CWE-1059
ProhibitedInsufficient Technical Documentation
Abstraction: Class · Status: Incomplete
The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.
5 vulnerabilities reference this CWE, most recent first.
CVE-2026-59084 (GCVE-0-2026-59084)
Vulnerability from cvelistv5 – Published: 2026-07-14 08:24 – Updated: 2026-07-14 13:51- CWE-1059 - Insufficient Technical Documentation
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Tomcat |
Affected:
11.0.0-M1 , ≤ 11.0.23
(semver)
Affected: 10.1.0-M1 , ≤ 10.1.56 (semver) Affected: 9.0.13 , ≤ 9.0.119 (semver) Affected: 8.5.38 , ≤ 8.5.100 (semver) Affected: 7.0.100 , ≤ 7.0.109 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-14T10:33:10.332Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/14/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-59084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T13:51:48.818351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T13:51:52.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Tomcat",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "11.0.23",
"status": "affected",
"version": "11.0.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.1.56",
"status": "affected",
"version": "10.1.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.119",
"status": "affected",
"version": "9.0.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.5.100",
"status": "affected",
"version": "8.5.38",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.109",
"status": "affected",
"version": "7.0.100",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "NDIx"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInsufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\u0026nbsp;Other versions that have reached end of support may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue.\u003c/p\u003e"
}
],
"value": "Insufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\u00a0Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1059",
"description": "CWE-1059 Insufficient Technical Documentation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T08:24:21.531Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/7w9746ootcxo0gvx26xjpw80l31f1qw7"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Tomcat: EncryptInterceptor requirements not clearly documented",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-59084",
"datePublished": "2026-07-14T08:24:21.531Z",
"dateReserved": "2026-07-02T10:42:32.668Z",
"dateUpdated": "2026-07-14T13:51:52.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-3270 (GCVE-0-2022-3270)
Vulnerability from cvelistv5 – Published: 2022-12-01 10:27 – Updated: 2025-04-24 20:05- CWE-1059 - Incomplete Documentation
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.476Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert.vde.com/en/advisories/VDE-2022-041/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-24T20:05:18.903206Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-24T20:05:32.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Bus module CPX-E-EP",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-FB32",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-FB33",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-FB36",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-FB37",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-FB39",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-FB40",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-FB43",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-M-FB34",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-M-FB35",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-M-FB44",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CPX-M-FB45",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CTEU-EP",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CTEU-PN",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus node CTEU-PN-EX1C",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Camera system CHB-C-N",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Compact Vision System SBO*-C-*",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Compact Vision System SBO*-M-*",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Compact Vision System SBO*-Q-*",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Control block CPX-CEC",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Control block CPX-CEC-C1",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Control block CPX-CEC-C1-V3",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Control block CPX-CEC-M1",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Control block CPX-CEC-M1-V3",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Control block CPX-CEC-S1-V3",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Control block CPX-CMXX",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Control block CPX-CMXX",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Control block CPX-FEC-1-IE",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Controller CECC-D",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Controller CECC-D-BA",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Controller CECC-LK",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Controller CECC-S",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Controller CECC-X-*",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Controller CECX-X-C1",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Controller CECX-X-M1",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Controller CMXH-ST2-C5-7-DIOP",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Controller CPX-E-CEC-*",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Controller SBRD-Q",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "EtherNet/IP interface CPX-AP-I-EP-M12",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "EtherNet/IP interface CPX-AP-I-PN-M12",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Gateway CPX-IOT",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Integrated drive EMCA-EC-67-*",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Motor controller CMMO-ST-C5-1-DION",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Motor controller CMMO-ST-C5-1-DIOP",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Motor controller CMMO-ST-C5-1-LKP",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Motor controller CMMP-AS-*",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Motor controller CMMT-AS-*",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Operator unit CDPX-X-A-S-10",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Operator unit CDPX-X-A-W-13",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Operator unit CDPX-X-A-W-4",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Operator unit CDPX-X-A-W-7",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Planar surface gantry EXCM-*",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Servo drive CMMT-ST-C8-1C-EP-S0",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Servo drive CMMT-ST-C8-1C-PN-S0",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "VTEM-S1-*",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
},
{
"defaultStatus": "affected",
"product": "Bus module CPX-E-PN",
"vendor": "Festo SE",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"datePublic": "2022-11-29T12:02:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In multiple products by Festo a remote unauthenticated attacker could use functions of an\u0026nbsp;undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.\u003cbr\u003e"
}
],
"value": "In multiple products by Festo a remote unauthenticated attacker could use functions of an\u00a0undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-166",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-166 Force the System to Reset Values"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1059",
"description": "CWE-1059 Incomplete Documentation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T09:12:44.661Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://cert.vde.com/en/advisories/VDE-2022-041/"
}
],
"source": {
"advisory": "VDE-2022-041",
"defect": [
"CERT@VDE#64162"
],
"discovery": "EXTERNAL"
},
"title": "Incomplete Documentation of remote functions in FESTO products.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2022-3270",
"datePublished": "2022-12-01T10:27:52.434Z",
"dateReserved": "2022-09-22T08:52:13.296Z",
"dateUpdated": "2025-04-24T20:05:32.864Z",
"requesterUserId": "a1e5283b-8f0d-401e-98b2-bc6219c0e8d1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2MXR-P26X-MJ73
Vulnerability from github – Published: 2026-06-10 13:38 – Updated: 2026-06-10 13:38Affected: @hulumi/baseline < 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-1059 (Insufficient Technical Documentation / Behavioral Inconsistency)
Summary
The S3 bucket that AccountFoundation creates to receive CloudTrail and AWS Config audit logs is meant to be tamper-resistant — if someone with delete access can erase from it, the forensic trail is gone. There were three independent ways the protection could be silently weakened:
- No Write-Once-Read-Many on the startup-hardened audit bucket. The startup-hardened tier hard-coded
objectLock: falseon the audit bucket. (The reason was real — bucket-wide Object Lock blocks an AWS Config write-then-delete probe — but the fix was a sledgehammer that disabled WORM for all objects, not just the probe key.) forceDestroywas forwarded to the audit bucket. Nothing prevented a downstream stack from settinglogBucketForceDestroy: true, which madepulumi destroypurge every audit-log object on teardown.- Sandbox tier dropped everything. Sandbox-tier
AccountFoundationcreated its audit bucket withtier: "sandbox", which skipped Object Lock, server access logging, AND the CloudTrail-LakeEventDataStore(the independent immutable mirror) — leaving sandbox accounts with no audit immutability at all.
Impact
Consumers using AccountFoundation could ship an AWS account whose CloudTrail / Config audit logs were deletable by any S3-delete-capable principal — while believing the startup-hardened tier guaranteed tamper-resistance. Sandbox-tier deployments had no audit immutability at all (defects 1 and 3 compounded).
Patches
Upgrade to @hulumi/baseline@1.4.0. A single invariant in SecureBucket now fires whenever the bucket actually backs CloudTrail/Config delivery (i.e. awsServiceLogDelivery.cloudTrail === true || .config === true):
- refuses
forceDestroy: trueon the startup-hardened tier; - emits the CloudTrail-Lake
EventDataStoreregardless of parent tier (so sandbox accounts regain immutable audit capture); - adds a deny-
s3:DeleteObject*bucket-policy statement scoped to the CloudTrail and Config history/snapshot prefixes (a retention floor on the audit objects). The deny excludes the AWS ConfigConfigWritabilityCheckFileprobe key so Config's write-then-delete still works, which is why bucket-wide Object Lock is intentionally NOT re-enabled.
Workarounds
Replicating audit logs out-of-account to an Object-Locked archive bucket partially mitigates while you upgrade.
Resources
- PR #178 (Cluster C); see CHANGELOG
### Migrationfor theforceDestroybehaviour change.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@hulumi/baseline"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48035"
],
"database_specific": {
"cwe_ids": [
"CWE-1059"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-10T13:38:37Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "**Affected:** `@hulumi/baseline` `\u003c 1.4.0` \u2014 **Fixed in:** `1.4.0` \u2014 **Severity:** High \u2014 **CWE-1059 (Insufficient Technical Documentation / Behavioral Inconsistency)**\n\n#### Summary\n\nThe S3 bucket that `AccountFoundation` creates to receive CloudTrail and AWS Config audit logs is meant to be tamper-resistant \u2014 if someone with delete access can erase from it, the forensic trail is gone. There were three independent ways the protection could be silently weakened:\n\n1. **No Write-Once-Read-Many on the startup-hardened audit bucket.** The startup-hardened tier hard-coded `objectLock: false` on the audit bucket. (The reason was real \u2014 bucket-wide Object Lock blocks an AWS Config write-then-delete probe \u2014 but the fix was a sledgehammer that disabled WORM for all objects, not just the probe key.)\n2. **`forceDestroy` was forwarded to the audit bucket.** Nothing prevented a downstream stack from setting `logBucketForceDestroy: true`, which made `pulumi destroy` purge every audit-log object on teardown.\n3. **Sandbox tier dropped everything.** Sandbox-tier `AccountFoundation` created its audit bucket with `tier: \"sandbox\"`, which skipped Object Lock, server access logging, AND the CloudTrail-Lake `EventDataStore` (the independent immutable mirror) \u2014 leaving sandbox accounts with no audit immutability at all.\n\n#### Impact\n\nConsumers using `AccountFoundation` could ship an AWS account whose CloudTrail / Config audit logs were deletable by any S3-delete-capable principal \u2014 while believing the startup-hardened tier guaranteed tamper-resistance. Sandbox-tier deployments had no audit immutability at all (defects 1 and 3 compounded).\n\n#### Patches\n\nUpgrade to `@hulumi/baseline@1.4.0`. A single invariant in `SecureBucket` now fires whenever the bucket actually backs CloudTrail/Config delivery (i.e. `awsServiceLogDelivery.cloudTrail === true || .config === true`):\n\n- refuses `forceDestroy: true` on the startup-hardened tier;\n- emits the CloudTrail-Lake `EventDataStore` regardless of parent tier (so sandbox accounts regain immutable audit capture);\n- adds a deny-`s3:DeleteObject*` bucket-policy statement scoped to the CloudTrail and Config history/snapshot prefixes (a retention floor on the audit objects). The deny excludes the AWS Config `ConfigWritabilityCheckFile` probe key so Config\u0027s write-then-delete still works, which is why bucket-wide Object Lock is intentionally NOT re-enabled.\n\n#### Workarounds\n\nReplicating audit logs out-of-account to an Object-Locked archive bucket partially mitigates while you upgrade.\n\n#### Resources\n\n- [PR #178](https://github.com/kerberosmansour/hulumi/pull/178) (Cluster C); see CHANGELOG `### Migration` for the `forceDestroy` behaviour change.",
"id": "GHSA-2mxr-p26x-mj73",
"modified": "2026-06-10T13:38:37Z",
"published": "2026-06-10T13:38:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kerberosmansour/hulumi/security/advisories/GHSA-2mxr-p26x-mj73"
},
{
"type": "WEB",
"url": "https://github.com/kerberosmansour/hulumi/pull/178"
},
{
"type": "PACKAGE",
"url": "https://github.com/kerberosmansour/hulumi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened"
}
GHSA-CWXF-7CW2-7R32
Vulnerability from github – Published: 2026-07-14 09:31 – Updated: 2026-07-14 15:32Insufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue.
{
"affected": [],
"aliases": [
"CVE-2026-59084"
],
"database_specific": {
"cwe_ids": [
"CWE-1059"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T09:16:41Z",
"severity": "CRITICAL"
},
"details": "Insufficient Technical Documentation vulnerability in Apache Tomcat since the requirements to securely configure the EncryptInterceptor were not clearly documented.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.13 through 9.0.119, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\u00a0Other versions that have reached end of support may also be affected.\n\nUsers are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120 which fix the issue.",
"id": "GHSA-cwxf-7cw2-7r32",
"modified": "2026-07-14T15:32:15Z",
"published": "2026-07-14T09:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59084"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/7w9746ootcxo0gvx26xjpw80l31f1qw7"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/14/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V7VR-MF26-79CM
Vulnerability from github – Published: 2022-12-01 12:30 – Updated: 2022-12-01 12:30In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.
{
"affected": [],
"aliases": [
"CVE-2022-3270"
],
"database_specific": {
"cwe_ids": [
"CWE-1059"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-01T11:15:00Z",
"severity": "CRITICAL"
},
"details": "In multiple products by Festo a remote unauthenticated attacker could use functions of an undocumented protocol which could lead to a complete loss of confidentiality, integrity and availability.",
"id": "GHSA-v7vr-mf26-79cm",
"modified": "2022-12-01T12:30:25Z",
"published": "2022-12-01T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3270"
},
{
"type": "WEB",
"url": "https://cert.vde.com/en/advisories/VDE-2022-041"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that design documentation is detailed enough to allow for post-manufacturing verification.
No CAPEC attack patterns related to this CWE.