CWE-155
AllowedImproper Neutralization of Wildcards or Matching Symbols
Abstraction: Variant · Status: Draft
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component.
31 vulnerabilities reference this CWE, most recent first.
GHSA-477Q-5HXF-4XR2
Vulnerability from github – Published: 2024-03-19 09:30 – Updated: 2024-11-08 09:30Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
{
"affected": [],
"aliases": [
"CVE-2024-0054"
],
"database_specific": {
"cwe_ids": [
"CWE-155"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-19T07:15:07Z",
"severity": "MODERATE"
},
"details": "Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs local_list.cgi, create_overlay.cgi and irissetup.cgi\u00a0was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS\nversions for the highlighted flaw. Please refer to the Axis security advisory\nfor more information and solution.\n\n",
"id": "GHSA-477q-5hxf-4xr2",
"modified": "2024-11-08T09:30:30Z",
"published": "2024-03-19T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0054"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/76/f3/1d/cve-2024-0054-en-US-432116.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-59RF-FQ39-RH6X
Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2023-08-31 03:30It's possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2020-1772"
],
"database_specific": {
"cwe_ids": [
"CWE-155"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-27T13:15:00Z",
"severity": "MODERATE"
},
"details": "It\u0027s possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.",
"id": "GHSA-59rf-fq39-rh6x",
"modified": "2023-08-31T03:30:36Z",
"published": "2022-05-24T17:12:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1772"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2020-09"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5F55-V7C2-39W2
Vulnerability from github – Published: 2024-09-11 18:31 – Updated: 2024-10-03 00:30An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators) with access to the CLI to to read arbitrary files on the firewall.
{
"affected": [],
"aliases": [
"CVE-2024-8688"
],
"database_specific": {
"cwe_ids": [
"CWE-155"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-11T17:15:14Z",
"severity": "MODERATE"
},
"details": "An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators) with access to the CLI to to read arbitrary files on the firewall.",
"id": "GHSA-5f55-v7c2-39w2",
"modified": "2024-10-03T00:30:40Z",
"published": "2024-09-11T18:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8688"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2024-8688"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-5PPP-5MCP-FQFV
Vulnerability from github – Published: 2024-03-19 09:30 – Updated: 2024-03-19 09:30Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
{
"affected": [],
"aliases": [
"CVE-2024-0055"
],
"database_specific": {
"cwe_ids": [
"CWE-155"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-19T07:15:08Z",
"severity": "MODERATE"
},
"details": "Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.\n",
"id": "GHSA-5ppp-5mcp-fqfv",
"modified": "2024-03-19T09:30:32Z",
"published": "2024-03-19T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0055"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/c4/00/c5/cve-2024-0055-en-US-432117.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-78FX-H6XR-VCH4
Vulnerability from github – Published: 2025-03-05 19:09 – Updated: 2025-03-12 21:29When using wildcard validation to validate a given file or image field array (files.*), a user-crafted malicious request could potentially bypass the validation rules.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "laravel/framework"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0"
},
{
"fixed": "12.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "laravel/framework"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.44.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "laravel/framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.48.29"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27515"
],
"database_specific": {
"cwe_ids": [
"CWE-155"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-05T19:09:39Z",
"nvd_published_at": "2025-03-05T19:15:39Z",
"severity": "MODERATE"
},
"details": "When using wildcard validation to validate a given file or image field array (`files.*`), a user-crafted malicious request could potentially bypass the validation rules.",
"id": "GHSA-78fx-h6xr-vch4",
"modified": "2025-03-12T21:29:27Z",
"published": "2025-03-05T19:09:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/laravel/framework/security/advisories/GHSA-78fx-h6xr-vch4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27515"
},
{
"type": "WEB",
"url": "https://github.com/laravel/framework/commit/2d133034fefddfb047838f4caca3687a3ba811a5"
},
{
"type": "WEB",
"url": "https://github.com/laravel/framework/commit/a4f7a8f9b83e21882abeef78c3174c66b0f4a26b"
},
{
"type": "PACKAGE",
"url": "https://github.com/laravel/framework"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Laravel has a File Validation Bypass"
}
GHSA-7P8F-8HJM-WM92
Vulnerability from github – Published: 2022-01-13 15:05 – Updated: 2022-01-13 15:02Impact
Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion.
For example, given schema:
definition user {}
definition resource {
relation viewer: user
relation banned: user | user:*
permission view = viewer - banned
}
If user:* is placed into the banned relation for a particular resource, view should return false for all resources. in v1.3.0, the wildcard is ignored entirely in lookup's dispatch, resulting in the banned wildcard being ignored in the exclusion.
Workarounds
Don't make use of wildcards on the right side of intersections or within exclusions.
References
https://github.com/authzed/spicedb/issues/358
For more information
If you have any questions or comments about this advisory: * Open an issue in SpiceDB * Ask a question in the SpiceDB Discord
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/authzed/spicedb"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3.0"
]
}
],
"aliases": [
"CVE-2022-21646"
],
"database_specific": {
"cwe_ids": [
"CWE-155",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-11T21:06:45Z",
"nvd_published_at": "2022-01-11T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nAny user making use of a wildcard relationship under the right hand branch of an `exclusion` or within an `intersection` operation will see `Lookup`/`LookupResources` return a resource as \"accessible\" if it is *not* accessible by virtue of the inclusion of the wildcard in the intersection or the right side of the exclusion.\n\nFor example, given schema:\n\n```zed\ndefinition user {}\n\ndefinition resource {\n relation viewer: user\n relation banned: user | user:*\n permission view = viewer - banned\n}\n```\n\nIf `user:*` is placed into the `banned` relation for a particular resource, `view` should return false for *all* resources. in `v1.3.0`, the wildcard is ignored entirely in lookup\u0027s dispatch, resulting in the `banned` wildcard being ignored in the exclusion.\n\n### Workarounds\nDon\u0027t make use of wildcards on the right side of intersections or within exclusions. \n\n### References\nhttps://github.com/authzed/spicedb/issues/358\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [SpiceDB](https://github.com/authzed/spicedb)\n* Ask a question in the [SpiceDB Discord](https://authzed.com/discord)\n",
"id": "GHSA-7p8f-8hjm-wm92",
"modified": "2022-01-13T15:02:31Z",
"published": "2022-01-13T15:05:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/security/advisories/GHSA-7p8f-8hjm-wm92"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21646"
},
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/issues/358"
},
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/commit/15bba2e2d2a4bda336a37a7fe8ef8a35028cd970"
},
{
"type": "PACKAGE",
"url": "https://github.com/authzed/spicedb"
},
{
"type": "WEB",
"url": "https://github.com/authzed/spicedb/releases/tag/v1.4.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Lookup operations do not take into account wildcards in SpiceDB"
}
GHSA-CCRR-HX7G-HMM4
Vulnerability from github – Published: 2024-09-10 06:30 – Updated: 2024-11-29 06:35Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
{
"affected": [],
"aliases": [
"CVE-2024-6509"
],
"database_specific": {
"cwe_ids": [
"CWE-155",
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T05:15:12Z",
"severity": "MODERATE"
},
"details": "Marinus Pfund, member of the AXIS OS Bug Bounty Program, \nhas found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. \nAxis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.",
"id": "GHSA-ccrr-hx7g-hmm4",
"modified": "2024-11-29T06:35:28Z",
"published": "2024-09-10T06:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6509"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/47/bf/2c/cve-2024-6509-en-US-448996.pdf"
},
{
"type": "WEB",
"url": "https://www.axis.com/dam/public/f6/c6/f5/cve-2024-6509-en-US-458043.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F339-MQQR-7GVR
Vulnerability from github – Published: 2024-12-06 21:30 – Updated: 2024-12-06 21:30Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to partial possible topics in Ruijie MQTT broker, and receive partial messages being sent to and from devices.
{
"affected": [],
"aliases": [
"CVE-2024-47791"
],
"database_specific": {
"cwe_ids": [
"CWE-155"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T19:15:12Z",
"severity": "HIGH"
},
"details": "Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to partial possible topics in Ruijie MQTT broker, and receive partial messages being sent to and from devices.",
"id": "GHSA-f339-mqqr-7gvr",
"modified": "2024-12-06T21:30:39Z",
"published": "2024-12-06T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47791"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FC89-JGHX-8PVG
Vulnerability from github – Published: 2025-01-30 17:52 – Updated: 2025-02-05 16:23Impact
By design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy. There might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature. For example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. See this section of Kubewarden’s documentation for more details about PolicyReport resources. An attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects to hide non-compliant resources. Moreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside of the namespace.
Patches
Starting from the 1.21.0 release, the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources. The new validation will also restrict the usage of wildcards when defining apiGroups and resources rules for AdmissionPolicy and AdmissionPolicyGroup objects.
Workarounds
On clusters running Kubewarden < 1.21.0, the following Kubewarden policy can be applied to prevent the creation of AdmissionPolicy and AdmissionPolicyGroup resources that interact with PolicyReport resources:
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
name: "deny-interaction-with-policyreport"
spec:
module: registry://ghcr.io/kubewarden/policies/cel-policy:latest
settings:
variables:
- name: hasWildcardInsideOfApiGroup
expression: "object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == '*'))"
- name: hasWildcardInsideOfResources
expression: "object.spec.rules.exists(r, r.resources.exists(ag, ag == '*' || ag == '*/*' || ag == 'policyreports/*'))"
- name: dealsWithPolicyReportApiGroup
expression: "object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == 'wgpolicyk8s.io'))"
- name: dealsWithPolicyReportResource
expression: "object.spec.rules.exists(r, r.resources.exists(ag, ag == 'policyreports' || ag == 'policyreports/'))"
- name: isPendingDeletion
expression: "has(object.metadata.deletionTimestamp)"
validations:
- expression: |
!( variables.hasWildcardInsideOfApiGroup ||
variables.hasWildcardInsideOfResources ||
variables.dealsWithPolicyReportResource ||
variables.dealsWithPolicyReportApiGroup
) || variables.isPendingDeletion
message: "cannot target PolicyReport resources or use wildcards in apiGroups or resources"
rules:
- apiGroups: ["policies.kubewarden.io"]
apiVersions: ["v1"]
operations: ["CREATE", "UPDATE"]
resources: ["admissionpolicies", "admissionpolicygroups"]
mutating: false
backgroundAudit: true
For more information
If you have any questions or comments about this advisory you can contact the Kubewarden team using the procedures described under the “security disclosure“ guidelines of the Kubewarden project.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kubewarden/kubewarden-controller"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.21.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24376"
],
"database_specific": {
"cwe_ids": [
"CWE-155"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-30T17:52:37Z",
"nvd_published_at": "2025-01-30T16:15:31Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nBy design, AdmissionPolicy and AdmissionPolicyGroup can evaluate only namespaced resources. The resources to be evaluated are determined by the rules provided by the user when defining the policy.\nThere might be Kubernetes namespaced resources that should not be validated by AdmissionPolicy and by the AdmissionPolicyGroup policies because of their sensitive nature.\nFor example, PolicyReport are namespaced resources that contain the list of non compliant objects found inside of a namespace. See [this section](https://docs.kubewarden.io/explanations/audit-scanner/policy-reports) of Kubewarden\u2019s documentation for more details about PolicyReport resources.\nAn attacker can use either an AdmissionPolicy or an AdmissionPolicyGroup to prevent the creation and update of PolicyReport objects to hide non-compliant resources.\nMoreover, the same attacker might use a mutating AdmissionPolicy to alter the contents of the PolicyReport created inside of the namespace.\n\n### Patches\n\nStarting from the 1.21.0 release, the validation rules applied to AdmissionPolicy and AdmissionPolicyGroup have been tightened to prevent them from validating sensitive types of namespaced resources.\nThe new validation will also restrict the usage of wildcards when defining apiGroups and resources rules for AdmissionPolicy and AdmissionPolicyGroup objects.\n\n### Workarounds\n\nOn clusters running Kubewarden \u003c 1.21.0, the following Kubewarden policy can be applied to prevent the creation of AdmissionPolicy and AdmissionPolicyGroup resources that interact with PolicyReport resources:\n\n```yaml\napiVersion: policies.kubewarden.io/v1\nkind: ClusterAdmissionPolicy\nmetadata:\n name: \"deny-interaction-with-policyreport\"\nspec:\n module: registry://ghcr.io/kubewarden/policies/cel-policy:latest\n settings:\n variables:\n - name: hasWildcardInsideOfApiGroup\n expression: \"object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == \u0027*\u0027))\"\n - name: hasWildcardInsideOfResources\n expression: \"object.spec.rules.exists(r, r.resources.exists(ag, ag == \u0027*\u0027 || ag == \u0027*/*\u0027 || ag == \u0027policyreports/*\u0027))\"\n - name: dealsWithPolicyReportApiGroup\n expression: \"object.spec.rules.exists(r, r.apiGroups.exists(ag, ag == \u0027wgpolicyk8s.io\u0027))\"\n - name: dealsWithPolicyReportResource\n expression: \"object.spec.rules.exists(r, r.resources.exists(ag, ag == \u0027policyreports\u0027 || ag == \u0027policyreports/\u0027))\"\n - name: isPendingDeletion\n expression: \"has(object.metadata.deletionTimestamp)\"\n validations:\n - expression: |\n !( variables.hasWildcardInsideOfApiGroup ||\n variables.hasWildcardInsideOfResources ||\n variables.dealsWithPolicyReportResource ||\n variables.dealsWithPolicyReportApiGroup\n ) || variables.isPendingDeletion\n message: \"cannot target PolicyReport resources or use wildcards in apiGroups or resources\"\n rules:\n - apiGroups: [\"policies.kubewarden.io\"]\n apiVersions: [\"v1\"]\n operations: [\"CREATE\", \"UPDATE\"]\n resources: [\"admissionpolicies\", \"admissionpolicygroups\"]\n mutating: false\n backgroundAudit: true\n```\n\n### For more information\n\nIf you have any questions or comments about this advisory you can contact the Kubewarden team using the procedures described under the \u201c[security disclosure](https://docs.kubewarden.io/disclosure)\u201c guidelines of the Kubewarden project.",
"id": "GHSA-fc89-jghx-8pvg",
"modified": "2025-02-05T16:23:59Z",
"published": "2025-01-30T17:52:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kubewarden/kubewarden-controller/security/advisories/GHSA-fc89-jghx-8pvg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24376"
},
{
"type": "WEB",
"url": "https://github.com/kubewarden/kubewarden-controller/commit/8124039b5f0c955d0ee8c8ca12d4415282f02d2c"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubewarden/kubewarden-controller"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3434"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "KubeWarden\u0027s AdmissionPolicy and AdmissionPolicyGroup policies can be used to alter PolicyReport resources"
}
GHSA-R6WV-X735-W2V5
Vulnerability from github – Published: 2025-01-11 03:30 – Updated: 2026-01-23 22:06A wildcard expansion vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to enumerate files on the host filesystem.
{
"affected": [],
"aliases": [
"CVE-2025-0106"
],
"database_specific": {
"cwe_ids": [
"CWE-155"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-11T03:15:22Z",
"severity": "MODERATE"
},
"details": "A wildcard expansion vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to enumerate files on the host filesystem.",
"id": "GHSA-r6wv-x735-w2v5",
"modified": "2026-01-23T22:06:23Z",
"published": "2025-01-11T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0106"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/PAN-SA-2025-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Green",
"type": "CVSS_V4"
}
]
}
Mitigation
Developers should anticipate that wildcard or matching elements will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-28
Strategy: Output Encoding
While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.