:56Heap-based buffer overflow in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK & Compiler before 20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2016-0971"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-02-10T20:59:00Z",
"severity": "CRITICAL"
},
"details": "Heap-based buffer overflow in Adobe Flash Player before 18.0.0.329 and 19.x and 20.x before 20.0.0.306 on Windows and OS X and before 11.2.202.569 on Linux, Adobe AIR before 20.0.0.260, Adobe AIR SDK before 20.0.0.260, and Adobe AIR SDK \u0026 Compiler before 20.0.0.260 allows attackers to execute arbitrary code via unspecified vectors.",
"id": "GHSA-xgf9-9fpj-mv3c",
"modified": "2025-04-12T12:56:52Z",
"published": "2022-05-17T01:08:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0971"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb16-04.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201603-07"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/39465"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00025.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00027.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00029.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00030.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0166.html"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1034970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
- Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Mitigation MIT-4.1
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-9
- Consider adhering to the following rules when allocating and managing an application's memory:
- Double check that the buffer is as large as specified.
- When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
- Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
- If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Strategy: Environment Hardening
- Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
- For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-13
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
No CAPEC attack patterns related to this CWE.