Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

499 vulnerabilities reference this CWE, most recent first.

GHSA-XFPX-QRR3-2GMV

Vulnerability from github – Published: 2022-05-17 02:43 – Updated: 2022-05-17 02:43
VLAI
Details

CloudView NMS before 2.10a has a format string issue exploitable over SNMP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-10T03:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "CloudView NMS before 2.10a has a format string issue exploitable over SNMP.",
  "id": "GHSA-xfpx-qrr3-2gmv",
  "modified": "2022-05-17T02:43:09Z",
  "published": "2022-05-17T02:43:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5074"
    },
    {
      "type": "WEB",
      "url": "https://community.rapid7.com/community/infosec/blog/2016/09/07/multiple-disclosures-for-multiple-network-management-systems-part-2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98723"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XGJ6-PGRM-X4R2

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-01-26 22:31
VLAI
Summary
gtk2 vulnerable to Use of Externally-Controlled Format String
Details

Format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "gtk2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2007-6183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:18Z",
    "nvd_published_at": "2007-11-30T00:46:00Z",
    "severity": "MODERATE"
  },
  "details": "Format string vulnerability in the `mdiag_initialize` function in `gtk/src/rbgtkmessagedialog.c` in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.",
  "id": "GHSA-xgj6-pgrm-x4r2",
  "modified": "2023-01-26T22:31:40Z",
  "published": "2017-10-24T18:33:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-6183"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=402871"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/38757"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228174159/http://www.securityfocus.com/bid/26616"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201207224244/https://www.securityfocus.com/archive/1/484240/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00214.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2007-December/msg00251.html"
    },
    {
      "type": "WEB",
      "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=453689"
    },
    {
      "type": "WEB",
      "url": "http://bugs.gentoo.org/show_bug.cgi?id=200623"
    },
    {
      "type": "WEB",
      "url": "http://em386.blogspot.com/2007/11/your-favorite-better-than-c-scripting.html"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200712-09.xml"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/3407"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2007/dsa-1431"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2008:033/?name=MDVSA-2008:033"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "gtk2 vulnerable to Use of Externally-Controlled Format String"
}

GHSA-XH6G-PRC3-64GX

Vulnerability from github – Published: 2022-05-01 06:59 – Updated: 2025-04-03 04:33
VLAI
Details

Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-2453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-05-28T10:06:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple unspecified format string vulnerabilities in Dia have unspecified impact and attack vectors, a different set of issues than CVE-2006-2480.",
  "id": "GHSA-xh6g-prc3-64gx",
  "modified": "2025-04-03T04:33:15Z",
  "published": "2022-05-01T06:59:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-2453"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=192830"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11600"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/286-1"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/20254"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/20339"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/20422"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/20457"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/20513"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1016203"
    },
    {
      "type": "WEB",
      "url": "http://www.gentoo.org/security/en/glsa/glsa-200606-03.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2006:093"
    },
    {
      "type": "WEB",
      "url": "http://www.novell.com/linux/security/advisories/2006-06-02.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/archives/fedora-package-announce/2006-May/msg00119.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/archives/fedora-security-list/2006-May/msg00099.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2006-0541.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/18166"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XH7P-83H3-2GRW

Vulnerability from github – Published: 2022-05-01 17:41 – Updated: 2022-05-01 17:41
VLAI
Details

Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-0017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-01-03T02:28:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.",
  "id": "GHSA-xh7p-83h3-2grw",
  "modified": "2022-05-01T17:41:21Z",
  "published": "2022-05-01T17:41:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-0017"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31226"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14313"
    },
    {
      "type": "WEB",
      "url": "http://applefun.blogspot.com/2007/01/moab-02-01-2007-vlc-media-player-udp.html"
    },
    {
      "type": "WEB",
      "url": "http://landonf.bikemonkey.org/code/macosx/MOAB_Day_2.20070103045559.6753.timor.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/31163"
    },
    {
      "type": "WEB",
      "url": "http://projects.info-pull.com/moab/MOAB-02-01-2007.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/23592"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/23829"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/23910"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/23971"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200701-24.xml"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1017464"
    },
    {
      "type": "WEB",
      "url": "http://trac.videolan.org/vlc/changeset/18481"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2007/dsa-1252"
    },
    {
      "type": "WEB",
      "url": "http://www.novell.com/linux/security/advisories/2007_13_xine.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/21852"
    },
    {
      "type": "WEB",
      "url": "http://www.via.ecp.fr/via/ml/vlc-devel/2007-01/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "http://www.videolan.org/patches/vlc-0.8.6-MOAB-02-01-2007.patch"
    },
    {
      "type": "WEB",
      "url": "http://www.videolan.org/sa0701.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/0026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XH8H-MFRV-W6WH

Vulnerability from github – Published: 2025-12-23 00:30 – Updated: 2025-12-23 00:30
VLAI
Details

SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted environment variables. Attackers can manipulate the username environment variable with format string payloads to potentially execute arbitrary code and crash the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-22T22:16:01Z",
    "severity": "CRITICAL"
  },
  "details": "SOUND4 LinkAndShare Transmitter 1.1.2 contains a format string vulnerability that allows attackers to trigger memory stack overflows through maliciously crafted environment variables. Attackers can manipulate the username environment variable with format string payloads to potentially execute arbitrary code and crash the application.",
  "id": "GHSA-xh8h-mfrv-w6wh",
  "modified": "2025-12-23T00:30:31Z",
  "published": "2025-12-23T00:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53966"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20221207074555/https://www.sound4.com"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51259"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/sound-linkandshare-transmitter-format-string-stack-buffer-overflow"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XMQ7-7FXM-RR79

Vulnerability from github – Published: 2020-09-25 18:28 – Updated: 2024-10-28 21:23
VLAI
Summary
Denial of Service in Tensorflow
Details

Impact

By controlling the fill argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a printf call is constructed: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/as_string_op.cc#L68-L74

This can result in unexpected output:

In [1]: tf.strings.as_string(input=[1234], width=6, fill='-')                                                                     
Out[1]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['1234  '], dtype=object)>                                              
In [2]: tf.strings.as_string(input=[1234], width=6, fill='+')                                                                     
Out[2]: <tf.Tensor: shape=(1,), dtype=string, numpy=array([' +1234'], dtype=object)> 
In [3]: tf.strings.as_string(input=[1234], width=6, fill="h")                                                                     
Out[3]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['%6d'], dtype=object)> 
In [4]: tf.strings.as_string(input=[1234], width=6, fill="d")                                                                     
Out[4]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['12346d'], dtype=object)> 
In [5]: tf.strings.as_string(input=[1234], width=6, fill="o")
Out[5]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['23226d'], dtype=object)>
In [6]: tf.strings.as_string(input=[1234], width=6, fill="x")
Out[6]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['4d26d'], dtype=object)>
In [7]: tf.strings.as_string(input=[1234], width=6, fill="g")
Out[7]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['8.67458e-3116d'], dtype=object)>
In [8]: tf.strings.as_string(input=[1234], width=6, fill="a")
Out[8]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['0x0.00ff7eebb4d4p-10226d'], dtype=object)>
In [9]: tf.strings.as_string(input=[1234], width=6, fill="c")
Out[9]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['\xd26d'], dtype=object)>
In [10]: tf.strings.as_string(input=[1234], width=6, fill="p")
Out[10]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['0x4d26d'], dtype=object)>
In [11]: tf.strings.as_string(input=[1234], width=6, fill='m') 
Out[11]: <tf.Tensor: shape=(1,), dtype=string, numpy=array(['Success6d'], dtype=object)>

However, passing in n or s results in segmentation fault.

Patches

We have patched the issue in 33be22c65d86256e6826666662e40dbdfe70ee83 and will release patch releases for all versions between 1.15 and 2.3.

We recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by members of the Aivul Team from Qihoo 360.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.15.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.2.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.15.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.2.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.15.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.2.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-09-25T17:34:02Z",
    "nvd_published_at": "2020-09-25T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nBy controlling the `fill` argument of [`tf.strings.as_string`](https://www.tensorflow.org/api_docs/python/tf/strings/as_string), a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a `printf` call is constructed: https://github.com/tensorflow/tensorflow/blob/0e68f4d3295eb0281a517c3662f6698992b7b2cf/tensorflow/core/kernels/as_string_op.cc#L68-L74\n\nThis can result in unexpected output:\n```python\nIn [1]: tf.strings.as_string(input=[1234], width=6, fill=\u0027-\u0027)                                                                     \nOut[1]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u00271234  \u0027], dtype=object)\u003e                                              \nIn [2]: tf.strings.as_string(input=[1234], width=6, fill=\u0027+\u0027)                                                                     \nOut[2]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u0027 +1234\u0027], dtype=object)\u003e \nIn [3]: tf.strings.as_string(input=[1234], width=6, fill=\"h\")                                                                     \nOut[3]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u0027%6d\u0027], dtype=object)\u003e \nIn [4]: tf.strings.as_string(input=[1234], width=6, fill=\"d\")                                                                     \nOut[4]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u002712346d\u0027], dtype=object)\u003e \nIn [5]: tf.strings.as_string(input=[1234], width=6, fill=\"o\")\nOut[5]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u002723226d\u0027], dtype=object)\u003e\nIn [6]: tf.strings.as_string(input=[1234], width=6, fill=\"x\")\nOut[6]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u00274d26d\u0027], dtype=object)\u003e\nIn [7]: tf.strings.as_string(input=[1234], width=6, fill=\"g\")\nOut[7]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u00278.67458e-3116d\u0027], dtype=object)\u003e\nIn [8]: tf.strings.as_string(input=[1234], width=6, fill=\"a\")\nOut[8]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u00270x0.00ff7eebb4d4p-10226d\u0027], dtype=object)\u003e\nIn [9]: tf.strings.as_string(input=[1234], width=6, fill=\"c\")\nOut[9]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u0027\\xd26d\u0027], dtype=object)\u003e\nIn [10]: tf.strings.as_string(input=[1234], width=6, fill=\"p\")\nOut[10]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u00270x4d26d\u0027], dtype=object)\u003e\nIn [11]: tf.strings.as_string(input=[1234], width=6, fill=\u0027m\u0027) \nOut[11]: \u003ctf.Tensor: shape=(1,), dtype=string, numpy=array([\u0027Success6d\u0027], dtype=object)\u003e\n```\n\nHowever, passing in `n` or `s` results in segmentation fault.\n\n### Patches\nWe have patched the issue in 33be22c65d86256e6826666662e40dbdfe70ee83 and will release patch releases for all versions between 1.15 and 2.3.\n\nWe recommend users to upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by members of the Aivul Team from Qihoo 360.",
  "id": "GHSA-xmq7-7fxm-rr79",
  "modified": "2024-10-28T21:23:19Z",
  "published": "2020-09-25T18:28:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xmq7-7fxm-rr79"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15203"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/33be22c65d86256e6826666662e40dbdfe70ee83"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2020-283.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2020-318.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2020-126.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/releases/tag/v2.3.1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Denial of Service in Tensorflow"
}

GHSA-XQPV-JVPQ-XJVC

Vulnerability from github – Published: 2023-09-18 03:31 – Updated: 2024-04-04 07:42
VLAI
Details

ASUS router RT-AX88U has a vulnerability of using externally controllable format strings within its Advanced Open VPN function. An authenticated remote attacker can exploit the exported OpenVPN configuration to execute an externally-controlled format string attack, resulting in sensitivity information leakage, or forcing the device to reset and permanent denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-18T03:15:08Z",
    "severity": "HIGH"
  },
  "details": "\nASUS router RT-AX88U has a vulnerability of using externally controllable format strings within its Advanced Open VPN function. An authenticated remote attacker can exploit the exported OpenVPN configuration to execute an externally-controlled format string attack, resulting in sensitivity information leakage, or forcing the device to reset and permanent denial of service.\n\n",
  "id": "GHSA-xqpv-jvpq-xjvc",
  "modified": "2024-04-04T07:42:55Z",
  "published": "2023-09-18T03:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41349"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-7371-aecf1-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRQ4-CXFP-74J4

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.3 system core component is affected by a format string security vulnerability. An attacker could execute arbitrary code in the context of process memory, potentially escalating their system privileges and taking control over the entire system with root access. IBM X-Force ID: 201474.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-29740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-01T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Spectrum Scale 5.0.0 through 5.0.5.6 and 5.1.0 through 5.1.0.3 system core component is affected by a format string security vulnerability. An attacker could execute arbitrary code in the context of process memory, potentially escalating their system privileges and taking control over the entire system with root access. IBM X-Force ID: 201474.",
  "id": "GHSA-xrq4-cxfp-74j4",
  "modified": "2022-05-24T19:03:44Z",
  "published": "2022-05-24T19:03:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29740"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/201474"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6457629"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XWHQ-77CP-J75X

Vulnerability from github – Published: 2022-05-17 02:11 – Updated: 2022-05-17 02:11
VLAI
Details

The web management interface in 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point allows remote attackers to cause a denial of service (device crash) via a malformed HTTP POST request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-6395"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-03-04T17:30:00Z",
    "severity": "HIGH"
  },
  "details": "The web management interface in 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point allows remote attackers to cause a denial of service (device crash) via a malformed HTTP POST request.",
  "id": "GHSA-xwhq-77cp-j75x",
  "modified": "2022-05-17T02:11:21Z",
  "published": "2022-05-17T02:11:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6395"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44890"
    },
    {
      "type": "WEB",
      "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064226.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31714"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30988"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1020807"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.