CWE-755
DiscouragedImproper Handling of Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not handle or incorrectly handles an exceptional condition.
686 vulnerabilities reference this CWE, most recent first.
GHSA-58P8-F8CP-3H6P
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42Improper check or handling of exceptional conditions in LOGITEC LAN-W300N/PR5B allows a remote attacker to cause a denial-of-service (DoS) condition by sending a specially crafted URL.
{
"affected": [],
"aliases": [
"CVE-2021-20637"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-12T07:15:00Z",
"severity": "MODERATE"
},
"details": "Improper check or handling of exceptional conditions in LOGITEC LAN-W300N/PR5B allows a remote attacker to cause a denial-of-service (DoS) condition by sending a specially crafted URL.",
"id": "GHSA-58p8-f8cp-3h6p",
"modified": "2022-05-24T17:42:03Z",
"published": "2022-05-24T17:42:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20637"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN96783542/index.html"
},
{
"type": "WEB",
"url": "https://www.elecom.co.jp/news/security/20210126-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-58QW-VFCJ-X2HG
Vulnerability from github – Published: 2024-02-15 09:30 – Updated: 2024-10-10 18:31Comarch ERP XL client is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification.
This issue affects ERP XL: from 2020.2.2 through 2023.2.
{
"affected": [],
"aliases": [
"CVE-2023-4537"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-15T09:15:33Z",
"severity": "HIGH"
},
"details": "Comarch ERP XL client is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification.\n\nThis issue affects ERP XL: from 2020.2.2 through 2023.2.",
"id": "GHSA-58qw-vfcj-x2hg",
"modified": "2024-10-10T18:31:07Z",
"published": "2024-02-15T09:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4537"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2024/02/CVE-2023-4537"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2023/02/CVE-2023-4537"
},
{
"type": "WEB",
"url": "https://cert.pl/posts/2024/02/CVE-2023-4537"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5CRP-9R3C-P9VR
Vulnerability from github – Published: 2022-06-22 15:08 – Updated: 2024-01-03 20:06Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial Of Service (DoS).
The serialization and deserialization path have different properties regarding the issue.
Deserializing methods (like JsonConvert.DeserializeObject) will process the input that results in burning the CPU, allocating memory, and consuming a thread of execution. Quite high nesting level (>10kk, or 9.5MB of {a:{a:{... input) is needed to achieve the latency over 10 seconds, depending on the hardware.
Serializing methods (like JsonConvert.Serialize or JObject.ToString) will throw StackOverFlow exception with the nesting level of around 20k.
To mitigate the issue one either need to update Newtonsoft.Json to 13.0.1 or set MaxDepth parameter in the JsonSerializerSettings. This can be done globally with the following statement. After that the parsing of the nested input will fail fast with Newtonsoft.Json.JsonReaderException:
JsonConvert.DefaultSettings = () => new JsonSerializerSettings { MaxDepth = 128 };
Repro code:
//Create a string representation of an highly nested object (JSON serialized)
int nRep = 25000;
string json = string.Concat(Enumerable.Repeat("{a:", nRep)) + "1" +
string.Concat(Enumerable.Repeat("}", nRep));
//Parse this object (leads to high CPU/RAM consumption)
var parsedJson = JsonConvert.DeserializeObject(json);
// Methods below all throw stack overflow with nRep around 20k and higher
// string a = parsedJson.ToString();
// string b = JsonConvert.SerializeObject(parsedJson);
Additional affected product and version information
The original statement about the problem only affecting IIS applications is misleading. Any application is affected, however the IIS has a behavior that stops restarting the instance after some time resulting in a harder-to-fix DoS.**
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Newtonsoft.Json"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "13.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21907"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-22T15:08:47Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial Of Service (DoS). \n\nThe serialization and deserialization path have different properties regarding the issue.\n\nDeserializing methods (like `JsonConvert.DeserializeObject`) will process the input that results in burning the CPU, allocating memory, and consuming a thread of execution. Quite high nesting level (\u003e10kk, or 9.5MB of `{a:{a:{...` input) is needed to achieve the latency over 10 seconds, depending on the hardware.\n\nSerializing methods (like `JsonConvert.Serialize` or `JObject.ToString`) will throw StackOverFlow exception with the nesting level of around 20k.\n\nTo mitigate the issue one either need to update Newtonsoft.Json to 13.0.1 or set `MaxDepth` parameter in the `JsonSerializerSettings`. This can be done globally with the following statement. After that the parsing of the nested input will fail fast with `Newtonsoft.Json.JsonReaderException`:\n\n``` \nJsonConvert.DefaultSettings = () =\u003e new JsonSerializerSettings { MaxDepth = 128 };\n```\n\nRepro code:\n```\n//Create a string representation of an highly nested object (JSON serialized)\nint nRep = 25000;\nstring json = string.Concat(Enumerable.Repeat(\"{a:\", nRep)) + \"1\" +\n string.Concat(Enumerable.Repeat(\"}\", nRep));\n\n//Parse this object (leads to high CPU/RAM consumption)\nvar parsedJson = JsonConvert.DeserializeObject(json);\n\n// Methods below all throw stack overflow with nRep around 20k and higher\n// string a = parsedJson.ToString();\n// string b = JsonConvert.SerializeObject(parsedJson);\n```\n\n### Additional affected product and version information\n**The original statement about the problem only affecting IIS applications is misleading.** Any application is affected, however the IIS has a behavior that stops restarting the instance after some time resulting in a harder-to-fix DoS.**",
"id": "GHSA-5crp-9r3c-p9vr",
"modified": "2024-01-03T20:06:36Z",
"published": "2022-06-22T15:08:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/JamesNK/Newtonsoft.Json/issues/2457"
},
{
"type": "WEB",
"url": "https://github.com/JamesNK/Newtonsoft.Json/pull/2462"
},
{
"type": "WEB",
"url": "https://github.com/JamesNK/Newtonsoft.Json/commit/7e77bbe1beccceac4fc7b174b53abfefac278b66"
},
{
"type": "WEB",
"url": "https://alephsecurity.com/2018/10/22/StackOverflowException"
},
{
"type": "WEB",
"url": "https://alephsecurity.com/vulns/aleph-2018004"
},
{
"type": "PACKAGE",
"url": "https://github.com/JamesNK/Newtonsoft.Json"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-DOTNET-NEWTONSOFTJSON-2774678"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Handling of Exceptional Conditions in Newtonsoft.Json"
}
GHSA-5FHF-CVQM-HG98
Vulnerability from github – Published: 2022-10-08 00:00 – Updated: 2022-10-12 19:00In wlan, there is a possible use after free due to an incorrect status check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07299425; Issue ID: ALPS07299425.
{
"affected": [],
"aliases": [
"CVE-2022-32590"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-07T20:15:00Z",
"severity": "MODERATE"
},
"details": "In wlan, there is a possible use after free due to an incorrect status check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07299425; Issue ID: ALPS07299425.",
"id": "GHSA-5fhf-cvqm-hg98",
"modified": "2022-10-12T19:00:40Z",
"published": "2022-10-08T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32590"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/October-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5FJ7-F8X3-Q2MC
Vulnerability from github – Published: 2022-04-22 00:24 – Updated: 2024-01-12 23:10simplesamlphp before 1.6.3 (squeeze) and before 1.8.2 (sid) incorrectly handles XML encryption which could allow remote attackers to decrypt or forge messages.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "simplesamlphp/simplesamlphp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2011-4625"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-12T23:10:19Z",
"nvd_published_at": "2019-11-06T15:15:00Z",
"severity": "HIGH"
},
"details": "simplesamlphp before 1.6.3 (squeeze) and before 1.8.2 (sid) incorrectly handles XML encryption which could allow remote attackers to decrypt or forge messages.",
"id": "GHSA-5fj7-f8x3-q2mc",
"modified": "2024-01-12T23:10:19Z",
"published": "2022-04-22T00:24:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4625"
},
{
"type": "PACKAGE",
"url": "https://github.com/simplesamlphp/simplesamlphp"
},
{
"type": "WEB",
"url": "https://github.com/simplesamlphp/simplesamlphp/blob/b3059c51a915910c6631fb2ee597c0fb6ad9162b/docs/simplesamlphp-changelog-1.x.md?plain=1#L1624"
},
{
"type": "WEB",
"url": "https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202330-1"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2011-4625"
},
{
"type": "WEB",
"url": "https://www.mageni.net/vulnerability/debian-security-advisory-dsa-2330-1-simplesamlphp-70545"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "simpleSAMLphp incorrectly handles XML encryption"
}
GHSA-5GJ6-WWJQ-FRJH
Vulnerability from github – Published: 2024-08-08 18:31 – Updated: 2024-08-08 18:31NVIDIA Jetson Linux contains a vulnerability in NvGPU where error handling paths in GPU MMU mapping code fail to clean up a failed mapping attempt. A successful exploit of this vulnerability may lead to denial of service, code execution, and escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2024-0108"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-08T17:15:18Z",
"severity": "HIGH"
},
"details": "NVIDIA Jetson Linux contains a vulnerability in NvGPU where error handling paths in GPU MMU mapping code fail to clean up a failed mapping attempt. A successful exploit of this vulnerability may lead to denial of service, code execution, and escalation of privileges.",
"id": "GHSA-5gj6-wwjq-frjh",
"modified": "2024-08-08T18:31:20Z",
"published": "2024-08-08T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0108"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5555"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5GPX-8GPR-WPJ2
Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-26 00:01A vulnerability in the AppNav-XE feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. This vulnerability is due to the incorrect handling of certain TCP segments. An attacker could exploit this vulnerability by sending a stream of crafted TCP traffic at a high rate through an interface of an affected device. That interface would need to have AppNav interception enabled. A successful exploit could allow the attacker to cause the device to reload.
{
"affected": [],
"aliases": [
"CVE-2022-20678"
],
"database_specific": {
"cwe_ids": [
"CWE-413",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-15T15:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the AppNav-XE feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. This vulnerability is due to the incorrect handling of certain TCP segments. An attacker could exploit this vulnerability by sending a stream of crafted TCP traffic at a high rate through an interface of an affected device. That interface would need to have AppNav interception enabled. A successful exploit could allow the attacker to cause the device to reload.",
"id": "GHSA-5gpx-8gpr-wpj2",
"modified": "2022-04-26T00:01:02Z",
"published": "2022-04-16T00:00:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20678"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5JVH-86Q2-FRFQ
Vulnerability from github – Published: 2022-06-08 00:00 – Updated: 2022-06-12 00:00Broadcasting Intent including the BluetoothDevice object without proper restriction of receivers in sendIntentSessionCompleted function of Bluetooth prior to SMR Jun-2022 Release 1 leaks MAC address of the connected Bluetooth device.
{
"affected": [],
"aliases": [
"CVE-2022-30724"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-07T18:15:00Z",
"severity": "MODERATE"
},
"details": "Broadcasting Intent including the BluetoothDevice object without proper restriction of receivers in sendIntentSessionCompleted function of Bluetooth prior to SMR Jun-2022 Release 1 leaks MAC address of the connected Bluetooth device.",
"id": "GHSA-5jvh-86q2-frfq",
"modified": "2022-06-12T00:00:47Z",
"published": "2022-06-08T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30724"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5Q4M-GGR9-2RQH
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:58An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.
{
"affected": [],
"aliases": [
"CVE-2019-9009"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-17T16:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.",
"id": "GHSA-5q4m-ggr9-2rqh",
"modified": "2024-04-04T01:58:03Z",
"published": "2022-05-24T16:56:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9009"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=12941\u0026token=50fabe3870c7bdc41701eb1799dddeec103de40c\u0026download="
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-255-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5QF9-CF9C-HJC6
Vulnerability from github – Published: 2026-06-08 15:33 – Updated: 2026-06-12 19:06When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.15.1"
},
"package": {
"ecosystem": "crates.io",
"name": "routinator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.15.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49235"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-755",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T19:06:16Z",
"nvd_published_at": "2026-06-08T15:16:48Z",
"severity": "HIGH"
},
"details": "When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.",
"id": "GHSA-5qf9-cf9c-hjc6",
"modified": "2026-06-12T19:06:16Z",
"published": "2026-06-08T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49235"
},
{
"type": "PACKAGE",
"url": "https://github.com/NLnetLabs/routinator"
},
{
"type": "WEB",
"url": "https://github.com/NLnetLabs/routinator/releases/tag/v0.15.2"
},
{
"type": "WEB",
"url": "https://www.nlnetlabs.nl/downloads/routinator/CVE-2026-49235.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Routinator crashes when encountering maliciously crafted RRDP XML files"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.