Common Weakness Enumeration

CWE-344

Allowed

Use of Invariant Value in Dynamically Changing Context

Abstraction: Base · Status: Draft

The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.

5 vulnerabilities reference this CWE, most recent first.

CVE-2026-42961 (GCVE-0-2026-42961)

Vulnerability from cvelistv5 – Published: 2026-05-13 12:02 – Updated: 2026-05-13 15:04
VLAI
Summary
ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-344 - Use of Invariant Value in Dynamically Changing Context
Assigner
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42961",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:03:53.658856Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T15:04:39.032Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WAB-BE187-M",
          "vendor": "ELECOM CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "v1.1.10 and earlier"
            }
          ]
        },
        {
          "product": "WAB-BE72-M",
          "vendor": "ELECOM CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "v1.1.3 and earlier"
            }
          ]
        },
        {
          "product": "WAB-BE36-M",
          "vendor": "ELECOM CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "v1.1.3 and earlier"
            }
          ]
        },
        {
          "product": "WAB-BE36-S",
          "vendor": "ELECOM CO.,LTD.",
          "versions": [
            {
              "status": "affected",
              "version": "v1.1.3 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-344",
              "description": "Use of Invariant Value in Dynamically Changing Context",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T12:02:22.642Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.elecom.co.jp/news/security/20260512-01/"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN03037325/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2026-42961",
    "datePublished": "2026-05-13T12:02:22.642Z",
    "dateReserved": "2026-05-07T05:47:12.897Z",
    "dateUpdated": "2026-05-13T15:04:39.032Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-22746 (GCVE-0-2023-22746)

Vulnerability from cvelistv5 – Published: 2023-02-03 21:07 – Updated: 2025-03-10 21:16
VLAI
Title
CKAN is vulnerable to session secret shared across instances using Docker images
Summary
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker, (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images) keitaroinc/docker-ckan (keitaro/ckan images).
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-344 - Use of Invariant Value in Dynamically Changing Context
  • CWE-330 - Use of Insufficiently Random Values
Assigner
Impacted products
Vendor Product Version
ckan ckan Affected: >= 2.9.0, < 2.9.7
Affected: < 2.8.12
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:20:30.220Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x"
          },
          {
            "name": "https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf02fe69b7db13459a84b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf02fe69b7db13459a84b"
          },
          {
            "name": "https://github.com/ckan/ckan/commit/4c22c135fa486afa13855d1cdb9765eaf418d2aa",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ckan/ckan/commit/4c22c135fa486afa13855d1cdb9765eaf418d2aa"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-22746",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:59:04.838038Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:16:37.925Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ckan",
          "vendor": "ckan",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.9.0, \u003c 2.9.7"
            },
            {
              "status": "affected",
              "version": "\u003c 2.8.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn\u0027t set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker, (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images)\nkeitaroinc/docker-ckan (keitaro/ckan images).\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-344",
              "description": "CWE-344: Use of Invariant Value in Dynamically Changing Context",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330: Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-03T21:07:11.551Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x"
        },
        {
          "name": "https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf02fe69b7db13459a84b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf02fe69b7db13459a84b"
        },
        {
          "name": "https://github.com/ckan/ckan/commit/4c22c135fa486afa13855d1cdb9765eaf418d2aa",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ckan/ckan/commit/4c22c135fa486afa13855d1cdb9765eaf418d2aa"
        }
      ],
      "source": {
        "advisory": "GHSA-pr8j-v4c8-h62x",
        "discovery": "UNKNOWN"
      },
      "title": "CKAN is vulnerable to session secret shared across instances using Docker images"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-22746",
    "datePublished": "2023-02-03T21:07:11.551Z",
    "dateReserved": "2023-01-06T14:21:05.894Z",
    "dateUpdated": "2025-03-10T21:16:37.925Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-36022 (GCVE-0-2022-36022)

Vulnerability from cvelistv5 – Published: 2022-11-10 00:00 – Updated: 2025-04-23 16:39
VLAI
Title
Some Deeplearning4J packages use unclaimed s3 bucket in tests and examples
Summary
Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots as Deeplearning4J plan to publish a release with the fix at a later date. As a workaround, download a word2vec google news vector from a new source using git lfs from here.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-344 - Use of Invariant Value in Dynamically Changing Context
Assigner
Impacted products
Vendor Product Version
eclipse deeplearning4j Affected: <= 1.0.0-M2.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:51:59.879Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/eclipse/deeplearning4j/security/advisories/GHSA-rc39-g977-687w"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/mmihaltz/word2vec-GoogleNews-vectors"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-36022",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:49:06.754394Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:39:29.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "deeplearning4j",
          "vendor": "eclipse",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.0.0-M2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots as Deeplearning4J plan to publish a release with the fix at a later date. As a workaround, download a word2vec google news vector from a new source using git lfs from here."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-344",
              "description": "CWE-344: Use of Invariant Value in Dynamically Changing Context",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-10T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/eclipse/deeplearning4j/security/advisories/GHSA-rc39-g977-687w"
        },
        {
          "url": "https://github.com/mmihaltz/word2vec-GoogleNews-vectors"
        }
      ],
      "source": {
        "advisory": "GHSA-rc39-g977-687w",
        "discovery": "UNKNOWN"
      },
      "title": "Some Deeplearning4J packages use unclaimed s3 bucket in tests and examples"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-36022",
    "datePublished": "2022-11-10T00:00:00.000Z",
    "dateReserved": "2022-07-15T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:39:29.662Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-9Q5W-FVXJ-WGPQ

Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30
VLAI
Details

ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-344"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-13T13:16:44Z",
    "severity": "MODERATE"
  },
  "details": "ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.",
  "id": "GHSA-9q5w-fvxj-wgpq",
  "modified": "2026-05-13T18:30:53Z",
  "published": "2026-05-13T18:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42961"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN03037325"
    },
    {
      "type": "WEB",
      "url": "https://www.elecom.co.jp/news/security/20260512-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RC39-G977-687W

Vulnerability from github – Published: 2022-11-10 21:27 – Updated: 2022-11-10 21:27
VLAI
Summary
Use of unclaimed s3 bucket in tests and examples
Details

Impact

People who use some older NLP examples that reference the old S3 bucket.

Patches

The problem has been patched. Upgrade to snapshots for now. A release will be published later to address this due to the vulnerability mostly being examples and 1 class in the actual code base.

Workarounds

Download a word2vec google news vector from a new source using git lfs

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.deeplearning4j:platform-tests"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.0-M2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.deeplearning4j:dl4j-examples"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.0-M2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-344"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-10T21:27:55Z",
    "nvd_published_at": "2022-11-10T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nPeople who use some older NLP examples that reference the old S3 bucket.\n\n### Patches\nThe problem has been patched. Upgrade to snapshots for now. A release will be published later to address this due to the  vulnerability mostly being examples and 1 class in the actual code base.\n\n### Workarounds\nDownload a word2vec google news vector from a new source using git lfs ",
  "id": "GHSA-rc39-g977-687w",
  "modified": "2022-11-10T21:27:55Z",
  "published": "2022-11-10T21:27:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/deeplearning4j/deeplearning4j/security/advisories/GHSA-rc39-g977-687w"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/deeplearning4j/security/advisories/GHSA-rc39-g977-687w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36022"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/deeplearning4j/deeplearning4j"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mmihaltz/word2vec-GoogleNews-vectors"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of unclaimed s3 bucket in tests and examples"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.