Common Weakness Enumeration

CWE-221

Allowed-with-Review

Information Loss or Omission

Abstraction: Class · Status: Incomplete

The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.

3 vulnerabilities reference this CWE, most recent first.

GHSA-5F99-WCH4-5W2C

Vulnerability from github – Published: 2023-07-11 09:30 – Updated: 2024-09-30 12:30
VLAI
Details

DroneScout ds230 Remote ID receiver from BlueMark Innovations is affected by an information loss vulnerability through traffic injection.

An attacker can exploit this vulnerability by injecting, on carefully selected channels, high power spoofed Open Drone ID (ODID) messages which force the DroneScout ds230 Remote ID receiver to drop real Remote ID (RID) information and, instead, generate and transmit JSON encoded MQTT messages containing crafted RID information. Consequently, the MQTT broker, typically operated by a system integrator, will have no access to the drones’ real RID information.

This issue affects the adjacent channel suppression algorithm present in DroneScout ds230 firmware from version 20211210-1627 through 20230329-1042.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-221",
      "CWE-223"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-11T09:15:09Z",
    "severity": "HIGH"
  },
  "details": "DroneScout ds230 Remote ID receiver from BlueMark Innovations is affected by an information loss vulnerability through traffic injection.\n\nAn attacker can exploit this vulnerability by injecting, on carefully selected channels, high power spoofed Open Drone ID (ODID) messages which force the DroneScout ds230 Remote ID receiver to drop real Remote ID (RID) information and, instead, generate and transmit JSON encoded MQTT messages containing crafted RID information. Consequently, the MQTT broker, typically operated by a system integrator, will have no access to the drones\u2019 real RID information.\n\nThis issue affects the adjacent channel suppression algorithm present in DroneScout ds230 firmware from version 20211210-1627 through 20230329-1042.",
  "id": "GHSA-5f99-wch4-5w2c",
  "modified": "2024-09-30T12:30:31Z",
  "published": "2023-07-11T09:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31191"
    },
    {
      "type": "WEB",
      "url": "https://download.bluemark.io/dronescout/firmware/history.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2023-31191"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CPMJ-H4F6-R6PQ

Vulnerability from github – Published: 2026-02-09 17:19 – Updated: 2026-02-09 22:39
VLAI
Summary
Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
Details

Summary

A security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the sendto, sendmsg, and sendmmsg socket system calls can bypass detection and logging when using egress-policy: audit.

Note: This vulnerability only affects audit mode. When using egress-policy: block, these connections are properly blocked. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies)

Affected Versions

  • Harden-Runner Community Tier: All versions prior to v2.14.2
  • Harden-Runner Enterprise Tier: NOT AFFECTED

Severity

Medium - This vulnerability affects audit logging capabilities but requires the attacker to already have code execution within the workflow.

Impact

When Harden-Runner is configured in audit mode (egress-policy: audit), attackers with the ability to execute arbitrary code in a workflow can: - Send outbound network traffic without generating audit logs - Bypass network monitoring for UDP-based communications

Important: This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies).

Technical Details

The vulnerability stems from incomplete monitoring coverage of certain socket-related system calls. Specifically, the following system calls can be used to send UDP traffic without triggering audit events:

  • sendto()

  • sendmsg()

  • sendmmsg()

An attacker with code execution in a workflow can compile and execute native code that uses these system calls to establish covert communication channels.

Affected Users

This vulnerability ONLY affects users of the Harden-Runner Community Tier.

The Harden-Runner Enterprise Tier is NOT vulnerable to this bypass technique.

Remediation

For Community Tier Users

Upgrade to Harden-Runner v2.14.2 or later. This version includes fixes for the logging bypass vulnerability.

For Enterprise Tier Users

No action required. Enterprise tier customers are not affected by this vulnerability.

Credit

We would like to thank Devansh Batham for responsibly disclosing this vulnerability through our security reporting process. Devansh was communicative throughout the process and verified the fix before the fix before it was made public.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "step-security/harden-runner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25598"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-221",
      "CWE-778",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-09T17:19:14Z",
    "nvd_published_at": "2026-02-09T20:15:58Z",
    "severity": "MODERATE"
  },
  "details": "## Summary \n\nA security vulnerability has been identified in the Harden-Runner GitHub Action (Community Tier) that allows outbound network connections to evade audit logging. Specifically, outbound traffic using the `sendto`, `sendmsg`, and `sendmmsg` socket system calls can bypass detection and logging when using `egress-policy: audit`. \n\n**Note:** This vulnerability only affects audit mode. When using `egress-policy: block`, these connections are properly blocked. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies)\n\n## Affected Versions \n\n- Harden-Runner Community Tier: All versions prior to v2.14.2 \n- Harden-Runner Enterprise Tier: **NOT AFFECTED** \n\n## Severity \n\n**Medium** - This vulnerability affects audit logging capabilities but requires the attacker to already have code execution within the workflow. \n\n## Impact \n\nWhen Harden-Runner is configured in audit mode (`egress-policy: audit`), attackers with the ability to execute arbitrary code in a workflow can: \n- Send outbound network traffic without generating audit logs \n- Bypass network monitoring for UDP-based communications \n\n**Important:** This vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow (e.g., through workflow injection or compromised dependencies). \n\n## Technical Details \n\nThe vulnerability stems from incomplete monitoring coverage of certain socket-related system calls. Specifically, the following system calls can be used to send UDP traffic without triggering audit events: \n\n- `sendto()` \n\n- `sendmsg()` \n\n- `sendmmsg()` \n\nAn attacker with code execution in a workflow can compile and execute native code that uses these system calls to establish covert communication channels. \n\n## Affected Users \n\n**This vulnerability ONLY affects users of the Harden-Runner Community Tier.** \n\nThe Harden-Runner Enterprise Tier is **NOT vulnerable** to this bypass technique. \n\n## Remediation \n\n### For Community Tier Users \n \n**Upgrade to Harden-Runner v2.14.2 or later.** This version includes fixes for the logging bypass vulnerability. \n\n### For Enterprise Tier Users \n\nNo action required. Enterprise tier customers are not affected by this vulnerability. \n\n## Credit \n\nWe would like to thank [Devansh Batham](https://github.com/devanshbatham) for responsibly disclosing this vulnerability through our security reporting process. Devansh was communicative throughout the process and verified the fix before the fix before it was made public.",
  "id": "GHSA-cpmj-h4f6-r6pq",
  "modified": "2026-02-09T22:39:28Z",
  "published": "2026-02-09T17:19:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25598"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/commit/5ef0c079ce82195b2a36a210272d6b661572d83e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/step-security/harden-runner"
    },
    {
      "type": "WEB",
      "url": "https://github.com/step-security/harden-runner/releases/tag/v2.14.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)"
}

GHSA-PGGP-WPFC-2W3C

Vulnerability from github – Published: 2023-07-11 09:30 – Updated: 2024-09-30 12:30
VLAI
Details

DroneScout ds230 Remote ID receiver from BlueMark Innovations is affected by an information loss vulnerability through traffic injection. An attacker can exploit this vulnerability by injecting, at the right times, spoofed Open Drone ID (ODID) messages which force the DroneScout ds230 Remote ID receiver to drop real Remote ID (RID) information and, instead, generate and transmit JSON encoded MQTT messages containing crafted RID information. Consequently, the MQTT broker, typically operated by a system integrator, will have no access to the drones’ real RID information.

This issue affects DroneScout ds230 in default configuration from firmware version 20211210-1627 through 20230329-1042.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-221",
      "CWE-223"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-11T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "DroneScout ds230 Remote ID receiver from BlueMark Innovations\u00a0is affected by an information loss vulnerability through\u00a0traffic injection.\nAn attacker can exploit this vulnerability by injecting, at the right times, spoofed Open Drone ID (ODID) messages which force the DroneScout ds230 Remote ID receiver to drop real Remote ID (RID) information and, instead, generate and transmit JSON encoded MQTT messages containing crafted RID information.\u00a0Consequently, the\u00a0MQTT broker, typically operated by a system integrator,\u00a0will have no access to the drones\u2019 real RID information.\n\nThis issue affects DroneScout ds230 in default configuration from firmware version 20211210-1627 through 20230329-1042.\n",
  "id": "GHSA-pggp-wpfc-2w3c",
  "modified": "2024-09-30T12:30:31Z",
  "published": "2023-07-11T09:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29156"
    },
    {
      "type": "WEB",
      "url": "https://download.bluemark.io/dronescout/firmware/history.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2023-29156"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.