CWE-754
Allowed-with-ReviewImproper Check for Unusual or Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
905 vulnerabilities reference this CWE, most recent first.
GHSA-GV5R-5X6R-P8J8
Vulnerability from github – Published: 2023-12-12 12:30 – Updated: 2023-12-12 12:30A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). Affected software does not correctly validate the response received by an UMC server. An attacker can use this to crash the affected software by providing and configuring a malicious UMC server or by manipulating the traffic from a legitimate UMC server (i.e. leveraging CVE-2023-48427).
{
"affected": [],
"aliases": [
"CVE-2023-48431"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T12:15:15Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SINEC INS (All versions \u003c V1.0 SP2 Update 2). Affected software does not correctly validate the response received by an UMC server. An attacker can use this to crash the affected software by providing and configuring a malicious UMC server or by manipulating the traffic from a legitimate UMC server (i.e. leveraging CVE-2023-48427).",
"id": "GHSA-gv5r-5x6r-p8j8",
"modified": "2023-12-12T12:30:54Z",
"published": "2023-12-12T12:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48431"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-077170.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GVW6-PHVJ-CHMF
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2022-09-04 00:00A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in BMXNOR0200H Ethernet / Serial RTU module (all firmware versions), which could cause disconnection of active connections when an unusually high number of IEC 60870- 5-104 packets are received by the module on port 2404/TCP.
{
"affected": [],
"aliases": [
"CVE-2019-6831"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-17T20:15:00Z",
"severity": "HIGH"
},
"details": "A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in BMXNOR0200H Ethernet / Serial RTU module (all firmware versions), which could cause disconnection of active connections when an unusually high number of IEC 60870- 5-104 packets are received by the module on port 2404/TCP.",
"id": "GHSA-gvw6-phvj-chmf",
"modified": "2022-09-04T00:00:23Z",
"published": "2022-05-24T16:56:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6831"
},
{
"type": "WEB",
"url": "https://security.cse.iitk.ac.in/responsible-disclosure"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/en/download/document/SEVD-2019-225-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GVW8-8FQ4-QMW5
Vulnerability from github – Published: 2023-04-18 00:32 – Updated: 2024-04-04 03:31An Unexpected Status Code or Return Value vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated attacker with physical access to the device to cause a Denial of Service (DoS). When certain USB devices are connected to a USB port of the routing-engine (RE), the kernel will crash leading to a reboot of the device. The device will continue to crash as long as the USB device is connected. This issue affects Juniper Networks Junos OS: All versions prior to 19.4R3-S10; 20.2 versions prior to 20.2R3-S7; 20.3 versions prior to 20.3R3-S6; 20.4 versions prior to 20.4R3-S5; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S4; 21.3 versions prior to 21.3R3-S3; 21.4 versions prior to 21.4R3-S2; 22.1 versions prior to 22.1R2-S2, 22.1R3; 22.2 versions prior to 22.2R2, 22.2R3; 22.3 versions prior to 22.3R1-S1, 22.3R2; 22.4 versions prior to 22.4R2.
{
"affected": [],
"aliases": [
"CVE-2023-28975"
],
"database_specific": {
"cwe_ids": [
"CWE-394",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-17T22:15:09Z",
"severity": "MODERATE"
},
"details": "An Unexpected Status Code or Return Value vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated attacker with physical access to the device to cause a Denial of Service (DoS). When certain USB devices are connected to a USB port of the routing-engine (RE), the kernel will crash leading to a reboot of the device. The device will continue to crash as long as the USB device is connected. This issue affects Juniper Networks Junos OS: All versions prior to 19.4R3-S10; 20.2 versions prior to 20.2R3-S7; 20.3 versions prior to 20.3R3-S6; 20.4 versions prior to 20.4R3-S5; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S4; 21.3 versions prior to 21.3R3-S3; 21.4 versions prior to 21.4R3-S2; 22.1 versions prior to 22.1R2-S2, 22.1R3; 22.2 versions prior to 22.2R2, 22.2R3; 22.3 versions prior to 22.3R1-S1, 22.3R2; 22.4 versions prior to 22.4R2.",
"id": "GHSA-gvw8-8fq4-qmw5",
"modified": "2024-04-04T03:31:39Z",
"published": "2023-04-18T00:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28975"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA70600"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GW7X-G9XX-WMM2
Vulnerability from github – Published: 2026-03-24 15:30 – Updated: 2026-06-30 03:35Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, and Firefox ESR < 140.9.
{
"affected": [],
"aliases": [
"CVE-2026-4687"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-501",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T13:16:04Z",
"severity": "HIGH"
},
"details": "Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability affects Firefox \u003c 149, Firefox ESR \u003c 115.34, and Firefox ESR \u003c 140.9.",
"id": "GHSA-gw7x-g9xx-wmm2",
"modified": "2026-06-30T03:35:58Z",
"published": "2026-03-24T15:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4687"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5930"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8287"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8288"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8289"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8290"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8315"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8427"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8850"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-4687"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016368"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450757"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4687.json"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-21"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-22"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-23"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-24"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5931"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:5932"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6188"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6342"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:6917"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7837"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7838"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7839"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7840"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7841"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7842"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7843"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7845"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8284"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8285"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:8286"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GWCX-JRX4-92W2
Vulnerability from github – Published: 2022-02-09 23:32 – Updated: 2024-11-13 22:16Impact
The simplifyBroadcast function in the MLIR-TFRT infrastructure in TensorFlow is vulnerable to a segfault (hence, denial of service), if called with scalar shapes.
size_t maxRank = 0;
for (auto shape : llvm::enumerate(shapes)) {
auto found_shape = analysis.dimensionsForShapeTensor(shape.value());
if (!found_shape) return {};
shapes_found.push_back(*found_shape);
maxRank = std::max(maxRank, found_shape->size());
}
SmallVector<const ShapeComponentAnalysis::SymbolicDimension*>
joined_dimensions(maxRank);
If all shapes are scalar, then maxRank is 0, so we build an empty SmallVector.
Patches
We have patched the issue in GitHub commit 35f0fabb4c178253a964d7aabdbb15c6a398b69a.
The fix will be included in TensorFlow 2.8.0. This is the only affected version.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0-rc0"
},
{
"fixed": "2.8.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.8.0-rc0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0-rc0"
},
{
"fixed": "2.8.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.8.0-rc0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0-rc0"
},
{
"fixed": "2.8.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.8.0-rc0"
]
}
],
"aliases": [
"CVE-2022-23593"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-04T18:15:07Z",
"nvd_published_at": "2022-02-04T23:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe [`simplifyBroadcast` function in the MLIR-TFRT infrastructure in TensorFlow](https://github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/compiler/mlir/tfrt/jit/transforms/tf_cpurt_symbolic_shape_optimization.cc#L149-L205) is vulnerable to a segfault (hence, denial of service), if called with scalar shapes.\n\n```cc \n size_t maxRank = 0;\n for (auto shape : llvm::enumerate(shapes)) {\n auto found_shape = analysis.dimensionsForShapeTensor(shape.value());\n if (!found_shape) return {};\n shapes_found.push_back(*found_shape);\n maxRank = std::max(maxRank, found_shape-\u003esize());\n } \n\n SmallVector\u003cconst ShapeComponentAnalysis::SymbolicDimension*\u003e\n joined_dimensions(maxRank);\n```\n\nIf all shapes are scalar, then `maxRank` is 0, so we build an empty `SmallVector`.\n\n### Patches\nWe have patched the issue in GitHub commit [35f0fabb4c178253a964d7aabdbb15c6a398b69a](https://github.com/tensorflow/tensorflow/commit/35f0fabb4c178253a964d7aabdbb15c6a398b69a).\n\nThe fix will be included in TensorFlow 2.8.0. This is the only affected version.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.",
"id": "GHSA-gwcx-jrx4-92w2",
"modified": "2024-11-13T22:16:35Z",
"published": "2022-02-09T23:32:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-gwcx-jrx4-92w2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23593"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/35f0fabb4c178253a964d7aabdbb15c6a398b69a"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-102.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-157.yaml"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/274df9b02330b790aa8de1cee164b70f72b9b244/tensorflow/compiler/mlir/tfrt/jit/transforms/tf_cpurt_symbolic_shape_optimization.cc#L149-L205"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Segfault in `simplifyBroadcast` in Tensorflow"
}
GHSA-GX29-8G9G-89W4
Vulnerability from github – Published: 2024-05-02 18:30 – Updated: 2024-05-02 18:30The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'fea_encrypt' function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user processing forms, which can be used to add and edit administrator user for privilege escalation, or to automatically log in users for authentication bypass, or manipulate the post processing form that can be used to inject arbitrary web scripts. This can only be exploited if the 'openssl' php extension is not loaded on the server.
{
"affected": [],
"aliases": [
"CVE-2024-3729"
],
"database_specific": {
"cwe_ids": [
"CWE-636",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-02T17:15:30Z",
"severity": "CRITICAL"
},
"details": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the \u0027fea_encrypt\u0027 function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user processing forms, which can be used to add and edit administrator user for privilege escalation, or to automatically log in users for authentication bypass, or manipulate the post processing form that can be used to inject arbitrary web scripts. This can only be exploited if the \u0027openssl\u0027 php extension is not loaded on the server.",
"id": "GHSA-gx29-8g9g-89w4",
"modified": "2024-05-02T18:30:55Z",
"published": "2024-05-02T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3729"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.18.15/main/helpers.php#L617"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3073379/acf-frontend-form-element#file4"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2d22c5d-5ef5-4920-a1b5-e8284394c7e8?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GX38-8H33-PMXR
Vulnerability from github – Published: 2026-04-14 20:00 – Updated: 2026-04-24 20:35Summary
A fail-open request handling flaw in the UDR service causes the /nudr-dr/v2/policy-data/subs-to-notify/{subsId} PUT handler to continue processing requests even after request body retrieval or deserialization errors.
This may allow unintended modification of existing Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior.
Details
The endpoint PUT /nudr-dr/v2/policy-data/subs-to-notify/{subsId} is intended to update an existing Policy Data notification subscription only after the HTTP request body has been successfully read and parsed into a valid PolicyDataSubscription object. [file:93]
In the free5GC UDR implementation, the function HandlePolicyDataSubsToNotifySubsIdPut inNFs/udr/internal/sbi/api_datarepository.go does not terminate execution after input-processing failures. [file:93]
The request flow is:
- The handler calls
c.GetRawData()to read the HTTP request body. [file:93] - If
GetRawData()fails, the handler sends an HTTP 500 error response, but does not return. [file:93] - The handler then calls
openapi.Deserialize(policyDataSubscription, reqBody, "application/json"). [file:93] - If deserialization fails, the handler sends an HTTP 400 error response, but again does not return. [file:93]
- Execution continues and the handler still invokes
s.Processor().PolicyDataSubsToNotifySubsIdPutProcedure(c, subsId, policyDataSubscription). [file:93]
As a result, the endpoint operates in a fail-open manner: request processing may continue after fatal input validation or body handling errors, instead of being safely aborted. [file:93]
The issue is compounded by the handler's deserialization call, which passes policyDataSubscription directly to openapi.Deserialize(...) instead of passing a pointer to the destination object. This inconsistent usage further increases the risk that request processing continues with an empty, partially initialized, or otherwise unintended subscription object. [file:93]
This differs from safer handlers in the same file, which use a helper pattern that explicitly returns on body read or deserialization failure before calling the corresponding processor routine. [file:93]
Security Impact
This issue affects a write-capable API that updates Policy Data notification subscriptions identified by subsId. [file:93]
Because execution continues after body read or parsing failure, the processor may receive an uninitialized, partially initialized, or otherwise unintended PolicyDataSubscription object for persistence. [file:93]
The exact runtime impact depends on downstream processor behavior and storage validation. [file:93]
At minimum, this is a security-relevant robustness flaw that can lead to inconsistent request handling or unintended modification attempts; under certain runtime conditions it may allow updates that should not be processed after an input error. [file:93]
Reproduction Status
The code path has been statically confirmed. [file:93] A complete runtime proof of unintended subscription modification after
GetRawData() or deserialization failure has not yet been established. [file:93]
Patch
The handler should immediately terminate after sending an error response for body read or deserialization failure. [file:93]
A minimal fix is to add missing return statements in HandlePolicyDataSubsToNotifySubsIdPut and pass a pointer to the destination
object during deserialization: [file:93]
reqBody, err := c.GetRawData()
if err != nil {
logger.DataRepoLog.Errorf("Get Request Body error: %+v", err)
pd := openapi.ProblemDetailsSystemFailure(err.Error())
c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
c.JSON(http.StatusInternalServerError, pd)
return
}
err = openapi.Deserialize(&policyDataSubscription, reqBody, "application/json")
if err != nil {
logger.DataRepoLog.Errorf("Deserialize Request Body error: %+v", err)
pd := util.ProblemDetailsMalformedReqSyntax(err.Error())
c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
c.JSON(http.StatusBadRequest, pd)
return
}
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/free5gc/udr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40249"
],
"database_specific": {
"cwe_ids": [
"CWE-636",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T20:00:59Z",
"nvd_published_at": "2026-04-16T22:16:38Z",
"severity": "MODERATE"
},
"details": "### Summary\nA fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify/{subsId}` PUT handler to continue processing requests even after request body retrieval or deserialization errors.\n\nThis may allow unintended modification of existing Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior.\n\n### Details\nThe endpoint `PUT /nudr-dr/v2/policy-data/subs-to-notify/{subsId}` is intended to update an existing Policy Data notification subscription only after the HTTP request body has been successfully read and parsed into a valid `PolicyDataSubscription` object. [file:93]\n\nIn the free5GC UDR implementation, the function `HandlePolicyDataSubsToNotifySubsIdPut` in`NFs/udr/internal/sbi/api_datarepository.go` does not terminate execution after input-processing failures. [file:93]\n\nThe request flow is:\n\n1. The handler calls `c.GetRawData()` to read the HTTP request body. [file:93]\n2. If `GetRawData()` fails, the handler sends an HTTP 500 error response, but **does not return**. [file:93]\n3. The handler then calls `openapi.Deserialize(policyDataSubscription, reqBody, \"application/json\")`. [file:93]\n4. If deserialization fails, the handler sends an HTTP 400 error response, but again **does not return**. [file:93]\n5. Execution continues and the handler still invokes `s.Processor().PolicyDataSubsToNotifySubsIdPutProcedure(c, subsId, policyDataSubscription)`. [file:93]\n\nAs a result, the endpoint operates in a fail-open manner: request processing may continue after fatal input validation or body handling errors, instead of being safely aborted. [file:93]\n\nThe issue is compounded by the handler\u0027s deserialization call, which passes `policyDataSubscription` directly to `openapi.Deserialize(...)` instead of passing a pointer to the destination object. This inconsistent usage further increases the risk that request processing continues with an empty, partially initialized, or otherwise unintended subscription object. [file:93]\n\nThis differs from safer handlers in the same file, which use a helper pattern that explicitly returns on body read or deserialization failure before calling the corresponding processor routine. [file:93]\n\n### Security Impact\nThis issue affects a write-capable API that updates Policy Data notification subscriptions identified by `subsId`. [file:93] \nBecause execution continues after body read or parsing failure, the processor may receive an uninitialized, partially initialized, or otherwise unintended `PolicyDataSubscription` object for persistence. [file:93]\n\nThe exact runtime impact depends on downstream processor behavior and storage validation. [file:93] \nAt minimum, this is a security-relevant robustness flaw that can lead to inconsistent request handling or unintended modification attempts; under certain runtime conditions it may allow updates that should not be processed after an input error. [file:93]\n\n### Reproduction Status\nThe code path has been statically confirmed. [file:93] A complete runtime proof of unintended subscription modification after\n`GetRawData()` or deserialization failure has not yet been established. [file:93]\n\n### Patch\nThe handler should immediately terminate after sending an error response for body read or deserialization failure. [file:93]\n\nA minimal fix is to add missing `return` statements in `HandlePolicyDataSubsToNotifySubsIdPut` and pass a pointer to the destination\nobject during deserialization: [file:93]\n\n```go\nreqBody, err := c.GetRawData()\nif err != nil {\n logger.DataRepoLog.Errorf(\"Get Request Body error: %+v\", err)\n pd := openapi.ProblemDetailsSystemFailure(err.Error())\n c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)\n c.JSON(http.StatusInternalServerError, pd)\n return\n}\n\nerr = openapi.Deserialize(\u0026policyDataSubscription, reqBody, \"application/json\")\nif err != nil {\n logger.DataRepoLog.Errorf(\"Deserialize Request Body error: %+v\", err)\n pd := util.ProblemDetailsMalformedReqSyntax(err.Error())\n c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)\n c.JSON(http.StatusBadRequest, pd)\n return\n}\n```",
"id": "GHSA-gx38-8h33-pmxr",
"modified": "2026-04-24T20:35:11Z",
"published": "2026-04-14T20:00:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-gx38-8h33-pmxr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40249"
},
{
"type": "PACKAGE",
"url": "https://github.com/free5gc/udr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "free5gc UDR fail-open request handling in PolicyDataSubsToNotifySubsIdPut may allow unintended subscription updates after input errors"
}
GHSA-GXXV-QG6G-737Q
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:43A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack only while running in off-line mode. This vulnerability does not exist in Triconex hardware products and therefore has no effect on the operating safety functions in a plant.
{
"affected": [],
"aliases": [
"CVE-2018-7803"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-22T21:29:00Z",
"severity": "MODERATE"
},
"details": "A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack only while running in off-line mode. This vulnerability does not exist in Triconex hardware products and therefore has no effect on the operating safety functions in a plant.",
"id": "GHSA-gxxv-qg6g-737q",
"modified": "2024-04-04T00:43:17Z",
"published": "2022-05-24T16:46:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7803"
},
{
"type": "WEB",
"url": "https://www.schneider-electric.com/ww/en/download/document/SEVD-2019-071-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H2JP-R7HC-H3MC
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2022-05-24 16:45An exploitable denial-of-service vulnerability exists in the XML_GetScreen Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted set of packets can cause an invalid memory dereference, resulting in a device reboot.
{
"affected": [],
"aliases": [
"CVE-2018-4026"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-13T16:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable denial-of-service vulnerability exists in the XML_GetScreen Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted set of packets can cause an invalid memory dereference, resulting in a device reboot.",
"id": "GHSA-h2jp-r7hc-h3mc",
"modified": "2022-05-24T16:45:32Z",
"published": "2022-05-24T16:45:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4026"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0698"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H2PJ-W259-MFCV
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).
{
"affected": [],
"aliases": [
"CVE-2020-28037"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-02T21:15:00Z",
"severity": "CRITICAL"
},
"details": "is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation).",
"id": "GHSA-h2pj-w259-mfcv",
"modified": "2022-05-24T17:33:01Z",
"published": "2022-05-24T17:33:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28037"
},
{
"type": "WEB",
"url": "https://github.com/WordPress/wordpress-develop/commit/2ca15d1e5ce70493c5c0c096ca0c76503d6da07c"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y"
},
{
"type": "WEB",
"url": "https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/10450"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4784"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation
Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.
No CAPEC attack patterns related to this CWE.