CWE-1284
AllowedImproper Validation of Specified Quantity in Input
Abstraction: Base · Status: Incomplete
The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
494 vulnerabilities reference this CWE, most recent first.
GHSA-9WFW-3RHC-XC4G
Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2023-06-26 21:30A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). Affected application contains a stack based buffer overflow vulnerability while parsing NEU files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-15085, ZDI-CAN-15289, ZDI-CAN-15602)
{
"affected": [],
"aliases": [
"CVE-2021-46158"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-1284",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T16:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Simcenter Femap V2020.2 (All versions), Simcenter Femap V2021.1 (All versions). Affected application contains a stack based buffer overflow vulnerability while parsing NEU files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-15085, ZDI-CAN-15289, ZDI-CAN-15602)",
"id": "GHSA-9wfw-3rhc-xc4g",
"modified": "2023-06-26T21:30:56Z",
"published": "2022-02-10T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46158"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-311"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-312"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-313"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9XP2-WMW3-FM7W
Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted payloads on certain API endpoints.
{
"affected": [],
"aliases": [
"CVE-2025-14869"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T06:16:20Z",
"severity": "HIGH"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted payloads on certain API endpoints.",
"id": "GHSA-9xp2-wmw3-fm7w",
"modified": "2026-05-14T06:31:32Z",
"published": "2026-05-14T06:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14869"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3447146"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/584489"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C29M-QCCV-C9P6
Vulnerability from github – Published: 2022-12-13 18:30 – Updated: 2023-01-10 12:30A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V3.0.1), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions < V4.6.0), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions < V3.0.1), SIMATIC S7-1500 Software Controller (All versions), SIMATIC S7-PLCSIM Advanced (All versions < V5.0), SIPLUS TIM 1531 IRC (All versions), TIM 1531 IRC (All versions). Affected devices don't process correctly certain special crafted packets sent to port 102/tcp, which could allow an attacker to cause a denial-of-service in the device.
{
"affected": [],
"aliases": [
"CVE-2021-44693"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-13T16:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC Drive Controller family (All versions \u003c V3.0.1), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions \u003c V4.6.0), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions \u003c V3.0.1), SIMATIC S7-1500 Software Controller (All versions), SIMATIC S7-PLCSIM Advanced (All versions \u003c V5.0), SIPLUS TIM 1531 IRC (All versions), TIM 1531 IRC (All versions). Affected devices don\u0027t process correctly certain special crafted packets sent to port 102/tcp, which could allow an attacker to cause a denial-of-service in the device.",
"id": "GHSA-c29m-qccv-c9p6",
"modified": "2023-01-10T12:30:25Z",
"published": "2022-12-13T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44693"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-382653.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C2QQ-PCR6-27VG
Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2025-01-07 21:30An issue in the 690b33e1-0462-4e84-9bea-c7552b45432a.sys component of Asus GPU Tweak II Program Driver v1.0.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests.
{
"affected": [],
"aliases": [
"CVE-2024-55410"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T18:15:20Z",
"severity": "HIGH"
},
"details": "An issue in the 690b33e1-0462-4e84-9bea-c7552b45432a.sys component of Asus GPU Tweak II Program Driver v1.0.0.0 allows attackers to perform arbitrary read and write actions via supplying crafted IOCTL requests.",
"id": "GHSA-c2qq-pcr6-27vg",
"modified": "2025-01-07T21:30:55Z",
"published": "2025-01-07T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55410"
},
{
"type": "WEB",
"url": "https://github.com/heyheysky/vulnerable-driver/blob/master/CVE-2024-55410/CVE-2024-55410_690b33e1-0462-4e84-9bea-c7552b45432a.sys_README.md"
},
{
"type": "WEB",
"url": "http://asus.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C37P-8677-9FJP
Vulnerability from github – Published: 2025-03-26 15:32 – Updated: 2025-03-26 15:32A code execution vulnerability exists in the Xiaomi Game center application product. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code.
{
"affected": [],
"aliases": [
"CVE-2024-45351"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-26T14:15:31Z",
"severity": "HIGH"
},
"details": "A code execution vulnerability exists in the Xiaomi Game center application product. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code.",
"id": "GHSA-c37p-8677-9fjp",
"modified": "2025-03-26T15:32:39Z",
"published": "2025-03-26T15:32:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45351"
},
{
"type": "WEB",
"url": "https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=549"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C43M-486J-J32P
Vulnerability from github – Published: 2022-09-29 00:00 – Updated: 2025-11-04 18:30In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.
{
"affected": [],
"aliases": [
"CVE-2022-31629"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-28T23:15:00Z",
"severity": "MODERATE"
},
"details": "In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim\u0027s browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.",
"id": "GHSA-c43m-486j-j32p",
"modified": "2025-11-04T18:30:39Z",
"published": "2022-09-29T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31629"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5277"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221209-0001"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202211-03"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00030.html"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=81727"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/12/11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C43R-48JX-GXV5
Vulnerability from github – Published: 2026-01-31 00:30 – Updated: 2026-01-31 00:30IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.
{
"affected": [],
"aliases": [
"CVE-2025-36427"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-30T22:15:55Z",
"severity": "MODERATE"
},
"details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic.",
"id": "GHSA-c43r-48jx-gxv5",
"modified": "2026-01-31T00:30:28Z",
"published": "2026-01-31T00:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36427"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7257696"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C5C5-RWC6-67M5
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-03 21:30For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable.
{
"affected": [],
"aliases": [
"CVE-2021-28510"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-26T21:15:00Z",
"severity": "HIGH"
},
"details": "For certain systems running EOS, a Precision Time Protocol (PTP) packet of a management/signaling message with an invalid Type-Length-Value (TLV) causes the PTP agent to restart. Repeated restarts of the service will make the service unavailable.",
"id": "GHSA-c5c5-rwc6-67m5",
"modified": "2023-02-03T21:30:29Z",
"published": "2023-01-26T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28510"
},
{
"type": "WEB",
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/15439-security-advisory-0076"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C9Q4-2W45-HJCR
Vulnerability from github – Published: 2023-02-09 18:30 – Updated: 2025-03-25 15:31The geofencing kernel code does not verify the length of the input data. Successful exploitation of this vulnerability may cause out-of-bounds memory access.
{
"affected": [],
"aliases": [
"CVE-2022-48298"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T17:15:00Z",
"severity": "HIGH"
},
"details": "The geofencing kernel code does not verify the length of the input data. Successful exploitation of this vulnerability may cause out-of-bounds memory access.",
"id": "GHSA-c9q4-2w45-hjcr",
"modified": "2025-03-25T15:31:13Z",
"published": "2023-02-09T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48298"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2023/2"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202302-0000001454769474"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CCR7-R78X-7JPQ
Vulnerability from github – Published: 2026-05-15 03:30 – Updated: 2026-05-15 03:30Insufficient parameter sanitization in TEE SOC Driver could allow an attacker to issue a malformed DRV_SOC_CMD_ID_SRIOV_COPY_VF_CHIPLET_REGS to write invalid data to a remote Die, potentially resulting in unexpected behavior.
{
"affected": [],
"aliases": [
"CVE-2026-0428"
],
"database_specific": {
"cwe_ids": [
"CWE-1284"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-15T03:16:23Z",
"severity": "LOW"
},
"details": "Insufficient parameter sanitization in TEE SOC Driver could allow an attacker to issue a malformed DRV_SOC_CMD_ID_SRIOV_COPY_VF_CHIPLET_REGS to write invalid data to a remote Die, potentially resulting in unexpected behavior.",
"id": "GHSA-ccr7-r78x-7jpq",
"modified": "2026-05-15T03:30:37Z",
"published": "2026-05-15T03:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0428"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
No CAPEC attack patterns related to this CWE.