Common Weakness Enumeration

CWE-1025

Allowed

Comparison Using Wrong Factors

Abstraction: Base · Status: Incomplete

The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

19 vulnerabilities reference this CWE, most recent first.

CVE-2024-20342 (GCVE-0-2024-20342)

Vulnerability from cvelistv5 – Published: 2024-10-23 17:09 – Updated: 2025-01-13 17:46
VLAI
Title
Cisco Firepower Threat Defense Software Rate Filter Bypass Vulnerability
Summary
Multiple Cisco products are affected by a vulnerability in the rate filtering feature of the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured rate limiting filter.  This vulnerability is due to an incorrect connection count comparison. An attacker could exploit this vulnerability by sending traffic through an affected device at a rate that exceeds a configured rate filter. A successful exploit could allow the attacker to successfully bypass the rate filter. This could allow unintended traffic to enter the network protected by the affected device.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1025 - Comparison Using Wrong Factors
Assigner
Impacted products
Vendor Product Version
Cisco Cisco Firepower Threat Defense Software Affected: 7.0.0
Affected: 7.0.0.1
Affected: 7.0.1
Affected: 7.1.0
Affected: 7.0.1.1
Affected: 7.1.0.1
Affected: 7.0.2
Affected: 7.2.0
Affected: 7.0.2.1
Affected: 7.0.3
Affected: 7.1.0.2
Affected: 7.2.0.1
Affected: 7.0.4
Affected: 7.2.1
Affected: 7.0.5
Affected: 7.3.0
Affected: 7.2.2
Affected: 7.2.3
Affected: 7.3.1
Affected: 7.1.0.3
Affected: 7.2.4
Affected: 7.0.6
Affected: 7.2.5
Affected: 7.2.4.1
Affected: 7.3.1.1
Affected: 7.4.0
Affected: 7.0.6.1
Affected: 7.2.5.1
Affected: 7.4.1
Affected: 7.4.1.1
Affected: 7.2.5.2
Affected: 7.3.1.2
Create a notification for this product.
cisco firepower_threat_defense_software Affected: 6.7.0 , ≤ 7.4.1.1 (custom)
    cpe:2.3:a:cisco:firepower_threat_defense_software:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:cisco:firepower_threat_defense_software:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "firepower_threat_defense_software",
            "vendor": "cisco",
            "versions": [
              {
                "lessThanOrEqual": "7.4.1.1",
                "status": "affected",
                "version": "6.7.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-20342",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-23T18:42:45.746828Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-24T15:08:36.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Cisco Firepower Threat Defense Software",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "7.0.0"
            },
            {
              "status": "affected",
              "version": "7.0.0.1"
            },
            {
              "status": "affected",
              "version": "7.0.1"
            },
            {
              "status": "affected",
              "version": "7.1.0"
            },
            {
              "status": "affected",
              "version": "7.0.1.1"
            },
            {
              "status": "affected",
              "version": "7.1.0.1"
            },
            {
              "status": "affected",
              "version": "7.0.2"
            },
            {
              "status": "affected",
              "version": "7.2.0"
            },
            {
              "status": "affected",
              "version": "7.0.2.1"
            },
            {
              "status": "affected",
              "version": "7.0.3"
            },
            {
              "status": "affected",
              "version": "7.1.0.2"
            },
            {
              "status": "affected",
              "version": "7.2.0.1"
            },
            {
              "status": "affected",
              "version": "7.0.4"
            },
            {
              "status": "affected",
              "version": "7.2.1"
            },
            {
              "status": "affected",
              "version": "7.0.5"
            },
            {
              "status": "affected",
              "version": "7.3.0"
            },
            {
              "status": "affected",
              "version": "7.2.2"
            },
            {
              "status": "affected",
              "version": "7.2.3"
            },
            {
              "status": "affected",
              "version": "7.3.1"
            },
            {
              "status": "affected",
              "version": "7.1.0.3"
            },
            {
              "status": "affected",
              "version": "7.2.4"
            },
            {
              "status": "affected",
              "version": "7.0.6"
            },
            {
              "status": "affected",
              "version": "7.2.5"
            },
            {
              "status": "affected",
              "version": "7.2.4.1"
            },
            {
              "status": "affected",
              "version": "7.3.1.1"
            },
            {
              "status": "affected",
              "version": "7.4.0"
            },
            {
              "status": "affected",
              "version": "7.0.6.1"
            },
            {
              "status": "affected",
              "version": "7.2.5.1"
            },
            {
              "status": "affected",
              "version": "7.4.1"
            },
            {
              "status": "affected",
              "version": "7.4.1.1"
            },
            {
              "status": "affected",
              "version": "7.2.5.2"
            },
            {
              "status": "affected",
              "version": "7.3.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple Cisco products are affected by a vulnerability in the rate filtering feature of the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured rate limiting filter.\u0026nbsp;\r\n\r\nThis vulnerability is due to an incorrect connection count comparison. An attacker could exploit this vulnerability by sending traffic through an affected device at a rate that exceeds a configured rate filter. A successful exploit could allow the attacker to successfully bypass the rate filter. This could allow unintended traffic to enter the network protected by the affected device."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1025",
              "description": "Comparison Using Wrong Factors",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-13T17:46:29.797Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-snort-rf-bypass-OY8f3pnM",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-rf-bypass-OY8f3pnM"
        }
      ],
      "source": {
        "advisory": "cisco-sa-snort-rf-bypass-OY8f3pnM",
        "defects": [
          "CSCwf93293"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Firepower Threat Defense Software Rate Filter Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2024-20342",
    "datePublished": "2024-10-23T17:09:27.934Z",
    "dateReserved": "2023-11-08T15:08:07.643Z",
    "dateUpdated": "2025-01-13T17:46:29.797Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-76G3-38JV-WXH4

Vulnerability from github – Published: 2025-03-28 14:49 – Updated: 2025-10-14 21:59
VLAI
Summary
tough timestamp metadata is cached when it fails snapshot rollback check
Details

Summary

TUF repositories use the timestamp role to protect against rollback events by enabling an automated process to periodically sign the role's metadata. While tough will ensure that the version of snapshot metadata in new timestamp metadata files was always greater than or equal to the previously trusted version, it will only do so after persisting the timestamp metadata to its cache.

Impact

If the tough client successfully detects a rollback event in which timestamp metadata contains outdated snapshot metadata, the invalid timestamp metadata will still be persisted to cache as trusted. tough may then subsequently incorrectly identify valid timestamp metadata as being rolled back, preventing the client from consuming valid updates.

Impacted versions: < v0.20.0

Patches

A fix for this issue is available in tough version 0.20.0 and later. Customers are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

Workarounds

There is no recommended work around. Customers are advised to upgrade to version 0.20.0 or the latest version.

References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

Acknowledgement

These issues were identified by the TUF-Conformance project. We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tough"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-2888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1025"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-28T14:49:47Z",
    "nvd_published_at": "2025-03-27T23:15:35Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nTUF repositories use the timestamp role to protect against rollback events by enabling an automated process to periodically sign the role\u0027s metadata. While tough will ensure that the version of snapshot metadata in new timestamp metadata files was always greater than or equal to the previously trusted version, it will only do so after persisting the timestamp metadata to its cache.\n\n## Impact\n\nIf the tough client successfully detects a rollback event in which timestamp metadata contains outdated snapshot metadata, the invalid timestamp metadata will still be persisted to cache as trusted. tough may then subsequently incorrectly identify valid timestamp metadata as being rolled back, preventing the client from consuming valid updates.\n\nImpacted versions: \u003c v0.20.0\n\n## Patches\n\nA fix for this issue is available in tough version 0.20.0 and later. Customers are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\n\n## Workarounds\n\nThere is no recommended work around. Customers are advised to upgrade to version 0.20.0 or the latest version.\n\n## References\n\nIf you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n\n[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting\n\n## Acknowledgement\n\nThese issues were identified by the [TUF-Conformance project](https://github.com/theupdateframework/tuf-conformance). We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.",
  "id": "GHSA-76g3-38jv-wxh4",
  "modified": "2025-10-14T21:59:01Z",
  "published": "2025-03-28T14:49:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2888"
    },
    {
      "type": "WEB",
      "url": "https://github.com/awslabs/tough/commit/9b400e1c8b7d6b9ab8009104fa7fe5884db05f18"
    },
    {
      "type": "WEB",
      "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/awslabs/tough"
    },
    {
      "type": "WEB",
      "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "tough timestamp metadata is cached when it fails snapshot rollback check"
}

GHSA-79QW-G39G-MFXC

Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-30 03:37
VLAI
Details

A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9800"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1025"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T17:17:04Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.",
  "id": "GHSA-79qw-g39g-mfxc",
  "modified": "2026-06-30T03:37:13Z",
  "published": "2026-06-25T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30049"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30050"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30083"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30084"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-9800"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482472"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9800.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FRG5-H47X-75J9

Vulnerability from github – Published: 2025-04-09 04:18 – Updated: 2025-04-24 00:31
VLAI
Details

HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32464"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1025"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-09T03:15:16Z",
    "severity": "MODERATE"
  },
  "details": "HAProxy 2.2 through 3.1.6, in certain uncommon configurations, has a sample_conv_regsub heap-based buffer overflow because of mishandling of the replacement of multiple short patterns with a longer one.",
  "id": "GHSA-frg5-h47x-75j9",
  "modified": "2025-04-24T00:31:19Z",
  "published": "2025-04-09T04:18:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32464"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haproxy/haproxy/commit/3e3b9eebf871510aee36c3a3336faac2f38c9559"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00031.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HF42-4QWP-GC9R

Vulnerability from github – Published: 2024-10-23 18:33 – Updated: 2024-10-23 18:33
VLAI
Details

Multiple Cisco products are affected by a vulnerability in the rate filtering feature of the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured rate limiting filter.

This vulnerability is due to an incorrect connection count comparison. An attacker could exploit this vulnerability by sending traffic through an affected device at a rate that exceeds a configured rate filter. A successful exploit could allow the attacker to successfully bypass the rate filter. This could allow unintended traffic to enter the network protected by the affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1025"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-23T17:15:18Z",
    "severity": "MODERATE"
  },
  "details": "Multiple Cisco products are affected by a vulnerability in the rate filtering feature of the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured rate limiting filter.\n\nThis vulnerability is due to an incorrect connection count comparison. An attacker could exploit this vulnerability by sending traffic through an affected device at a rate that exceeds a configured rate filter. A successful exploit could allow the attacker to successfully bypass the rate filter. This could allow unintended traffic to enter the network protected by the affected device.",
  "id": "GHSA-hf42-4qwp-gc9r",
  "modified": "2024-10-23T18:33:09Z",
  "published": "2024-10-23T18:33:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20342"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-xss-yjj7ZjVq"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-M446vbEO"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-rf-bypass-OY8f3pnM"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75300"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMQJ-768C-PW4R

Vulnerability from github – Published: 2025-03-08 00:31 – Updated: 2025-03-08 00:31
VLAI
Details

operations/attestation/AttestationTask.kt in the Tangem SDK before 5.18.3 for Android has a logic flow in offline wallet attestation (genuineness check) that causes verification results to be disregarded during the first scan of a card. Exploitation may not have been possible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1025"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-08T00:15:38Z",
    "severity": "LOW"
  },
  "details": "operations/attestation/AttestationTask.kt in the Tangem SDK before 5.18.3 for Android has a logic flow in offline wallet attestation (genuineness check) that causes verification results to be disregarded during the first scan of a card. Exploitation may not have been possible.",
  "id": "GHSA-jmqj-768c-pw4r",
  "modified": "2025-03-08T00:31:22Z",
  "published": "2025-03-08T00:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27839"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tangem/tangem-sdk-android/commit/24588188fdb51ed469cd59d2c595128c1fe63b07"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tangem/tangem-sdk-android/releases/tag/release-app_5.18-409"
    },
    {
      "type": "WEB",
      "url": "https://tangem.com/en/blog/post/app-update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q6R9-R9PW-4CF7

Vulnerability from github – Published: 2025-03-28 14:48 – Updated: 2025-10-14 21:58
VLAI
Summary
tough failure to detect delegated target rollback
Details

Summary

When updating the snapshot role, TUF clients should ensure that any previously encountered targets or delegated targets metadata files continue to be present in new snapshot metadata files. Likewise, the new targets and delegated targets metadata versions must be greater than or equal to the previously encountered versions. While tough will perform this check for targets metadata files, it did not perform this check for delegated targets files.

Impact

tough could fail to detect cases where delegated targets metadata was removed or rolled back to a previous version. As a result, tough could trust and download outdated targets that it should reject.

Impacted versions: < v0.20.0

Patches

A fix for this issue is available in tough version 0.20.0 and later. Customers are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

Workarounds

There is no recommended work around. Customers are advised to upgrade to version 0.20.0 or the latest version.

References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

Acknowledgement

These issues were identified by the TUF-Conformance project. We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "tough"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-2887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1025"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-28T14:48:54Z",
    "nvd_published_at": "2025-03-27T23:15:35Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nWhen updating the snapshot role, TUF clients should ensure that any previously encountered targets or delegated targets metadata files continue to be present in new snapshot metadata files. Likewise, the new targets and delegated targets metadata versions must be greater than or equal to the previously encountered versions. While tough will perform this check for targets metadata files, it did not perform this check for delegated targets files.\n\n## Impact\n\ntough could fail to detect cases where delegated targets metadata was removed or rolled back to a previous version. As a result, tough could trust and download outdated targets that it should reject.\n\nImpacted versions: \u003c v0.20.0\n\n## Patches\n\nA fix for this issue is available in tough version 0.20.0 and later. Customers are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\n\n## Workarounds\n\nThere is no recommended work around. Customers are advised to upgrade to version 0.20.0 or the latest version.\n\n## References\n\nIf you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.\n\n\n[1] Vulnerability reporting page: [https://aws.amazon.com/security/vulnerability-reporting](https://aws.amazon.com/security/vulnerability-reporting%EF%BF%BC)\n\n## Acknowledgement\n\nThese issues were identified by the [TUF-Conformance project](https://github.com/theupdateframework/tuf-conformance). We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.",
  "id": "GHSA-q6r9-r9pw-4cf7",
  "modified": "2025-10-14T21:58:57Z",
  "published": "2025-03-28T14:48:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2887"
    },
    {
      "type": "WEB",
      "url": "https://github.com/awslabs/tough/commit/3345151a87c358d1ce43aeb7e8b3ebea5ebdbab4"
    },
    {
      "type": "WEB",
      "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/awslabs/tough"
    },
    {
      "type": "WEB",
      "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "tough failure to detect delegated target rollback"
}

GHSA-X53V-PXF5-CHX6

Vulnerability from github – Published: 2026-04-10 18:31 – Updated: 2026-04-10 18:31
VLAI
Details

In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-40227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1025"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-10T16:16:33Z",
    "severity": "MODERATE"
  },
  "details": "In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.",
  "id": "GHSA-x53v-pxf5-chx6",
  "modified": "2026-04-10T18:31:18Z",
  "published": "2026-04-10T18:31:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/systemd/systemd/security/advisories/GHSA-848h-497j-8vjq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40227"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XVJ8-PH7X-65GF

Vulnerability from github – Published: 2026-04-18 00:41 – Updated: 2026-04-27 16:17
VLAI
Summary
Zebra: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks
Details

CVE-2026-40880: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks

Summary

A logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height H+1 but invalid for H+2 and then mining that transaction in a block at height H+2, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network.

Severity

High - This is a Consensus Vulnerability that could allow a malicious miner to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.

Affected Versions

All Zebra versions prior to version 4.3.1. (Some older versions are not affected but are no longer supported by the network)

Description

The vulnerability exists due to a performance optimization whose goal is to improve performance of transaction validation if the transaction was previously accepted into the mempool (and thus was verified as valid). That however did not take into account that a transaction can be valid for a specific height, but invalid at higher heights; for example, it can contain an expiry height, a lock time, and it is always bound to a network upgrade, all of which are height-dependant.

An attacker (specifically a malicious miner) could exploit this by (e.g. in the expiry height case):

  • Submitting a transaction with expiry height H+1 (where H is the height of the current tip)
  • Mining a block H+1, and a block H+2 that contains that same transaction, and submitting block H+2 before H+1
  • Zebra nodes would accept H+2 as valid (pending contextual verification) and wait for block H+1; when it arrives, Zebra would commit both blocks even if H+2 contains an expired transaction
  • Other nodes (like zcashd or zebrad nodes without that transaction in their mempool) reject the block, resulting in a chain fork where the poisoned Zebra node is isolated.

Impact

Consensus Failure

Attack Vector: Network (specifically via a malicious miner). Effect: Network partition/consensus split. Scope: Any Zebra node utilizing the transaction verification cache optimization for V5 transactions.

Fixed Versions

This issue is fixed in Zebra 4.3.1.

We removed the performance optimization altogether, since we deemed it too risky.

The fix ensures that verification is only skipped if the transaction's full integrity—including authorization data—is validated against the mempool entry.

Mitigation

Users should upgrade to Zebra 4.3.0 or later immediately.

There are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks.

Credits

Thanks to @sangsoo-osec for a thorough advisory submission that noticed the lock time issue, and to @shieldedonly with an also thorough advisory (that was submitted while we were working on the first one) who noticed that the issue applied to other aspects of the transaction validation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "zebra-consensus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "zebrad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1025"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-18T00:41:54Z",
    "nvd_published_at": "2026-04-21T20:17:01Z",
    "severity": "HIGH"
  },
  "details": "# CVE-2026-40880: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks\n\n## Summary\n\nA logic error in Zebra\u0027s transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height `H+1` but invalid for `H+2` and then mining that transaction in a block at height `H+2`, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network.\n\n## Severity\n\nHigh - This is a Consensus Vulnerability that could allow a malicious miner to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.\n\n## Affected Versions\n\nAll Zebra versions prior to version 4.3.1. (Some older versions are not affected but are no longer supported by the network)\n\n## Description\n\nThe vulnerability exists due to a performance optimization whose goal is to improve performance of transaction validation if the transaction was previously accepted into the mempool (and thus was verified as valid). That however did not take into account that a transaction can be valid for a specific height, but invalid at higher heights; for example, it can contain an expiry height, a lock time, and it is always bound to a network upgrade, all of which are height-dependant.\n\nAn attacker (specifically a malicious miner) could exploit this by (e.g. in the expiry height case):\n\n- Submitting a transaction with expiry height `H+1` (where `H` is the height of the current tip)\n- Mining a block `H+1`, and a block `H+2` that contains that same transaction, and submitting block `H+2` before `H+1`\n- Zebra nodes would accept `H+2` as valid (pending contextual verification) and wait for block `H+1`; when it arrives, Zebra would commit both blocks even if `H+2` contains an expired transaction\n- Other nodes (like `zcashd` or `zebrad` nodes without that transaction in their mempool) reject the block, resulting in a chain fork where the poisoned Zebra node is isolated.\n\n## Impact\n\n**Consensus Failure**\n\n**Attack Vector**: Network (specifically via a malicious miner).\n**Effect**: Network partition/consensus split.\n**Scope**: Any Zebra node utilizing the transaction verification cache optimization for V5 transactions.\n\n## Fixed Versions\n\nThis issue is fixed in **Zebra 4.3.1**.\n\nWe removed the performance optimization altogether, since we deemed it too risky.\n\nThe fix ensures that verification is only skipped if the transaction\u0027s full integrity\u2014including authorization data\u2014is validated against the mempool entry.\n\n## Mitigation\n\nUsers should upgrade to Zebra 4.3.0 or later immediately.\n\nThere are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks.\n\n## Credits\n\nThanks to @sangsoo-osec for a thorough advisory submission that noticed the lock time issue, and to @shieldedonly with an also thorough advisory (that was submitted while we were working on the first one) who noticed that the issue applied to other aspects of the transaction validation.",
  "id": "GHSA-xvj8-ph7x-65gf",
  "modified": "2026-04-27T16:17:07Z",
  "published": "2026-04-18T00:41:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-xvj8-ph7x-65gf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40880"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ZcashFoundation/zebra"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Zebra: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.