CWE-404
Improper Resource Shutdown or Release
The product does not release or incorrectly releases a resource before it is made available for re-use.
CVE-2020-5416 (GCVE-0-2020-5416)
Vulnerability from cvelistv5 – Published: 2020-08-21 21:50 – Updated: 2024-09-16 16:53
VLAI
Title
CF clusters with NGINX in front of them may be vulnerable to DoS
Summary
Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests that may cause the Gorouters to be dropped from the NGINX backend pool.
Severity
7.7 (High)
CWE
- CWE-404 - Improper Resource Shutdown or Release
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cloudfoundry.org/blog/cve-2020-5416 | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Cloud Foundry | Routing |
Affected:
All , < 0.204.0
(custom)
|
|
| Cloud Foundry | CF Deployment |
Affected:
All , < 13.13.0
(custom)
|
Date Public
2020-08-14 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.212Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cloudfoundry.org/blog/cve-2020-5416"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Routing",
"vendor": "Cloud Foundry",
"versions": [
{
"lessThan": "0.204.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
},
{
"product": "CF Deployment",
"vendor": "Cloud Foundry",
"versions": [
{
"lessThan": "13.13.0",
"status": "affected",
"version": "All",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-08-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests that may cause the Gorouters to be dropped from the NGINX backend pool."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404: Improper Resource Shutdown or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-21T21:50:14.000Z",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cloudfoundry.org/blog/cve-2020-5416"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CF clusters with NGINX in front of them may be vulnerable to DoS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-08-14T00:00:00.000Z",
"ID": "CVE-2020-5416",
"STATE": "PUBLIC",
"TITLE": "CF clusters with NGINX in front of them may be vulnerable to DoS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Routing",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "All",
"version_value": "0.204.0"
}
]
}
},
{
"product_name": "CF Deployment",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "All",
"version_value": "13.13.0"
}
]
}
}
]
},
"vendor_name": "Cloud Foundry"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cloud Foundry Routing (Gorouter), versions prior to 0.204.0, when used in a deployment with NGINX reverse proxies in front of the Gorouters, is potentially vulnerable to denial-of-service attacks in which an unauthenticated malicious attacker can send specially-crafted HTTP requests that may cause the Gorouters to be dropped from the NGINX backend pool."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-404: Improper Resource Shutdown or Release"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cloudfoundry.org/blog/cve-2020-5416",
"refsource": "CONFIRM",
"url": "https://www.cloudfoundry.org/blog/cve-2020-5416"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5416",
"datePublished": "2020-08-21T21:50:14.375Z",
"dateReserved": "2020-01-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:53:12.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21003 (GCVE-0-2021-21003)
Vulnerability from cvelistv5 – Published: 2021-06-25 18:25 – Updated: 2024-09-17 01:31
VLAI
Title
Denial of Service Vulnerability in Phoenix Contact FL SWITCH SMCS series products
Summary
In Phoenix Contact FL SWITCH SMCS series products in multiple versions fragmented TCP-Packets may cause a Denial of Service of Web-, SNMP- and ICMP-Echo services. The switching functionality of the device is not affected.
Severity
5.3 (Medium)
CWE
- CWE-404 - Improper Resource Shutdown or Release
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://cert.vde.com/en-us/advisories/vde-2021-023 | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Phoenix Contact | FL SWITCH |
Affected:
SMCS 16TX (2700996) , ≤ 4.70
(custom)
Affected: SMCS 14TX/2FX (2700997) , ≤ 4.70 (custom) Affected: SMCS 14TX/2FX-SM (2701466) , ≤ 4.70 (custom) Affected: SMCS 8GT (2891123) , ≤ 4.70 (custom) Affected: SMCS 6GT/2SFP (2891479) , ≤ 4.70 (custom) Affected: SMCS 8TX-PN (2989103) , ≤ 4.70 (custom) Affected: SMCS 4TX-PN (2989093) , ≤ 4.70 (custom) Affected: SMCS 8TX (2989226) , ≤ 4.70 (custom) Affected: SMCS 6TX/2SFP (2989323) , ≤ 4.70 (custom) Affected: SMN 6TX/2POF-PN (2700290) , ≤ 4.70 (custom) Affected: SMN 8TX-PN (2989501) , ≤ 4.70 (custom) Affected: SMN 6TX/2FX (2989543) , ≤ 4.70 (custom) Affected: SMN 6TX/2FX SM (2989556) , ≤ 4.70 (custom) |
|
| Phoenix Contact | FL NAT |
Affected:
SMN 8TX (2989365) , ≤ 4.63
(custom)
Affected: SMN 8TX-M (2702443) , ≤ 4.63 (custom) |
Date Public
2021-06-23 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:23.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert.vde.com/en-us/advisories/vde-2021-023"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "FL SWITCH",
"vendor": "Phoenix Contact",
"versions": [
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMCS 16TX (2700996)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMCS 14TX/2FX (2700997)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMCS 14TX/2FX-SM (2701466)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMCS 8GT (2891123)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMCS 6GT/2SFP (2891479)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMCS 8TX-PN (2989103)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMCS 4TX-PN (2989093)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMCS 8TX (2989226)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMCS 6TX/2SFP (2989323)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMN 6TX/2POF-PN (2700290)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMN 8TX-PN (2989501)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMN 6TX/2FX (2989543)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.70",
"status": "affected",
"version": "SMN 6TX/2FX SM (2989556)",
"versionType": "custom"
}
]
},
{
"product": "FL NAT",
"vendor": "Phoenix Contact",
"versions": [
{
"lessThanOrEqual": "4.63",
"status": "affected",
"version": "SMN 8TX (2989365)",
"versionType": "custom"
},
{
"lessThanOrEqual": "4.63",
"status": "affected",
"version": "SMN 8TX-M (2702443)",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability has been discovered and reported by Anne Borcherding, Fraunhofer- Institut f\u00fcr Optronik, Systemtechnik und Bildauswertung IOSB. PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication."
}
],
"datePublic": "2021-06-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Phoenix Contact FL SWITCH SMCS series products in multiple versions fragmented TCP-Packets may cause a Denial of Service of Web-, SNMP- and ICMP-Echo services. The switching functionality of the device is not affected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Improper Resource Shutdown or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-25T18:25:51.000Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert.vde.com/en-us/advisories/vde-2021-023"
}
],
"source": {
"advisory": "VDE-2021-023",
"defect": [
"VDE-2021-023"
],
"discovery": "EXTERNAL"
},
"title": "Denial of Service Vulnerability in Phoenix Contact FL SWITCH SMCS series products",
"workarounds": [
{
"lang": "en",
"value": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note:\nMeasures to protect network-capable devices with Ethernet connection https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "info@cert.vde.com",
"DATE_PUBLIC": "2021-06-23T10:00:00.000Z",
"ID": "CVE-2021-21003",
"STATE": "PUBLIC",
"TITLE": "Denial of Service Vulnerability in Phoenix Contact FL SWITCH SMCS series products"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "FL SWITCH",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "SMCS 16TX (2700996)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMCS 14TX/2FX (2700997)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMCS 14TX/2FX-SM (2701466)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMCS 8GT (2891123)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMCS 6GT/2SFP (2891479)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMCS 8TX-PN (2989103)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMCS 4TX-PN (2989093)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMCS 8TX (2989226)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMCS 6TX/2SFP (2989323)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMN 6TX/2POF-PN (2700290)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMN 8TX-PN (2989501)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMN 6TX/2FX (2989543)",
"version_value": "4.70"
},
{
"version_affected": "\u003c=",
"version_name": "SMN 6TX/2FX SM (2989556)",
"version_value": "4.70"
}
]
}
},
{
"product_name": "FL NAT",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "SMN 8TX (2989365)",
"version_value": "4.63"
},
{
"version_affected": "\u003c=",
"version_name": "SMN 8TX-M (2702443)",
"version_value": "4.63"
}
]
}
}
]
},
"vendor_name": "Phoenix Contact"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability has been discovered and reported by Anne Borcherding, Fraunhofer- Institut f\u00fcr Optronik, Systemtechnik und Bildauswertung IOSB. PHOENIX CONTACT thanks CERT@VDE for the coordination and support with this publication."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Phoenix Contact FL SWITCH SMCS series products in multiple versions fragmented TCP-Packets may cause a Denial of Service of Web-, SNMP- and ICMP-Echo services. The switching functionality of the device is not affected."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-404 Improper Resource Shutdown or Release"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert.vde.com/en-us/advisories/vde-2021-023",
"refsource": "CONFIRM",
"url": "https://cert.vde.com/en-us/advisories/vde-2021-023"
}
]
},
"source": {
"advisory": "VDE-2021-023",
"defect": [
"VDE-2021-023"
],
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Phoenix Contact recommends operating network-capable devices in closed networks or protected with a suitable firewall. For detailed information on our recommendations for measures to protect network-capable devices, please refer to the Phoenix Contact application note:\nMeasures to protect network-capable devices with Ethernet connection https://dam-mdc.phoenixcontact.com/asset/156443151564/0a870ae433c19148b80bd760f3a1c1f2/107913_en_03.pdf"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2021-21003",
"datePublished": "2021-06-25T18:25:51.312Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:31:02.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27458 (GCVE-0-2021-27458)
Vulnerability from cvelistv5 – Published: 2021-04-19 21:07 – Updated: 2024-08-03 20:48
VLAI
Summary
If Ethernet communication of the JTEKT Corporation TOYOPUC product series’ (TOYOPUC-PC10 Series: PC10G-CPU TCC-6353: All versions, PC10GE TCC-6464: All versions, PC10P TCC-6372: All versions, PC10P-DP TCC-6726: All versions, PC10P-DP-IO TCC-6752: All versions, PC10B-P TCC-6373: All versions, PC10B TCC-1021: All versions, PC10B-E/C TCU-6521: All versions, PC10E TCC-4737: All versions; TOYOPUC-Plus Series: Plus CPU TCC-6740: All versions, Plus EX TCU-6741: All versions, Plus EX2 TCU-6858: All versions, Plus EFR TCU-6743: All versions, Plus EFR2 TCU-6859: All versions, Plus 2P-EFR TCU-6929: All versions, Plus BUS-EX TCU-6900: All versions; TOYOPUC-PC3J/PC2J Series: FL/ET-T-V2H THU-6289: All versions, 2PORT-EFR THU-6404: All versions) are left in an open state by an attacker, Ethernet communications cannot be established with other devices, depending on the settings of the link parameters.
Severity
No CVSS data available.
CWE
- CWE-404 - IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://us-cert.cisa.gov/ics/advisories/icsa-21-103-03 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | JTEKT Corporation TOYOPUC products |
Affected:
TOYOPUC-PC10 Series: PC10G-CPU TCC-6353: All versions, PC10GE TCC-6464: All versions, PC10P TCC-6372: All versions, PC10P-DP TCC-6726: All versions, PC10P-DP-IO TCC-6752: All versions, PC10B-P TCC-6373: All versions, PC10B TCC-1021: All versions, PC10B-E/C TCU-6521: All versions, PC10E TCC-4737: All versions
Affected: TOYOPUC-Plus Series: Plus CPU TCC-6740: All versions, Plus EX TCU-6741: All versions, Plus EX2 TCU-6858: All versions, Plus EFR TCU-6743: All versions, Plus EFR2 TCU-6859: All versions, Plus 2P-EFR TCU-6929: All versions, Plus BUS-EX TCU-6900: All versions Affected: TOYOPUC-PC3J/PC2J Series: FL/ET-T-V2H THU-6289: All versions, 2PORT-EFR THU-6404: All versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:48:17.229Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "JTEKT Corporation TOYOPUC products",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "TOYOPUC-PC10 Series: PC10G-CPU TCC-6353: All versions, PC10GE TCC-6464: All versions, PC10P TCC-6372: All versions, PC10P-DP TCC-6726: All versions, PC10P-DP-IO TCC-6752: All versions, PC10B-P TCC-6373: All versions, PC10B TCC-1021: All versions, PC10B-E/C TCU-6521: All versions, PC10E TCC-4737: All versions"
},
{
"status": "affected",
"version": "TOYOPUC-Plus Series: Plus CPU TCC-6740: All versions, Plus EX TCU-6741: All versions, Plus EX2 TCU-6858: All versions, Plus EFR TCU-6743: All versions, Plus EFR2 TCU-6859: All versions, Plus 2P-EFR TCU-6929: All versions, Plus BUS-EX TCU-6900: All versions"
},
{
"status": "affected",
"version": "TOYOPUC-PC3J/PC2J Series: FL/ET-T-V2H THU-6289: All versions, 2PORT-EFR THU-6404: All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "If Ethernet communication of the JTEKT Corporation TOYOPUC product series\u2019 (TOYOPUC-PC10 Series: PC10G-CPU TCC-6353: All versions, PC10GE TCC-6464: All versions, PC10P TCC-6372: All versions, PC10P-DP TCC-6726: All versions, PC10P-DP-IO TCC-6752: All versions, PC10B-P TCC-6373: All versions, PC10B TCC-1021: All versions, PC10B-E/C TCU-6521: All versions, PC10E TCC-4737: All versions; TOYOPUC-Plus Series: Plus CPU TCC-6740: All versions, Plus EX TCU-6741: All versions, Plus EX2 TCU-6858: All versions, Plus EFR TCU-6743: All versions, Plus EFR2 TCU-6859: All versions, Plus 2P-EFR TCU-6929: All versions, Plus BUS-EX TCU-6900: All versions; TOYOPUC-PC3J/PC2J Series: FL/ET-T-V2H THU-6289: All versions, 2PORT-EFR THU-6404: All versions) are left in an open state by an attacker, Ethernet communications cannot be established with other devices, depending on the settings of the link parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-19T21:07:55.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2021-27458",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "JTEKT Corporation TOYOPUC products",
"version": {
"version_data": [
{
"version_value": "TOYOPUC-PC10 Series: PC10G-CPU TCC-6353: All versions, PC10GE TCC-6464: All versions, PC10P TCC-6372: All versions, PC10P-DP TCC-6726: All versions, PC10P-DP-IO TCC-6752: All versions, PC10B-P TCC-6373: All versions, PC10B TCC-1021: All versions, PC10B-E/C TCU-6521: All versions, PC10E TCC-4737: All versions"
},
{
"version_value": "TOYOPUC-Plus Series: Plus CPU TCC-6740: All versions, Plus EX TCU-6741: All versions, Plus EX2 TCU-6858: All versions, Plus EFR TCU-6743: All versions, Plus EFR2 TCU-6859: All versions, Plus 2P-EFR TCU-6929: All versions, Plus BUS-EX TCU-6900: All versions"
},
{
"version_value": "TOYOPUC-PC3J/PC2J Series: FL/ET-T-V2H THU-6289: All versions, 2PORT-EFR THU-6404: All versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If Ethernet communication of the JTEKT Corporation TOYOPUC product series\u2019 (TOYOPUC-PC10 Series: PC10G-CPU TCC-6353: All versions, PC10GE TCC-6464: All versions, PC10P TCC-6372: All versions, PC10P-DP TCC-6726: All versions, PC10P-DP-IO TCC-6752: All versions, PC10B-P TCC-6373: All versions, PC10B TCC-1021: All versions, PC10B-E/C TCU-6521: All versions, PC10E TCC-4737: All versions; TOYOPUC-Plus Series: Plus CPU TCC-6740: All versions, Plus EX TCU-6741: All versions, Plus EX2 TCU-6858: All versions, Plus EFR TCU-6743: All versions, Plus EFR2 TCU-6859: All versions, Plus 2P-EFR TCU-6929: All versions, Plus BUS-EX TCU-6900: All versions; TOYOPUC-PC3J/PC2J Series: FL/ET-T-V2H THU-6289: All versions, 2PORT-EFR THU-6404: All versions) are left in an open state by an attacker, Ethernet communications cannot be established with other devices, depending on the settings of the link parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER RESOURCE SHUTDOWN OR RELEASE CWE-404"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-03",
"refsource": "MISC",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-27458",
"datePublished": "2021-04-19T21:07:55.000Z",
"dateReserved": "2021-02-19T00:00:00.000Z",
"dateUpdated": "2024-08-03T20:48:17.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4247 (GCVE-0-2021-4247)
Vulnerability from cvelistv5 – Published: 2022-12-18 00:00 – Updated: 2025-04-15 13:00
VLAI
Title
OWASP NodeGoat Query Parameter research.js denial of service
Summary
A vulnerability has been found in OWASP NodeGoat and classified as problematic. This vulnerability affects unknown code of the file app/routes/research.js of the component Query Parameter Handler. The manipulation leads to denial of service. The attack can be initiated remotely. The name of the patch is 4a4d1db74c63fb4ff8d366551c3af006c25ead12. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216184.
Severity
4.3 (Medium)
CWE
- CWE-404 - Denial of Service
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:10.332Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/OWASP/NodeGoat/issues/225"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/OWASP/NodeGoat/commit/4a4d1db74c63fb4ff8d366551c3af006c25ead12"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.216184"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4247",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T16:54:48.478096Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T13:00:25.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "NodeGoat",
"vendor": "OWASP",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in OWASP NodeGoat and classified as problematic. This vulnerability affects unknown code of the file app/routes/research.js of the component Query Parameter Handler. The manipulation leads to denial of service. The attack can be initiated remotely. The name of the patch is 4a4d1db74c63fb4ff8d366551c3af006c25ead12. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216184."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-18T00:00:00.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"url": "https://github.com/OWASP/NodeGoat/issues/225"
},
{
"url": "https://github.com/OWASP/NodeGoat/commit/4a4d1db74c63fb4ff8d366551c3af006c25ead12"
},
{
"url": "https://vuldb.com/?id.216184"
}
],
"title": "OWASP NodeGoat Query Parameter research.js denial of service",
"x_generator": "vuldb.com"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2021-4247",
"datePublished": "2022-12-18T00:00:00.000Z",
"dateReserved": "2022-12-18T00:00:00.000Z",
"dateUpdated": "2025-04-15T13:00:25.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4249 (GCVE-0-2021-4249)
Vulnerability from cvelistv5 – Published: 2022-12-18 00:00 – Updated: 2025-04-15 13:00
VLAI
Title
xml-conduit DOCTYPE Entity Expansion Parse.hs infinite loop
Summary
A vulnerability was found in xml-conduit. It has been classified as problematic. Affected is an unknown function of the file xml-conduit/src/Text/XML/Stream/Parse.hs of the component DOCTYPE Entity Expansion Handler. The manipulation leads to infinite loop. It is possible to launch the attack remotely. Upgrading to version 1.9.1.0 is able to address this issue. The name of the patch is 4be1021791dcdee8b164d239433a2043dc0939ea. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216204.
Severity
4.3 (Medium)
CWE
- CWE-404 - Denial of Service -> CWE-835 Infinite Loop
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| unspecified | xml-conduit |
Affected:
0.5.0
Affected: 0.5.0.1 Affected: 0.5.1 Affected: 0.5.1.1 Affected: 0.5.1.2 Affected: 0.5.2 Affected: 0.5.3 Affected: 0.5.3.1 Affected: 0.5.4 Affected: 0.6.0 Affected: 0.6.1 Affected: 0.7.0 Affected: 0.7.0.1 Affected: 0.7.0.2 Affected: 0.7.0.3 Affected: 1.0.0 Affected: 1.0.1 Affected: 1.0.1.1 Affected: 1.0.2 Affected: 1.0.2.1 Affected: 1.0.3 Affected: 1.0.3.1 Affected: 1.0.3.2 Affected: 1.0.3.3 Affected: 1.1.0 Affected: 1.1.0.1 Affected: 1.1.0.2 Affected: 1.1.0.3 Affected: 1.1.0.4 Affected: 1.1.0.5 Affected: 1.1.0.6 Affected: 1.1.0.7 Affected: 1.1.0.8 Affected: 1.1.0.9 Affected: 1.2.0 Affected: 1.2.0.1 Affected: 1.2.0.2 Affected: 1.2.0.3 Affected: 1.2.1 Affected: 1.2.1.1 Affected: 1.2.2 Affected: 1.2.3 Affected: 1.2.3.1 Affected: 1.2.3.2 Affected: 1.2.3.3 Affected: 1.2.4 Affected: 1.2.5 Affected: 1.2.5.1 Affected: 1.2.6 Affected: 1.3.0 Affected: 1.3.1 Affected: 1.3.2 Affected: 1.3.3 Affected: 1.3.3.1 Affected: 1.3.4 Affected: 1.3.4.1 Affected: 1.3.4.2 Affected: 1.3.5 Affected: 1.4.0 Affected: 1.4.0.1 Affected: 1.4.0.2 Affected: 1.4.0.3 Affected: 1.4.0.4 Affected: 1.5.0 Affected: 1.5.1 Affected: 1.6.0 Affected: 1.7.0 Affected: 1.7.0.1 Affected: 1.7.1.0 Affected: 1.7.1.1 Affected: 1.7.1.2 Affected: 1.8.0 Affected: 1.8.0.1 Affected: 1.9.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:09.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snoyberg/xml/pull/161"
},
{
"tags": [
"x_transferred"
],
"url": "https://hackage.haskell.org/package/xml-conduit-1.9.1.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea"
},
{
"tags": [
"x_transferred"
],
"url": "https://vuldb.com/?id.216204"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:02:21.860887Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T13:00:10.630Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xml-conduit",
"vendor": "unspecified",
"versions": [
{
"status": "affected",
"version": "0.5.0"
},
{
"status": "affected",
"version": "0.5.0.1"
},
{
"status": "affected",
"version": "0.5.1"
},
{
"status": "affected",
"version": "0.5.1.1"
},
{
"status": "affected",
"version": "0.5.1.2"
},
{
"status": "affected",
"version": "0.5.2"
},
{
"status": "affected",
"version": "0.5.3"
},
{
"status": "affected",
"version": "0.5.3.1"
},
{
"status": "affected",
"version": "0.5.4"
},
{
"status": "affected",
"version": "0.6.0"
},
{
"status": "affected",
"version": "0.6.1"
},
{
"status": "affected",
"version": "0.7.0"
},
{
"status": "affected",
"version": "0.7.0.1"
},
{
"status": "affected",
"version": "0.7.0.2"
},
{
"status": "affected",
"version": "0.7.0.3"
},
{
"status": "affected",
"version": "1.0.0"
},
{
"status": "affected",
"version": "1.0.1"
},
{
"status": "affected",
"version": "1.0.1.1"
},
{
"status": "affected",
"version": "1.0.2"
},
{
"status": "affected",
"version": "1.0.2.1"
},
{
"status": "affected",
"version": "1.0.3"
},
{
"status": "affected",
"version": "1.0.3.1"
},
{
"status": "affected",
"version": "1.0.3.2"
},
{
"status": "affected",
"version": "1.0.3.3"
},
{
"status": "affected",
"version": "1.1.0"
},
{
"status": "affected",
"version": "1.1.0.1"
},
{
"status": "affected",
"version": "1.1.0.2"
},
{
"status": "affected",
"version": "1.1.0.3"
},
{
"status": "affected",
"version": "1.1.0.4"
},
{
"status": "affected",
"version": "1.1.0.5"
},
{
"status": "affected",
"version": "1.1.0.6"
},
{
"status": "affected",
"version": "1.1.0.7"
},
{
"status": "affected",
"version": "1.1.0.8"
},
{
"status": "affected",
"version": "1.1.0.9"
},
{
"status": "affected",
"version": "1.2.0"
},
{
"status": "affected",
"version": "1.2.0.1"
},
{
"status": "affected",
"version": "1.2.0.2"
},
{
"status": "affected",
"version": "1.2.0.3"
},
{
"status": "affected",
"version": "1.2.1"
},
{
"status": "affected",
"version": "1.2.1.1"
},
{
"status": "affected",
"version": "1.2.2"
},
{
"status": "affected",
"version": "1.2.3"
},
{
"status": "affected",
"version": "1.2.3.1"
},
{
"status": "affected",
"version": "1.2.3.2"
},
{
"status": "affected",
"version": "1.2.3.3"
},
{
"status": "affected",
"version": "1.2.4"
},
{
"status": "affected",
"version": "1.2.5"
},
{
"status": "affected",
"version": "1.2.5.1"
},
{
"status": "affected",
"version": "1.2.6"
},
{
"status": "affected",
"version": "1.3.0"
},
{
"status": "affected",
"version": "1.3.1"
},
{
"status": "affected",
"version": "1.3.2"
},
{
"status": "affected",
"version": "1.3.3"
},
{
"status": "affected",
"version": "1.3.3.1"
},
{
"status": "affected",
"version": "1.3.4"
},
{
"status": "affected",
"version": "1.3.4.1"
},
{
"status": "affected",
"version": "1.3.4.2"
},
{
"status": "affected",
"version": "1.3.5"
},
{
"status": "affected",
"version": "1.4.0"
},
{
"status": "affected",
"version": "1.4.0.1"
},
{
"status": "affected",
"version": "1.4.0.2"
},
{
"status": "affected",
"version": "1.4.0.3"
},
{
"status": "affected",
"version": "1.4.0.4"
},
{
"status": "affected",
"version": "1.5.0"
},
{
"status": "affected",
"version": "1.5.1"
},
{
"status": "affected",
"version": "1.6.0"
},
{
"status": "affected",
"version": "1.7.0"
},
{
"status": "affected",
"version": "1.7.0.1"
},
{
"status": "affected",
"version": "1.7.1.0"
},
{
"status": "affected",
"version": "1.7.1.1"
},
{
"status": "affected",
"version": "1.7.1.2"
},
{
"status": "affected",
"version": "1.8.0"
},
{
"status": "affected",
"version": "1.8.0.1"
},
{
"status": "affected",
"version": "1.9.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in xml-conduit. It has been classified as problematic. Affected is an unknown function of the file xml-conduit/src/Text/XML/Stream/Parse.hs of the component DOCTYPE Entity Expansion Handler. The manipulation leads to infinite loop. It is possible to launch the attack remotely. Upgrading to version 1.9.1.0 is able to address this issue. The name of the patch is 4be1021791dcdee8b164d239433a2043dc0939ea. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216204."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Denial of Service -\u003e CWE-835 Infinite Loop",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-18T00:00:00.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"url": "https://github.com/snoyberg/xml/pull/161"
},
{
"url": "https://hackage.haskell.org/package/xml-conduit-1.9.1.0"
},
{
"url": "https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea"
},
{
"url": "https://vuldb.com/?id.216204"
}
],
"title": "xml-conduit DOCTYPE Entity Expansion Parse.hs infinite loop",
"x_generator": "vuldb.com"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2021-4249",
"datePublished": "2022-12-18T00:00:00.000Z",
"dateReserved": "2022-12-18T00:00:00.000Z",
"dateUpdated": "2025-04-15T13:00:10.630Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4250 (GCVE-0-2021-4250)
Vulnerability from cvelistv5 – Published: 2022-12-18 00:00 – Updated: 2024-08-03 17:23
VLAI
Title
cgriego active_attr Regex boolean_typecaster.rb call denial of service
Summary
A vulnerability classified as problematic has been found in cgriego active_attr up to 0.15.2. This affects the function call of the file lib/active_attr/typecasting/boolean_typecaster.rb of the component Regex Handler. The manipulation of the argument value leads to denial of service. The exploit has been disclosed to the public and may be used. Upgrading to version 0.15.3 is able to address this issue. The name of the patch is dab95e5843b01525444b82bd7b336ef1d79377df. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216207.
Severity
CWE
- CWE-404 - Denial of Service
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.216207 | technical-descriptionvdb-entry |
| https://github.com/cgriego/active_attr/issues/184 | exploitissue-tracking |
| https://github.com/cgriego/active_attr/pull/185 | related |
| https://github.com/cgriego/active_attr/commit/dab… | mitigationpatch |
| https://github.com/cgriego/active_attr/releases/t… | mitigation |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cgriego | active_attr |
Affected:
0.15.0
Affected: 0.15.1 Affected: 0.15.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:09.957Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"technical-description",
"vdb-entry",
"x_transferred"
],
"url": "https://vuldb.com/?id.216207"
},
{
"tags": [
"exploit",
"issue-tracking",
"x_transferred"
],
"url": "https://github.com/cgriego/active_attr/issues/184"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://github.com/cgriego/active_attr/pull/185"
},
{
"tags": [
"mitigation",
"patch",
"x_transferred"
],
"url": "https://github.com/cgriego/active_attr/commit/dab95e5843b01525444b82bd7b336ef1d79377df"
},
{
"tags": [
"mitigation",
"x_transferred"
],
"url": "https://github.com/cgriego/active_attr/releases/tag/v0.15.3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"Regex Handler"
],
"product": "active_attr",
"vendor": "cgriego",
"versions": [
{
"status": "affected",
"version": "0.15.0"
},
{
"status": "affected",
"version": "0.15.1"
},
{
"status": "affected",
"version": "0.15.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in cgriego active_attr up to 0.15.2. This affects the function call of the file lib/active_attr/typecasting/boolean_typecaster.rb of the component Regex Handler. The manipulation of the argument value leads to denial of service. The exploit has been disclosed to the public and may be used. Upgrading to version 0.15.3 is able to address this issue. The name of the patch is dab95e5843b01525444b82bd7b336ef1d79377df. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216207."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in cgriego active_attr bis 0.15.2 entdeckt. Sie wurde als problematisch eingestuft. Es geht dabei um die Funktion call der Datei lib/active_attr/typecasting/boolean_typecaster.rb der Komponente Regex Handler. Mit der Manipulation des Arguments value mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 0.15.3 vermag dieses Problem zu l\u00f6sen. Der Patch wird als dab95e5843b01525444b82bd7b336ef1d79377df bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-24T21:49:20.118Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"technical-description",
"vdb-entry"
],
"url": "https://vuldb.com/?id.216207"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/cgriego/active_attr/issues/184"
},
{
"tags": [
"related"
],
"url": "https://github.com/cgriego/active_attr/pull/185"
},
{
"tags": [
"mitigation",
"patch"
],
"url": "https://github.com/cgriego/active_attr/commit/dab95e5843b01525444b82bd7b336ef1d79377df"
},
{
"tags": [
"mitigation"
],
"url": "https://github.com/cgriego/active_attr/releases/tag/v0.15.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-12-18T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2022-12-18T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2022-12-24T15:05:01.000Z",
"value": "VulDB last update"
}
],
"title": "cgriego active_attr Regex boolean_typecaster.rb call denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2021-4250",
"datePublished": "2022-12-18T00:00:00.000Z",
"dateReserved": "2022-12-18T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:23:09.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4280 (GCVE-0-2021-4280)
Vulnerability from cvelistv5 – Published: 2022-12-25 19:51 – Updated: 2025-04-14 17:26
VLAI
Title
styler_praat_scripts Slash file_segmenter.praat denial of service
Summary
A vulnerability was found in styler_praat_scripts. It has been classified as problematic. Affected is an unknown function of the file file_segmenter.praat of the component Slash Handler. The manipulation leads to denial of service. It is possible to launch the attack remotely. The name of the patch is 0cad44aa4a3eb0ecdba071c10eaff16023d8b35f. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216780.
Severity
4.3 (Medium)
4.3 (Medium)
CWE
- CWE-404 - Denial of Service
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.216780 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.216780 | signaturepermissions-required |
| https://github.com/stylerw/styler_praat_scripts/c… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | styler_praat_scripts |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:09.888Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.216780"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.216780"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://github.com/stylerw/styler_praat_scripts/commit/0cad44aa4a3eb0ecdba071c10eaff16023d8b35f"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T16:59:31.124113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T17:26:58.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Slash Handler"
],
"product": "styler_praat_scripts",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in styler_praat_scripts. It has been classified as problematic. Affected is an unknown function of the file file_segmenter.praat of the component Slash Handler. The manipulation leads to denial of service. It is possible to launch the attack remotely. The name of the patch is 0cad44aa4a3eb0ecdba071c10eaff16023d8b35f. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216780."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in styler_praat_scripts ausgemacht. Es betrifft eine unbekannte Funktion der Datei file_segmenter.praat der Komponente Slash Handler. Durch die Manipulation mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Patch wird als 0cad44aa4a3eb0ecdba071c10eaff16023d8b35f bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-25T19:51:16.250Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.216780"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.216780"
},
{
"tags": [
"patch"
],
"url": "https://github.com/stylerw/styler_praat_scripts/commit/0cad44aa4a3eb0ecdba071c10eaff16023d8b35f"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-12-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2022-12-25T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2022-12-25T20:56:13.000Z",
"value": "VulDB last update"
}
],
"title": "styler_praat_scripts Slash file_segmenter.praat denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2021-4280",
"datePublished": "2022-12-25T19:51:16.250Z",
"dateReserved": "2022-12-25T19:50:02.695Z",
"dateUpdated": "2025-04-14T17:26:58.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4432 (GCVE-0-2021-4432)
Vulnerability from cvelistv5 – Published: 2024-01-16 14:31 – Updated: 2025-06-17 21:19
VLAI
Title
PCMan FTP Server USER Command denial of service
Summary
A vulnerability was found in PCMan FTP Server 2.0.7. It has been classified as problematic. This affects an unknown part of the component USER Command Handler. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250719.
Severity
5.3 (Medium)
5.3 (Medium)
CWE
- CWE-404 - Denial of Service
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.250719 | vdb-entry |
| https://vuldb.com/?ctiid.250719 | signaturepermissions-required |
| https://packetstormsecurity.com/files/163104/PCMa… | related |
| https://0day.today/exploit/description/36412 | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PCMan | FTP Server |
Affected:
2.0.7
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:30:07.131Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://vuldb.com/?id.250719"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.250719"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/163104/PCMan-FTP-Server-2.0.7-Denial-Of-Service.html"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://0day.today/exploit/description/36412"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4432",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-18T01:34:02.888548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:19:14.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"USER Command Handler"
],
"product": "FTP Server",
"vendor": "PCMan",
"versions": [
{
"status": "affected",
"version": "2.0.7"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fernando.mengali (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in PCMan FTP Server 2.0.7. It has been classified as problematic. This affects an unknown part of the component USER Command Handler. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250719."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in PCMan FTP Server 2.0.7 ausgemacht. Sie wurde als problematisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf der Komponente USER Command Handler. Durch das Manipulieren mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T14:31:03.717Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.250719"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.250719"
},
{
"tags": [
"related"
],
"url": "https://packetstormsecurity.com/files/163104/PCMan-FTP-Server-2.0.7-Denial-Of-Service.html"
},
{
"tags": [
"exploit"
],
"url": "https://0day.today/exploit/description/36412"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-14T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-01-14T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-14T20:32:11.000Z",
"value": "VulDB entry last update"
}
],
"title": "PCMan FTP Server USER Command denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2021-4432",
"datePublished": "2024-01-16T14:31:03.717Z",
"dateReserved": "2024-01-14T19:26:57.126Z",
"dateUpdated": "2025-06-17T21:19:14.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4433 (GCVE-0-2021-4433)
Vulnerability from cvelistv5 – Published: 2024-01-18 00:31 – Updated: 2024-10-23 18:22
VLAI
Title
Karjasoft Sami HTTP Server HTTP HEAD Rrequest denial of service
Summary
A vulnerability was found in Karjasoft Sami HTTP Server 2.0. It has been classified as problematic. Affected is an unknown function of the component HTTP HEAD Rrequest Handler. The manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250836.
Severity
5.3 (Medium)
5.3 (Medium)
CWE
- CWE-404 - Denial of Service
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.250836 | vdb-entry |
| https://vuldb.com/?ctiid.250836 | signaturepermissions-required |
| https://packetstormsecurity.com/files/163138/Sami… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Karjasoft | Sami HTTP Server |
Affected:
2.0
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:30:07.081Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://vuldb.com/?id.250836"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.250836"
},
{
"tags": [
"exploit",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/163138/Sami-HTTP-Server-2.0-Denial-Of-Service.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4433",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T18:21:08.931814Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T18:22:58.309Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP HEAD Rrequest Handler"
],
"product": "Sami HTTP Server",
"vendor": "Karjasoft",
"versions": [
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fernando.mengali (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Karjasoft Sami HTTP Server 2.0. It has been classified as problematic. Affected is an unknown function of the component HTTP HEAD Rrequest Handler. The manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250836."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in Karjasoft Sami HTTP Server 2.0 ausgemacht. Hiervon betroffen ist ein unbekannter Codeblock der Komponente HTTP HEAD Rrequest Handler. Durch die Manipulation mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-18T00:31:03.590Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.250836"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.250836"
},
{
"tags": [
"exploit"
],
"url": "https://packetstormsecurity.com/files/163138/Sami-HTTP-Server-2.0-Denial-Of-Service.html"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-01-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2024-01-16T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-16T16:27:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "Karjasoft Sami HTTP Server HTTP HEAD Rrequest denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2021-4433",
"datePublished": "2024-01-18T00:31:03.590Z",
"dateReserved": "2024-01-16T15:21:53.574Z",
"dateUpdated": "2024-10-23T18:22:58.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1289 (GCVE-0-2022-1289)
Vulnerability from cvelistv5 – Published: 2022-04-10 15:15 – Updated: 2025-04-15 14:41
VLAI
Title
tildearrow Furnace Incomplete Fix CVE-2022-1211 denial of service
Summary
A denial of service vulnerability was found in tildearrow Furnace. It has been classified as problematic. This is due to an incomplete fix of CVE-2022-1211. It is possible to initiate the attack remotely but it requires user interaction. The issue got fixed with the patch 0eb02422d5161767e9983bdaa5c429762d3477ce.
Severity
4.3 (Medium)
CWE
- CWE-404 - Denial of Service
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/tildearrow/furnace/issues/325#… | x_refsource_MISC |
| https://github.com/tildearrow/furnace/commit/0eb0… | x_refsource_MISC |
| https://vuldb.com/?id.196755 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tildearrow | Furnace |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.630Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tildearrow/furnace/issues/325#issuecomment-1094139655"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tildearrow/furnace/commit/0eb02422d5161767e9983bdaa5c429762d3477ce"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://vuldb.com/?id.196755"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-1289",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:13:59.249714Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T14:41:32.876Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Furnace",
"vendor": "tildearrow",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A denial of service vulnerability was found in tildearrow Furnace. It has been classified as problematic. This is due to an incomplete fix of CVE-2022-1211. It is possible to initiate the attack remotely but it requires user interaction. The issue got fixed with the patch 0eb02422d5161767e9983bdaa5c429762d3477ce."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404 Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-10T15:15:15.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tildearrow/furnace/issues/325#issuecomment-1094139655"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tildearrow/furnace/commit/0eb02422d5161767e9983bdaa5c429762d3477ce"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://vuldb.com/?id.196755"
}
],
"title": "tildearrow Furnace Incomplete Fix CVE-2022-1211 denial of service",
"x_generator": "vuldb.com",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@vuldb.com",
"ID": "CVE-2022-1289",
"REQUESTER": "cna@vuldb.com",
"STATE": "PUBLIC",
"TITLE": "tildearrow Furnace Incomplete Fix CVE-2022-1211 denial of service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Furnace",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "tildearrow"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A denial of service vulnerability was found in tildearrow Furnace. It has been classified as problematic. This is due to an incomplete fix of CVE-2022-1211. It is possible to initiate the attack remotely but it requires user interaction. The issue got fixed with the patch 0eb02422d5161767e9983bdaa5c429762d3477ce."
}
]
},
"generator": "vuldb.com",
"impact": {
"cvss": {
"baseScore": "4.3",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-404 Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/tildearrow/furnace/issues/325#issuecomment-1094139655",
"refsource": "MISC",
"url": "https://github.com/tildearrow/furnace/issues/325#issuecomment-1094139655"
},
{
"name": "https://github.com/tildearrow/furnace/commit/0eb02422d5161767e9983bdaa5c429762d3477ce",
"refsource": "MISC",
"url": "https://github.com/tildearrow/furnace/commit/0eb02422d5161767e9983bdaa5c429762d3477ce"
},
{
"name": "https://vuldb.com/?id.196755",
"refsource": "MISC",
"url": "https://vuldb.com/?id.196755"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2022-1289",
"datePublished": "2022-04-10T15:15:15.000Z",
"dateReserved": "2022-04-10T00:00:00.000Z",
"dateUpdated": "2025-04-15T14:41:32.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation ID: MIT-3
Phase: Requirements
Strategy: Language Selection
Description:
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
Phase: Implementation
Description:
- It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free memory in a function. If you allocate memory that you intend to free upon completion of the function, you must be sure to free the memory at all exit points for that function including error conditions.
Mitigation
Phase: Implementation
Description:
- Memory should be allocated/freed using matching functions such as malloc/free, new/delete, and new[]/delete[].
Mitigation
Phase: Implementation
Description:
- When releasing a complex object or structure, ensure that you properly dispose of all of its member components, not just the object itself.
CAPEC-125: Flooding
An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.
CAPEC-130: Excessive Allocation
An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.
CAPEC-131: Resource Leak Exposure
An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.
CAPEC-494: TCP Fragmentation
An adversary may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules of network controls, by attempting to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered.
CAPEC-495: UDP Fragmentation
An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.
CAPEC-496: ICMP Fragmentation
An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.
CAPEC-666: BlueSmacking
An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device.