CWE-1116
AllowedInaccurate Source Code Comments
Abstraction: Base · Status: Incomplete
The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.
4 vulnerabilities reference this CWE, most recent first.
CVE-2025-47271 (GCVE-0-2025-47271)
Vulnerability from cvelistv5 – Published: 2025-05-12 10:52 – Updated: 2025-05-12 12:12| URL | Tags |
|---|---|
| https://github.com/OZI-Project/publish/security/a… | x_refsource_CONFIRM |
| https://github.com/OZI-Project/publish/commit/abd… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| OZI-Project | publish |
Affected:
>= 1.13.2, < 1.13.6
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47271",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-12T12:10:34.546853Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T12:12:40.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "publish",
"vendor": "OZI-Project",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.13.2, \u003c 1.13.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1116",
"description": "CWE-1116: Inaccurate Comments",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-12T10:52:26.916Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9"
},
{
"name": "https://github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5c"
}
],
"source": {
"advisory": "GHSA-2487-9f55-2vg9",
"discovery": "UNKNOWN"
},
"title": "OZI-Project/ozi-publish Code Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47271",
"datePublished": "2025-05-12T10:52:26.916Z",
"dateReserved": "2025-05-05T16:53:10.372Z",
"dateUpdated": "2025-05-12T12:12:40.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2487-9F55-2VG9
Vulnerability from github – Published: 2025-05-12 19:58 – Updated: 2025-05-12 19:58Impact
Potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code.
Patches
This is patched in 1.13.6
Workarounds
Downgrade to <1.13.2
References
{
"affected": [
{
"package": {
"ecosystem": "GitHub Actions",
"name": "OZI-Project/publish"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.2"
},
{
"fixed": "1.13.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47271"
],
"database_specific": {
"cwe_ids": [
"CWE-1116",
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-12T19:58:07Z",
"nvd_published_at": "2025-05-12T11:15:51Z",
"severity": "MODERATE"
},
"details": "### Impact\nPotentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code.\n\n### Patches\nThis is patched in 1.13.6\n\n### Workarounds\nDowngrade to \u003c1.13.2\n\n### References\n\n* [Understanding the Risk of Script Injections](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)",
"id": "GHSA-2487-9f55-2vg9",
"modified": "2025-05-12T19:58:07Z",
"published": "2025-05-12T19:58:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OZI-Project/publish/security/advisories/GHSA-2487-9f55-2vg9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47271"
},
{
"type": "WEB",
"url": "https://github.com/OZI-Project/publish/commit/abd8524ec69800890529846b3ccfb09ce7c10b5c"
},
{
"type": "PACKAGE",
"url": "https://github.com/OZI-Project/publish"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "OZI-Project/ozi-publish Code Injection vulnerability"
}
GHSA-JWXQ-F9VM-725G
Vulnerability from github – Published: 2023-02-21 00:30 – Updated: 2025-03-18 18:30An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
{
"affected": [],
"aliases": [
"CVE-2022-48339"
],
"database_specific": {
"cwe_ids": [
"CWE-1116",
"CWE-116",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-20T23:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.",
"id": "GHSA-jwxq-f9vm-725g",
"modified": "2025-03-18T18:30:37Z",
"published": "2023-02-21T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48339"
},
{
"type": "WEB",
"url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5360"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V82W-4932-72HF
Vulnerability from github – Published: 2023-03-30 18:30 – Updated: 2025-02-18 18:33PDFZorro PDFZorro Online r20220428 using TCPDF 6.2.5, despite having workflows claiming to correctly remove redacted information from a supplied PDF file, does not properly sanitize this information in all cases, causing redacted information, including images and text embedded in the PDF file, to be leaked unintentionally. In cases where PDF text objects are present it is possible to copy-paste redacted information into the system clipboard. Once a document is "locked" and marked for redaction once, all redactions performed after this feature is triggered are vulnerable.
{
"affected": [],
"aliases": [
"CVE-2022-30351"
],
"database_specific": {
"cwe_ids": [
"CWE-1116",
"CWE-116"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-30T16:15:00Z",
"severity": "HIGH"
},
"details": "PDFZorro PDFZorro Online r20220428 using TCPDF 6.2.5, despite having workflows claiming to correctly remove redacted information from a supplied PDF file, does not properly sanitize this information in all cases, causing redacted information, including images and text embedded in the PDF file, to be leaked unintentionally. In cases where PDF text objects are present it is possible to copy-paste redacted information into the system clipboard. Once a document is \"locked\" and marked for redaction once, all redactions performed after this feature is triggered are vulnerable.",
"id": "GHSA-v82w-4932-72hf",
"modified": "2025-02-18T18:33:02Z",
"published": "2023-03-30T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30351"
},
{
"type": "WEB",
"url": "https://arxiv.org/pdf/2206.02285.pdf"
},
{
"type": "WEB",
"url": "https://www.pdfzorro.com/pdf-edit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Verify that each comment accurately reflects what is intended to happen during execution of the code.
No CAPEC attack patterns related to this CWE.