CWE-344
AllowedUse of Invariant Value in Dynamically Changing Context
Abstraction: Base · Status: Draft
The product uses a constant value, name, or reference, but this value can (or should) vary across different environments.
5 vulnerabilities reference this CWE, most recent first.
CVE-2026-42961 (GCVE-0-2026-42961)
Vulnerability from cvelistv5 – Published: 2026-05-13 12:02 – Updated: 2026-05-13 15:04- CWE-344 - Use of Invariant Value in Dynamically Changing Context
| Vendor | Product | Version | |
|---|---|---|---|
| ELECOM CO.,LTD. | WAB-BE187-M |
Affected:
v1.1.10 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE72-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-M |
Affected:
v1.1.3 and earlier
|
|
| ELECOM CO.,LTD. | WAB-BE36-S |
Affected:
v1.1.3 and earlier
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T15:03:53.658856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T15:04:39.032Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WAB-BE187-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.10 and earlier"
}
]
},
{
"product": "WAB-BE72-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-M",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
},
{
"product": "WAB-BE36-S",
"vendor": "ELECOM CO.,LTD.",
"versions": [
{
"status": "affected",
"version": "v1.1.3 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-344",
"description": "Use of Invariant Value in Dynamically Changing Context",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:02:22.642Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.elecom.co.jp/news/security/20260512-01/"
},
{
"url": "https://jvn.jp/en/jp/JVN03037325/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-42961",
"datePublished": "2026-05-13T12:02:22.642Z",
"dateReserved": "2026-05-07T05:47:12.897Z",
"dateUpdated": "2026-05-13T15:04:39.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-22746 (GCVE-0-2023-22746)
Vulnerability from cvelistv5 – Published: 2023-02-03 21:07 – Updated: 2025-03-10 21:16| URL | Tags |
|---|---|
| https://github.com/ckan/ckan/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/ckan/ckan/commit/44af0f0a148fc… | x_refsource_MISC |
| https://github.com/ckan/ckan/commit/4c22c135fa486… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.220Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x"
},
{
"name": "https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf02fe69b7db13459a84b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf02fe69b7db13459a84b"
},
{
"name": "https://github.com/ckan/ckan/commit/4c22c135fa486afa13855d1cdb9765eaf418d2aa",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ckan/ckan/commit/4c22c135fa486afa13855d1cdb9765eaf418d2aa"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:59:04.838038Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:16:37.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ckan",
"vendor": "ckan",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.7"
},
{
"status": "affected",
"version": "\u003c 2.8.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn\u0027t set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker, (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images)\nkeitaroinc/docker-ckan (keitaro/ckan images).\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-344",
"description": "CWE-344: Use of Invariant Value in Dynamically Changing Context",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-03T21:07:11.551Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ckan/ckan/security/advisories/GHSA-pr8j-v4c8-h62x"
},
{
"name": "https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf02fe69b7db13459a84b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ckan/ckan/commit/44af0f0a148fcc0e0fbcf02fe69b7db13459a84b"
},
{
"name": "https://github.com/ckan/ckan/commit/4c22c135fa486afa13855d1cdb9765eaf418d2aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ckan/ckan/commit/4c22c135fa486afa13855d1cdb9765eaf418d2aa"
}
],
"source": {
"advisory": "GHSA-pr8j-v4c8-h62x",
"discovery": "UNKNOWN"
},
"title": "CKAN is vulnerable to session secret shared across instances using Docker images"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22746",
"datePublished": "2023-02-03T21:07:11.551Z",
"dateReserved": "2023-01-06T14:21:05.894Z",
"dateUpdated": "2025-03-10T21:16:37.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36022 (GCVE-0-2022-36022)
Vulnerability from cvelistv5 – Published: 2022-11-10 00:00 – Updated: 2025-04-23 16:39- CWE-344 - Use of Invariant Value in Dynamically Changing Context
| Vendor | Product | Version | |
|---|---|---|---|
| eclipse | deeplearning4j |
Affected:
<= 1.0.0-M2.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.879Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/eclipse/deeplearning4j/security/advisories/GHSA-rc39-g977-687w"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mmihaltz/word2vec-GoogleNews-vectors"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36022",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:49:06.754394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:39:29.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deeplearning4j",
"vendor": "eclipse",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.0.0-M2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Deeplearning4J is a suite of tools for deploying and training deep learning models using the JVM. Packages org.deeplearning4j:dl4j-examples and org.deeplearning4j:platform-tests through version 1.0.0-M2.1 may use some unclaimed S3 buckets in tests in examples. This is likely affect people who use some older NLP examples that reference an old S3 bucket. The problem has been patched. Users should upgrade to snapshots as Deeplearning4J plan to publish a release with the fix at a later date. As a workaround, download a word2vec google news vector from a new source using git lfs from here."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-344",
"description": "CWE-344: Use of Invariant Value in Dynamically Changing Context",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-10T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/eclipse/deeplearning4j/security/advisories/GHSA-rc39-g977-687w"
},
{
"url": "https://github.com/mmihaltz/word2vec-GoogleNews-vectors"
}
],
"source": {
"advisory": "GHSA-rc39-g977-687w",
"discovery": "UNKNOWN"
},
"title": "Some Deeplearning4J packages use unclaimed s3 bucket in tests and examples"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36022",
"datePublished": "2022-11-10T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:39:29.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-9Q5W-FVXJ-WGPQ
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.
{
"affected": [],
"aliases": [
"CVE-2026-42961"
],
"database_specific": {
"cwe_ids": [
"CWE-344"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T13:16:44Z",
"severity": "MODERATE"
},
"details": "ELECOM wireless LAN access point devices implement CSRF protection mechanism, but with inadequate handling of CSRF tokens. If a user views a malicious page while logged in, the user may be tricked to do unintended operations.",
"id": "GHSA-9q5w-fvxj-wgpq",
"modified": "2026-05-13T18:30:53Z",
"published": "2026-05-13T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42961"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN03037325"
},
{
"type": "WEB",
"url": "https://www.elecom.co.jp/news/security/20260512-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RC39-G977-687W
Vulnerability from github – Published: 2022-11-10 21:27 – Updated: 2022-11-10 21:27Impact
People who use some older NLP examples that reference the old S3 bucket.
Patches
The problem has been patched. Upgrade to snapshots for now. A release will be published later to address this due to the vulnerability mostly being examples and 1 class in the actual code base.
Workarounds
Download a word2vec google news vector from a new source using git lfs
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.deeplearning4j:platform-tests"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.0-M2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.deeplearning4j:dl4j-examples"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.0-M2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-36022"
],
"database_specific": {
"cwe_ids": [
"CWE-330",
"CWE-344"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-10T21:27:55Z",
"nvd_published_at": "2022-11-10T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nPeople who use some older NLP examples that reference the old S3 bucket.\n\n### Patches\nThe problem has been patched. Upgrade to snapshots for now. A release will be published later to address this due to the vulnerability mostly being examples and 1 class in the actual code base.\n\n### Workarounds\nDownload a word2vec google news vector from a new source using git lfs ",
"id": "GHSA-rc39-g977-687w",
"modified": "2022-11-10T21:27:55Z",
"published": "2022-11-10T21:27:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/deeplearning4j/deeplearning4j/security/advisories/GHSA-rc39-g977-687w"
},
{
"type": "WEB",
"url": "https://github.com/eclipse/deeplearning4j/security/advisories/GHSA-rc39-g977-687w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36022"
},
{
"type": "PACKAGE",
"url": "https://github.com/deeplearning4j/deeplearning4j"
},
{
"type": "WEB",
"url": "https://github.com/mmihaltz/word2vec-GoogleNews-vectors"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Use of unclaimed s3 bucket in tests and examples"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.