CWE-391
ProhibitedUnchecked Error Condition
Abstraction: Base · Status: Incomplete
[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
47 vulnerabilities reference this CWE, most recent first.
GHSA-R2P4-PWJJ-HQR4
Vulnerability from github – Published: 2024-11-15 18:30 – Updated: 2024-11-15 18:30A vulnerability in the Broadband Network Gateway PPP over Ethernet (PPPoE) feature of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the PPPoE process to continually crash. This vulnerability exists because the PPPoE feature does not properly handle an error condition within a specific crafted packet sequence. An attacker could exploit this vulnerability by sending a sequence of specific PPPoE packets from controlled customer premises equipment (CPE). A successful exploit could allow the attacker to cause the PPPoE process to continually restart, resulting in a denial of service condition (DoS).Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.This advisory is part of the September 2022 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see .
{
"affected": [],
"aliases": [
"CVE-2022-20849"
],
"database_specific": {
"cwe_ids": [
"CWE-391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-15T16:15:23Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Broadband Network Gateway PPP over Ethernet (PPPoE) feature of Cisco\u0026nbsp;IOS XR Software could allow an unauthenticated, adjacent attacker to cause the PPPoE process to continually crash.\nThis vulnerability exists because the PPPoE feature does not properly handle an error condition within a specific crafted packet sequence. An attacker could exploit this vulnerability by sending a sequence of specific PPPoE packets from controlled customer premises equipment (CPE). A successful exploit could allow the attacker to cause the PPPoE process to continually restart, resulting in a denial of service condition (DoS).Cisco\u0026nbsp;has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.This advisory is part of the September 2022 release of the Cisco\u0026nbsp;IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see .",
"id": "GHSA-r2p4-pwjj-hqr4",
"modified": "2024-11-15T18:30:50Z",
"published": "2024-11-15T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20849"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bng-Gmg5Gxt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RRJ3-QMH8-72PF
Vulnerability from github – Published: 2019-02-18 23:39 – Updated: 2022-08-03 23:53Versions of grunt-gh-pages prior to 0.10.0 are affected by a vulnerability which may cause unencrypted GitHub credentials to be written to a log file in certain circumstances.
In the grunt-gh-pages deployment scenario where authentication is performed by injecting a GitHub token directly into the auth portion of the URL, grunt-gh-pages will write the token to a log file, unencrypted.
Recommendation
Update to version 0.10.0 or later.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.9.1"
},
"package": {
"ecosystem": "npm",
"name": "grunt-gh-pages"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-10526"
],
"database_specific": {
"cwe_ids": [
"CWE-391"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:55:45Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Versions of `grunt-gh-pages` prior to 0.10.0 are affected by a vulnerability which may cause unencrypted GitHub credentials to be written to a log file in certain circumstances.\n\nIn the `grunt-gh-pages` deployment scenario where authentication is performed by injecting a GitHub token directly into the auth portion of the URL, `grunt-gh-pages` will write the token to a log file, unencrypted.\n\n\n## Recommendation\n\nUpdate to version 0.10.0 or later.",
"id": "GHSA-rrj3-qmh8-72pf",
"modified": "2022-08-03T23:53:09Z",
"published": "2019-02-18T23:39:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10526"
},
{
"type": "WEB",
"url": "https://github.com/tschaub/grunt-gh-pages/pull/41"
},
{
"type": "WEB",
"url": "https://github.com/tschaub/grunt-gh-pages/pull/41/commits/590f69767203d8c379fe18cded93bd5ad6cb53cb"
},
{
"type": "WEB",
"url": "https://github.com/tschaub/grunt-gh-pages/commit/2d277e3e969ccd4c2d493f3795400fa77e6b6342"
},
{
"type": "PACKAGE",
"url": "https://github.com/tschaub/grunt-gh-pages"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/85"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "grunt-gh-pages before 0.10.0 may allow unencrypted GitHub credentials to be written to a log file"
}
GHSA-V69H-29MG-RP95
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38xorg-x11-server before 1.19.5 was missing length validation in XFree86 DGA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2017-12181"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-24T15:29:00Z",
"severity": "CRITICAL"
},
"details": "xorg-x11-server before 1.19.5 was missing length validation in XFree86 DGA extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.",
"id": "GHSA-v69h-29mg-rp95",
"modified": "2022-05-13T01:38:13Z",
"published": "2022-05-13T01:38:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12181"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1509222"
},
{
"type": "WEB",
"url": "https://cgit.freedesktop.org/xorg/xserver/commit/?id=1b1d4c04695dced2463404174b50b3581dbd857b"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201711-05"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4000"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X4FF-3F7V-Q327
Vulnerability from github – Published: 2022-01-20 00:02 – Updated: 2022-01-29 00:01An Unchecked Error Condition vulnerability in the subscriber management daemon (smgd) of Juniper Networks Junos OS allows an unauthenticated adjacent attacker to cause a crash of and thereby a Denial of Service (DoS). In a subscriber management / broadband edge environment if a single session group configuration contains dual-stack and a pp0 interface, smgd will crash and restart every time a PPPoE client sends a specific message. This issue affects Juniper Networks Junos OS on MX Series: 16.1 version 16.1R1 and later versions prior to 18.4R3-S10; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S3; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S2; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 16.1R1.
{
"affected": [],
"aliases": [
"CVE-2022-22160"
],
"database_specific": {
"cwe_ids": [
"CWE-391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-19T01:15:00Z",
"severity": "MODERATE"
},
"details": "An Unchecked Error Condition vulnerability in the subscriber management daemon (smgd) of Juniper Networks Junos OS allows an unauthenticated adjacent attacker to cause a crash of and thereby a Denial of Service (DoS). In a subscriber management / broadband edge environment if a single session group configuration contains dual-stack and a pp0 interface, smgd will crash and restart every time a PPPoE client sends a specific message. This issue affects Juniper Networks Junos OS on MX Series: 16.1 version 16.1R1 and later versions prior to 18.4R3-S10; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S3; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S2; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 16.1R1.",
"id": "GHSA-x4ff-3f7v-q327",
"modified": "2022-01-29T00:01:21Z",
"published": "2022-01-20T00:02:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22160"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11268"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XCPR-7MR4-H4XQ
Vulnerability from github – Published: 2024-11-18 12:30 – Updated: 2025-11-03 21:31Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.96"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.30"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.0-M26"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52316"
],
"database_specific": {
"cwe_ids": [
"CWE-391",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-18T23:48:03Z",
"nvd_published_at": "2024-11-18T12:15:18Z",
"severity": "CRITICAL"
},
"details": "Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC)\u00a0ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta\u00a0Authentication components that behave in this way.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100.\n\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.",
"id": "GHSA-xcpr-7mr4-h4xq",
"modified": "2025-11-03T21:31:37Z",
"published": "2024-11-18T12:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52316"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/6d097a66746635df6880fe7662a792156b0eca14"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/7532f9dc4a8c37ec958f79dc82c4924a6c539223"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/acc2f01395f895980f5d8a64573fcc1bade13369"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250124-0003"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/11/18/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Tomcat - Authentication Bypass"
}
GHSA-XH78-Q5HH-9C6H
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38xorg-x11-server before 1.19.5 was missing length validation in XFree86 VidModeExtension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2017-12180"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-24T15:29:00Z",
"severity": "CRITICAL"
},
"details": "xorg-x11-server before 1.19.5 was missing length validation in XFree86 VidModeExtension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.",
"id": "GHSA-xh78-q5hh-9c6h",
"modified": "2022-05-13T01:38:13Z",
"published": "2022-05-13T01:38:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12180"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1509221"
},
{
"type": "WEB",
"url": "https://cgit.freedesktop.org/xorg/xserver/commit/?id=1b1d4c04695dced2463404174b50b3581dbd857b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201711-05"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4000"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XQJX-GG86-XXX4
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38xorg-x11-server before 1.19.5 was missing length validation in RENDER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2017-12187"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-391"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-24T15:29:00Z",
"severity": "CRITICAL"
},
"details": "xorg-x11-server before 1.19.5 was missing length validation in RENDER extension allowing malicious X client to cause X server to crash or possibly execute arbitrary code.",
"id": "GHSA-xqjx-gg86-xxx4",
"modified": "2022-05-13T01:38:11Z",
"published": "2022-05-13T01:38:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12187"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1509217"
},
{
"type": "WEB",
"url": "https://cgit.freedesktop.org/xorg/xserver/commit/?id=cad5a1050b7184d828aef9c1dd151c3ab649d37e"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4000"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
The choice between a language which has named or unnamed exceptions needs to be done. While unnamed exceptions exacerbate the chance of not properly dealing with an exception, named exceptions suffer from the up call version of the weak base class problem.
Mitigation
A language can be used which requires, at compile time, to catch all serious exceptions. However, one must make sure to use the most current version of the API as new exceptions could be added.
Mitigation
Catch all relevant exceptions. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment.
No CAPEC attack patterns related to this CWE.