CWE-920
AllowedImproper Restriction of Power Consumption
Abstraction: Base · Status: Incomplete
The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes.
6 vulnerabilities reference this CWE, most recent first.
CVE-2017-12714 (GCVE-0-2017-12714)
Vulnerability from cvelistv5 – Published: 2018-04-25 13:00 – Updated: 2024-09-17 00:16- CWE-920 - Improper Restriction of power consumption CWE-920
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01 | x_refsource_MISC |
| http://www.securityfocus.com/bid/100523 | vdb-entryx_refsource_BID |
| Vendor | Product | Version | |
|---|---|---|---|
| Abbott Laboratories | Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI. |
Affected:
All versions of pacemakers manufactured prior to August 28, 2017
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T18:43:56.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/100523"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.",
"vendor": "Abbott Laboratories",
"versions": [
{
"status": "affected",
"version": "All versions of pacemakers manufactured prior to August 28, 2017"
}
]
}
],
"datePublic": "2017-08-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-920",
"description": "Improper Restriction of power consumption CWE-920",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-26T09:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/100523"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2017-08-29T00:00:00",
"ID": "CVE-2017-12714",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI.",
"version": {
"version_data": [
{
"version_value": "All versions of pacemakers manufactured prior to August 28, 2017"
}
]
}
}
]
},
"vendor_name": "Abbott Laboratories"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Restriction of power consumption CWE-920"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"name": "100523",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/100523"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2017-12714",
"datePublished": "2018-04-25T13:00:00.000Z",
"dateReserved": "2017-08-09T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:16:50.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-28X2-H22V-2JV6
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36An issue was discovered on Samsung mobile devices with Q(10.0) and R(11.0) (Qualcomm SM8250 chipsets) software. They allows attackers to cause a denial of service (unlock failure) by triggering a power-shortage incident that causes a false-positive attack detection. The Samsung ID is SVE-2020-19678 (December 2020).
{
"affected": [],
"aliases": [
"CVE-2020-35553"
],
"database_specific": {
"cwe_ids": [
"CWE-920"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-18T09:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered on Samsung mobile devices with Q(10.0) and R(11.0) (Qualcomm SM8250 chipsets) software. They allows attackers to cause a denial of service (unlock failure) by triggering a power-shortage incident that causes a false-positive attack detection. The Samsung ID is SVE-2020-19678 (December 2020).",
"id": "GHSA-28x2-h22v-2jv6",
"modified": "2022-05-24T17:36:56Z",
"published": "2022-05-24T17:36:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35553"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4GWC-877G-8PXQ
Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted "RF wake-up" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
{
"affected": [],
"aliases": [
"CVE-2017-12714"
],
"database_specific": {
"cwe_ids": [
"CWE-920"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-25T13:29:00Z",
"severity": "MODERATE"
},
"details": "Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted \"RF wake-up\" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.",
"id": "GHSA-4gwc-877g-8pxq",
"modified": "2022-05-13T01:37:45Z",
"published": "2022-05-13T01:37:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12714"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100523"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7V33-W57Q-9G8P
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47Honor 5A,Honor 8 Lite,Mate9,Mate9 Pro,P10,P10 Plus Huawei smartphones with software the versions before CAM-L03C605B143CUSTC605D003,the versions before Prague-L03C605B161,the versions before Prague-L23C605B160,the versions before MHA-AL00C00B225,the versions before LON-AL00C00B225,the versions before VTR-AL00C00B167,the versions before VTR-TL00C01B167,the versions before VKY-AL00C00B167,the versions before VKY-TL00C01B167 have a resource exhaustion vulnerability due to configure setting. An attacker tricks a user into installing a malicious application, the application may turn on the device flash-light and rapidly drain the device battery.
{
"affected": [],
"aliases": [
"CVE-2017-8144"
],
"database_specific": {
"cwe_ids": [
"CWE-920"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-22T19:29:00Z",
"severity": "HIGH"
},
"details": "Honor 5A,Honor 8 Lite,Mate9,Mate9 Pro,P10,P10 Plus Huawei smartphones with software the versions before CAM-L03C605B143CUSTC605D003,the versions before Prague-L03C605B161,the versions before Prague-L23C605B160,the versions before MHA-AL00C00B225,the versions before LON-AL00C00B225,the versions before VTR-AL00C00B167,the versions before VTR-TL00C01B167,the versions before VKY-AL00C00B167,the versions before VKY-TL00C01B167 have a resource exhaustion vulnerability due to configure setting. An attacker tricks a user into installing a malicious application, the application may turn on the device flash-light and rapidly drain the device battery.",
"id": "GHSA-7v33-w57q-9g8p",
"modified": "2022-05-13T01:47:19Z",
"published": "2022-05-13T01:47:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8144"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170725-01-smartphone-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9HHF-J948-M466
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2024-07-03 18:42In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level".
UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211]
In this case, simply return an error instead, to indicate that no data is available.
{
"affected": [],
"aliases": [
"CVE-2023-52832"
],
"database_specific": {
"cwe_ids": [
"CWE-920"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:20Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: don\u0027t return unset power in ieee80211_get_tx_power()\n\nWe can get a UBSAN warning if ieee80211_get_tx_power() returns the\nINT_MIN value mac80211 internally uses for \"unset power level\".\n\n UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5\n -2147483648 * 100 cannot be represented in type \u0027int\u0027\n CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE\n Call Trace:\n dump_stack+0x74/0x92\n ubsan_epilogue+0x9/0x50\n handle_overflow+0x8d/0xd0\n __ubsan_handle_mul_overflow+0xe/0x10\n nl80211_send_iface+0x688/0x6b0 [cfg80211]\n [...]\n cfg80211_register_wdev+0x78/0xb0 [cfg80211]\n cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]\n [...]\n ieee80211_if_add+0x60e/0x8f0 [mac80211]\n ieee80211_register_hw+0xda5/0x1170 [mac80211]\n\nIn this case, simply return an error instead, to indicate\nthat no data is available.",
"id": "GHSA-9hhf-j948-m466",
"modified": "2024-07-03T18:42:57Z",
"published": "2024-05-21T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52832"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1571120c44dbe5757aee1612c5b6097cdc42710f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/21a0f310a9f3bfd2b4cf4f382430e638607db846"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/298e767362cade639b7121ecb3cc5345b6529f62"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2be24c47ac19bf639c48c082486c08888bd603c6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a94cffe90e20e8fade0b9abd4370bd671fe87c7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/717de20abdcd1d4993fa450e28b8086a352620ea"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/adc2474d823fe81d8da759207f4f1d3691aa775a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e160ab85166e77347d0cbe5149045cb25e83937f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/efeae5f4972f75d50002bc50eb112ab9e7069b18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RG2Q-2JH9-447Q
Vulnerability from github – Published: 2024-08-08 16:30 – Updated: 2024-08-08 17:03Component: wasmvm Criticality: Medium (ACMv1: I:Moderate; L:Likely) Patched versions: wasmvm 1.5.4, 2.0.3, 2.1.2
Some Wasm operations take significantly more gas than our benchmarks indicated. This can lead to missing the gas target we defined by a factor of ~10x. This means a malicious contract could take 10 times as much time to execute as expected, which can be used to temporarily DoS a chain.
See CWA-2024-004 for more details.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "cosmwasm-vm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "cosmwasm-vm"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "cosmwasm-vm"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/CosmWasm/wasmvm/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/CosmWasm/wasmvm/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/CosmWasm/wasmvm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-920"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-08T16:30:50Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "**Component:** wasmvm\n**Criticality:** Medium ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Moderate; L:Likely)\n**Patched versions:** wasmvm 1.5.4, 2.0.3, 2.1.2\n\nSome Wasm operations take significantly more gas than our benchmarks indicated. This can lead to missing the [gas target](https://github.com/CosmWasm/cosmwasm/blob/e50490c4199a234200a497219b27f071c3409f58/docs/GAS.md#cosmwasm-gas-pricing) we defined by a factor of ~10x. This means a malicious contract could take 10 times as much time to execute as expected, which can be used to temporarily DoS a chain.\n\nSee [CWA-2024-004](https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-004.md) for more details.\n",
"id": "GHSA-rg2q-2jh9-447q",
"modified": "2024-08-08T17:03:07Z",
"published": "2024-08-08T16:30:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/CosmWasm/wasmvm/security/advisories/GHSA-rg2q-2jh9-447q"
},
{
"type": "WEB",
"url": "https://github.com/CosmWasm/cosmwasm/commit/5bef1c588933bd60a04bb70099150cf84b69e144"
},
{
"type": "WEB",
"url": "https://github.com/CosmWasm/cosmwasm/commit/9b4d6d03772b75d500a7d3c972d0d8ba6d085c06"
},
{
"type": "WEB",
"url": "https://github.com/CosmWasm/cosmwasm/commit/c1313afeb261e17b1c8cf6a1eacee1da0dac42ae"
},
{
"type": "WEB",
"url": "https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-004.md"
},
{
"type": "PACKAGE",
"url": "https://github.com/CosmWasm/wasmvm"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0361.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Gas mispricing in cosmwasm-vm"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.