Common Weakness Enumeration

CWE-1059

Prohibited

Insufficient Technical Documentation

Abstraction: Class · Status: Incomplete

The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.

5 vulnerabilities reference this CWE, most recent first.

CVE-2026-59084 (GCVE-0-2026-59084)

Vulnerability from cvelistv5 – Published: 2026-07-14 08:24 – Updated: 2026-07-14 13:51
VLAI
Title
Apache Tomcat: EncryptInterceptor requirements not clearly documented
Summary
Insufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1059 - Insufficient Technical Documentation
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Tomcat Affected: 11.0.0-M1 , ≤ 11.0.23 (semver)
Affected: 10.1.0-M1 , ≤ 10.1.56 (semver)
Affected: 9.0.13 , ≤ 9.0.119 (semver)
Affected: 8.5.38 , ≤ 8.5.100 (semver)
Affected: 7.0.100 , ≤ 7.0.109 (semver)
Create a notification for this product.
Credits
NDIx
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-07-14T10:33:10.332Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/07/14/8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-59084",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-14T13:51:48.818351Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-14T13:51:52.489Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.23",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.56",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.119",
              "status": "affected",
              "version": "9.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.38",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.100",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "NDIx"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eInsufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\u0026nbsp;Other versions that have reached end of support may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Insufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\u00a0Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1059",
              "description": "CWE-1059 Insufficient Technical Documentation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T08:24:21.531Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/7w9746ootcxo0gvx26xjpw80l31f1qw7"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: EncryptInterceptor requirements not clearly documented",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-59084",
    "datePublished": "2026-07-14T08:24:21.531Z",
    "dateReserved": "2026-07-02T10:42:32.668Z",
    "dateUpdated": "2026-07-14T13:51:52.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-3270 (GCVE-0-2022-3270)

Vulnerability from cvelistv5 – Published: 2022-12-01 10:27 – Updated: 2025-04-24 20:05
VLAI
Title
Incomplete Documentation of remote functions in FESTO products.
Summary
In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Festo SE Bus module CPX-E-EP Affected: all
Create a notification for this product.
Festo SE Bus node CPX-FB32 Affected: all
Create a notification for this product.
Festo SE Bus node CPX-FB33 Affected: all
Create a notification for this product.
Festo SE Bus node CPX-FB36 Affected: all
Create a notification for this product.
Festo SE Bus node CPX-FB37 Affected: all
Create a notification for this product.
Festo SE Bus node CPX-FB39 Affected: all
Create a notification for this product.
Festo SE Bus node CPX-FB40 Affected: all
Create a notification for this product.
Festo SE Bus node CPX-FB43 Affected: all
Create a notification for this product.
Festo SE Bus node CPX-M-FB34 Affected: all
Create a notification for this product.
Festo SE Bus node CPX-M-FB35 Affected: all
Create a notification for this product.
Festo SE Bus node CPX-M-FB44 Affected: all
Create a notification for this product.
Festo SE Bus node CPX-M-FB45 Affected: all
Create a notification for this product.
Festo SE Bus node CTEU-EP Affected: all
Create a notification for this product.
Festo SE Bus node CTEU-PN Affected: all
Create a notification for this product.
Festo SE Bus node CTEU-PN-EX1C Affected: all
Create a notification for this product.
Festo SE Camera system CHB-C-N Affected: all
Create a notification for this product.
Festo SE Compact Vision System SBO*-C-* Affected: all
Create a notification for this product.
Festo SE Compact Vision System SBO*-M-* Affected: all
Create a notification for this product.
Festo SE Compact Vision System SBO*-Q-* Affected: all
Create a notification for this product.
Festo SE Control block CPX-CEC Affected: all
Create a notification for this product.
Festo SE Control block CPX-CEC-C1 Affected: all
Create a notification for this product.
Festo SE Control block CPX-CEC-C1-V3 Affected: all
Create a notification for this product.
Festo SE Control block CPX-CEC-M1 Affected: all
Create a notification for this product.
Festo SE Control block CPX-CEC-M1-V3 Affected: all
Create a notification for this product.
Festo SE Control block CPX-CEC-S1-V3 Affected: all
Create a notification for this product.
Festo SE Control block CPX-CMXX Affected: all
Create a notification for this product.
Festo SE Control block CPX-FEC-1-IE Affected: all
Create a notification for this product.
Festo SE Controller CECC-D Affected: all
Create a notification for this product.
Festo SE Controller CECC-D-BA Affected: all
Create a notification for this product.
Festo SE Controller CECC-LK Affected: all
Create a notification for this product.
Festo SE Controller CECC-S Affected: all
Create a notification for this product.
Festo SE Controller CECC-X-* Affected: all
Create a notification for this product.
Festo SE Controller CECX-X-C1 Affected: all
Create a notification for this product.
Festo SE Controller CECX-X-M1 Affected: all
Create a notification for this product.
Festo SE Controller CMXH-ST2-C5-7-DIOP Affected: all
Create a notification for this product.
Festo SE Controller CPX-E-CEC-* Affected: all
Create a notification for this product.
Festo SE Controller SBRD-Q Affected: all
Create a notification for this product.
Festo SE EtherNet/IP interface CPX-AP-I-EP-M12 Affected: all
Create a notification for this product.
Festo SE EtherNet/IP interface CPX-AP-I-PN-M12 Affected: all
Create a notification for this product.
Festo SE Gateway CPX-IOT Affected: all
Create a notification for this product.
Festo SE Integrated drive EMCA-EC-67-* Affected: all
Create a notification for this product.
Festo SE Motor controller CMMO-ST-C5-1-DION Affected: all
Create a notification for this product.
Festo SE Motor controller CMMO-ST-C5-1-DIOP Affected: all
Create a notification for this product.
Festo SE Motor controller CMMO-ST-C5-1-LKP Affected: all
Create a notification for this product.
Festo SE Motor controller CMMP-AS-* Affected: all
Create a notification for this product.
Festo SE Motor controller CMMT-AS-* Affected: all
Create a notification for this product.
Festo SE Operator unit CDPX-X-A-S-10 Affected: all
Create a notification for this product.
Festo SE Operator unit CDPX-X-A-W-13 Affected: all
Create a notification for this product.
Festo SE Operator unit CDPX-X-A-W-4 Affected: all
Create a notification for this product.
Festo SE Operator unit CDPX-X-A-W-7 Affected: all
Create a notification for this product.
Festo SE Planar surface gantry EXCM-* Affected: all
Create a notification for this product.
Festo SE Servo drive CMMT-ST-C8-1C-EP-S0 Affected: all
Create a notification for this product.
Festo SE Servo drive CMMT-ST-C8-1C-PN-S0 Affected: all
Create a notification for this product.
Festo SE VTEM-S1-* Affected: all
Create a notification for this product.
Festo SE Bus module CPX-E-PN Affected: all
Create a notification for this product.
Date Public
2022-11-29 12:02
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:07:06.476Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert.vde.com/en/advisories/VDE-2022-041/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-3270",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-24T20:05:18.903206Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-24T20:05:32.864Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Bus module CPX-E-EP",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-FB32",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-FB33",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-FB36",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-FB37",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-FB39",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-FB40",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-FB43",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-M-FB34",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-M-FB35",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-M-FB44",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CPX-M-FB45",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CTEU-EP",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CTEU-PN",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus node CTEU-PN-EX1C",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Camera system CHB-C-N",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Compact Vision System SBO*-C-*",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Compact Vision System SBO*-M-*",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Compact Vision System SBO*-Q-*",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Control block CPX-CEC",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Control block CPX-CEC-C1",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Control block CPX-CEC-C1-V3",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Control block CPX-CEC-M1",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Control block CPX-CEC-M1-V3",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Control block CPX-CEC-S1-V3",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Control block CPX-CMXX",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Control block CPX-CMXX",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Control block CPX-FEC-1-IE",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Controller CECC-D",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Controller CECC-D-BA",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Controller CECC-LK",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Controller CECC-S",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Controller CECC-X-*",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Controller CECX-X-C1",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Controller CECX-X-M1",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Controller CMXH-ST2-C5-7-DIOP",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Controller CPX-E-CEC-*",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Controller SBRD-Q",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "EtherNet/IP interface CPX-AP-I-EP-M12",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "EtherNet/IP interface CPX-AP-I-PN-M12",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Gateway CPX-IOT",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Integrated drive EMCA-EC-67-*",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Motor controller CMMO-ST-C5-1-DION",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Motor controller CMMO-ST-C5-1-DIOP",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Motor controller CMMO-ST-C5-1-LKP",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Motor controller CMMP-AS-*",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Motor controller CMMT-AS-*",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Operator unit CDPX-X-A-S-10",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Operator unit CDPX-X-A-W-13",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Operator unit CDPX-X-A-W-4",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Operator unit CDPX-X-A-W-7",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Planar surface gantry EXCM-*",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Servo drive CMMT-ST-C8-1C-EP-S0",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Servo drive CMMT-ST-C8-1C-PN-S0",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "VTEM-S1-*",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Bus module CPX-E-PN",
          "vendor": "Festo SE",
          "versions": [
            {
              "status": "affected",
              "version": "all"
            }
          ]
        }
      ],
      "datePublic": "2022-11-29T12:02:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In multiple products by Festo a remote unauthenticated attacker could use functions of an\u0026nbsp;undocumented  protocol which could lead to a complete loss of confidentiality, integrity and availability.\u003cbr\u003e"
            }
          ],
          "value": "In multiple products by Festo a remote unauthenticated attacker could use functions of an\u00a0undocumented  protocol which could lead to a complete loss of confidentiality, integrity and availability.\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-166",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-166 Force the System to Reset Values"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1059",
              "description": "CWE-1059  Incomplete Documentation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-13T09:12:44.661Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://cert.vde.com/en/advisories/VDE-2022-041/"
        }
      ],
      "source": {
        "advisory": "VDE-2022-041",
        "defect": [
          "CERT@VDE#64162"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Incomplete Documentation of remote functions in FESTO products.",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2022-3270",
    "datePublished": "2022-12-01T10:27:52.434Z",
    "dateReserved": "2022-09-22T08:52:13.296Z",
    "dateUpdated": "2025-04-24T20:05:32.864Z",
    "requesterUserId": "a1e5283b-8f0d-401e-98b2-bc6219c0e8d1",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2MXR-P26X-MJ73

Vulnerability from github – Published: 2026-06-10 13:38 – Updated: 2026-06-10 13:38
VLAI
Summary
@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened
Details

Affected: @hulumi/baseline < 1.4.0Fixed in: 1.4.0Severity: High — CWE-1059 (Insufficient Technical Documentation / Behavioral Inconsistency)

Summary

The S3 bucket that AccountFoundation creates to receive CloudTrail and AWS Config audit logs is meant to be tamper-resistant — if someone with delete access can erase from it, the forensic trail is gone. There were three independent ways the protection could be silently weakened:

  1. No Write-Once-Read-Many on the startup-hardened audit bucket. The startup-hardened tier hard-coded objectLock: false on the audit bucket. (The reason was real — bucket-wide Object Lock blocks an AWS Config write-then-delete probe — but the fix was a sledgehammer that disabled WORM for all objects, not just the probe key.)
  2. forceDestroy was forwarded to the audit bucket. Nothing prevented a downstream stack from setting logBucketForceDestroy: true, which made pulumi destroy purge every audit-log object on teardown.
  3. Sandbox tier dropped everything. Sandbox-tier AccountFoundation created its audit bucket with tier: "sandbox", which skipped Object Lock, server access logging, AND the CloudTrail-Lake EventDataStore (the independent immutable mirror) — leaving sandbox accounts with no audit immutability at all.

Impact

Consumers using AccountFoundation could ship an AWS account whose CloudTrail / Config audit logs were deletable by any S3-delete-capable principal — while believing the startup-hardened tier guaranteed tamper-resistance. Sandbox-tier deployments had no audit immutability at all (defects 1 and 3 compounded).

Patches

Upgrade to @hulumi/baseline@1.4.0. A single invariant in SecureBucket now fires whenever the bucket actually backs CloudTrail/Config delivery (i.e. awsServiceLogDelivery.cloudTrail === true || .config === true):

  • refuses forceDestroy: true on the startup-hardened tier;
  • emits the CloudTrail-Lake EventDataStore regardless of parent tier (so sandbox accounts regain immutable audit capture);
  • adds a deny-s3:DeleteObject* bucket-policy statement scoped to the CloudTrail and Config history/snapshot prefixes (a retention floor on the audit objects). The deny excludes the AWS Config ConfigWritabilityCheckFile probe key so Config's write-then-delete still works, which is why bucket-wide Object Lock is intentionally NOT re-enabled.

Workarounds

Replicating audit logs out-of-account to an Object-Locked archive bucket partially mitigates while you upgrade.

Resources

  • PR #178 (Cluster C); see CHANGELOG ### Migration for the forceDestroy behaviour change.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@hulumi/baseline"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1059"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-10T13:38:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "**Affected:** `@hulumi/baseline` `\u003c 1.4.0` \u2014 **Fixed in:** `1.4.0` \u2014 **Severity:** High \u2014 **CWE-1059 (Insufficient Technical Documentation / Behavioral Inconsistency)**\n\n#### Summary\n\nThe S3 bucket that `AccountFoundation` creates to receive CloudTrail and AWS Config audit logs is meant to be tamper-resistant \u2014 if someone with delete access can erase from it, the forensic trail is gone. There were three independent ways the protection could be silently weakened:\n\n1. **No Write-Once-Read-Many on the startup-hardened audit bucket.** The startup-hardened tier hard-coded `objectLock: false` on the audit bucket. (The reason was real \u2014 bucket-wide Object Lock blocks an AWS Config write-then-delete probe \u2014 but the fix was a sledgehammer that disabled WORM for all objects, not just the probe key.)\n2. **`forceDestroy` was forwarded to the audit bucket.** Nothing prevented a downstream stack from setting `logBucketForceDestroy: true`, which made `pulumi destroy` purge every audit-log object on teardown.\n3. **Sandbox tier dropped everything.** Sandbox-tier `AccountFoundation` created its audit bucket with `tier: \"sandbox\"`, which skipped Object Lock, server access logging, AND the CloudTrail-Lake `EventDataStore` (the independent immutable mirror) \u2014 leaving sandbox accounts with no audit immutability at all.\n\n#### Impact\n\nConsumers using `AccountFoundation` could ship an AWS account whose CloudTrail / Config audit logs were deletable by any S3-delete-capable principal \u2014 while believing the startup-hardened tier guaranteed tamper-resistance. Sandbox-tier deployments had no audit immutability at all (defects 1 and 3 compounded).\n\n#### Patches\n\nUpgrade to `@hulumi/baseline@1.4.0`. A single invariant in `SecureBucket` now fires whenever the bucket actually backs CloudTrail/Config delivery (i.e. `awsServiceLogDelivery.cloudTrail === true || .config === true`):\n\n- refuses `forceDestroy: true` on the startup-hardened tier;\n- emits the CloudTrail-Lake `EventDataStore` regardless of parent tier (so sandbox accounts regain immutable audit capture);\n- adds a deny-`s3:DeleteObject*` bucket-policy statement scoped to the CloudTrail and Config history/snapshot prefixes (a retention floor on the audit objects). The deny excludes the AWS Config `ConfigWritabilityCheckFile` probe key so Config\u0027s write-then-delete still works, which is why bucket-wide Object Lock is intentionally NOT re-enabled.\n\n#### Workarounds\n\nReplicating audit logs out-of-account to an Object-Locked archive bucket partially mitigates while you upgrade.\n\n#### Resources\n\n- [PR #178](https://github.com/kerberosmansour/hulumi/pull/178) (Cluster C); see CHANGELOG `### Migration` for the `forceDestroy` behaviour change.",
  "id": "GHSA-2mxr-p26x-mj73",
  "modified": "2026-06-10T13:38:37Z",
  "published": "2026-06-10T13:38:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kerberosmansour/hulumi/security/advisories/GHSA-2mxr-p26x-mj73"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kerberosmansour/hulumi/pull/178"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kerberosmansour/hulumi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened"
}

GHSA-CWXF-7CW2-7R32

Vulnerability from github – Published: 2026-07-14 09:31 – Updated: 2026-07-14 15:32
VLAI
Details

Insufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-59084"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1059"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T09:16:41Z",
    "severity": "CRITICAL"
  },
  "details": "Insufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\u00a0Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue.",
  "id": "GHSA-cwxf-7cw2-7r32",
  "modified": "2026-07-14T15:32:15Z",
  "published": "2026-07-14T09:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59084"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/7w9746ootcxo0gvx26xjpw80l31f1qw7"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/14/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V7VR-MF26-79CM

Vulnerability from github – Published: 2022-12-01 12:30 – Updated: 2022-12-01 12:30
VLAI
Details

In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1059"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-01T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.",
  "id": "GHSA-v7vr-mf26-79cm",
  "modified": "2022-12-01T12:30:25Z",
  "published": "2022-12-01T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3270"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2022-041"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Documentation Architecture and Design

Ensure that design documentation is detailed enough to allow for post-manufacturing verification.

No CAPEC attack patterns related to this CWE.