Common Weakness Enumeration

CWE-755

Discouraged

Improper Handling of Exceptional Conditions

Abstraction: Class · Status: Incomplete

The product does not handle or incorrectly handles an exceptional condition.

685 vulnerabilities reference this CWE, most recent first.

GHSA-PH7H-74XQ-935C

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30
VLAI
Details

IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to execute arbitrary code on the system, caused by a CSV injection. By persuading a victim to open a specially-crafted excel file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 176610.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4302"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-12T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to execute arbitrary code on the system, caused by a CSV injection. By persuading a victim to open a specially-crafted excel file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 176610.",
  "id": "GHSA-ph7h-74xq-935c",
  "modified": "2022-05-24T17:30:29Z",
  "published": "2022-05-24T17:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4302"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/176610"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6346922"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PRP9-Q697-6CF2

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-05-24 16:58
VLAI
Details

SSL-Proxy feature on SRX devices fails to handle a hardware resource limitation which can be exploited by remote SSL/TLS servers to crash the flowd daemon. Repeated crashes of the flowd daemon can result in an extended denial of service condition. For this issue to occur, clients protected by the SRX device must initiate a connection to the malicious server. This issue affects: Juniper Networks Junos OS on SRX5000 Series: 12.3X48 versions prior to 12.3X48-D85; 15.1X49 versions prior to 15.1X49-D180; 17.3 versions prior to 17.3R3-S7; 17.4 versions prior to 17.4R2-S6, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3; 18.3 versions prior to 18.3R2; 18.4 versions prior to 18.4R2; 19.1 versions prior to 19.1R2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "SSL-Proxy feature on SRX devices fails to handle a hardware resource limitation which can be exploited by remote SSL/TLS servers to crash the flowd daemon. Repeated crashes of the flowd daemon can result in an extended denial of service condition. For this issue to occur, clients protected by the SRX device must initiate a connection to the malicious server. This issue affects: Juniper Networks Junos OS on SRX5000 Series: 12.3X48 versions prior to 12.3X48-D85; 15.1X49 versions prior to 15.1X49-D180; 17.3 versions prior to 17.3R3-S7; 17.4 versions prior to 17.4R2-S6, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3; 18.3 versions prior to 18.3R2; 18.4 versions prior to 18.4R2; 19.1 versions prior to 19.1R2.",
  "id": "GHSA-prp9-q697-6cf2",
  "modified": "2022-05-24T16:58:11Z",
  "published": "2022-05-24T16:58:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0051"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA10973"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PV78-Q37W-R4JP

Vulnerability from github – Published: 2025-05-06 09:31 – Updated: 2025-05-06 09:31
VLAI
Details

Memory corruption during memory assignment to headless peripheral VM due to incorrect error code handling.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-390",
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-06T09:15:21Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption during memory assignment to headless peripheral VM due to incorrect error code handling.",
  "id": "GHSA-pv78-q37w-r4jp",
  "modified": "2025-05-06T09:31:33Z",
  "published": "2025-05-06T09:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49841"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2025-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVC4-6V97-6F49

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48
VLAI
Details

On Juniper Networks Junos OS platforms configured as DHCPv6 local server or DHCPv6 Relay Agent, the Juniper Networks Dynamic Host Configuration Protocol Daemon (JDHCPD) process might crash if a malformed DHCPv6 packet is received, resulting in a restart of the daemon. The daemon automatically restarts without intervention, but continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue only affects DHCPv6. DHCPv4 is not affected by this issue. This issue affects Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R1-S8, 18.4R3-S7; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R3-S2; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R2-S3, 20.2R3; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "On Juniper Networks Junos OS platforms configured as DHCPv6 local server or DHCPv6 Relay Agent, the Juniper Networks Dynamic Host Configuration Protocol Daemon (JDHCPD) process might crash if a malformed DHCPv6 packet is received, resulting in a restart of the daemon. The daemon automatically restarts without intervention, but continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue only affects DHCPv6. DHCPv4 is not affected by this issue. This issue affects Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R1-S8, 18.4R3-S7; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R3-S2; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R2-S3, 20.2R3; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R2.",
  "id": "GHSA-pvc4-6v97-6f49",
  "modified": "2022-05-24T17:48:12Z",
  "published": "2022-05-24T17:48:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0240"
    },
    {
      "type": "WEB",
      "url": "https://kb.juniper.net/JSA11168"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PVCH-4X5X-P3QC

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-10-21 19:01
VLAI
Details

In OSIsoft PI System multiple products and versions, a remote, unauthenticated attacker could crash PI Network Manager service through specially crafted requests. This can result in blocking connections and queries to PI Data Archive.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-10604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-25T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "In OSIsoft PI System multiple products and versions, a remote, unauthenticated attacker could crash PI Network Manager service through specially crafted requests. This can result in blocking connections and queries to PI Data Archive.",
  "id": "GHSA-pvch-4x5x-p3qc",
  "modified": "2022-10-21T19:01:12Z",
  "published": "2022-05-24T17:24:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10604"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-133-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVQ5-77H5-RGW5

Vulnerability from github – Published: 2022-12-25 00:30 – Updated: 2022-12-31 00:30
VLAI
Details

Brave Browser before 1.42.51 allowed a remote attacker to cause a denial of service via a crafted HTML file that references the IPFS scheme. This vulnerability is caused by an uncaught exception in the function ipfs::OnBeforeURLRequest_IPFSRedirectWork() in ipfs_redirect_network_delegate_helper.cc.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-24T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Brave Browser before 1.42.51 allowed a remote attacker to cause a denial of service via a crafted HTML file that references the IPFS scheme. This vulnerability is caused by an uncaught exception in the function ipfs::OnBeforeURLRequest_IPFSRedirectWork() in ipfs_redirect_network_delegate_helper.cc.",
  "id": "GHSA-pvq5-77h5-rgw5",
  "modified": "2022-12-31T00:30:23Z",
  "published": "2022-12-25T00:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47933"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brave/brave-browser/issues/23646"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brave/brave-browser/issues/24378"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brave/brave-core/pull/13989"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brave/brave-core/commit/7ef8cb2f232abdf59ec9c3c99a086a14b972bc56"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1610343"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWFR-8PQ7-X9QV

Vulnerability from github – Published: 2023-12-16 00:52 – Updated: 2023-12-16 00:52
VLAI
Summary
Unauthenticated Denial of Service in the octokit/webhooks library
Details

Impact

Versions v9.26.0, v10.9.x), v11.1.x, v12.0.x all contained the code that would throw the error.

Specifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.

The problem is caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases.

Credit goes to @pb82 (for the early analysis) and @rh-tguittet (for discovery).

Patches

Maintenance releases for the Error being thrown by the verify method in octokit/webhooks.js * v12 - v12.0.4 * v11 - v11.1.2 * v10 -v10.9.2 * v9 - v9.26.3

Maintenance release for the reference for octokit/webhooks.js in app.js * v14.0.2

Maintenance release for the reference for octokit/webhooks.js in octokit.js * v3.1.2

Maintenance release for the reference for octokit/webhooks.js in Protobot * v12.3.3

Workarounds

It is recommend that all users upgrade to the latest version of octokit/webhooks.js or use one of the updated back ported versions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/webhooks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.26.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/webhooks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/webhooks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/webhooks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.1"
            },
            {
              "fixed": "14.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "14.0.1"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "octokit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "probot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-16T00:52:19Z",
    "nvd_published_at": "2023-12-15T22:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nVersions [v9.26.0](https://github.com/octokit/webhooks.js/releases/tag/v9.26.0), [v10.9.x](https://github.com/octokit/webhooks.js/releases/tag/v10.9.1)), [v11.1.x](https://github.com/octokit/webhooks.js/releases/tag/v11.1.1), [v12.0.x](https://github.com/octokit/webhooks.js/releases/tag/v12.0.3) all contained the code that would throw the error.\n\nSpecifically, during a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building Github Apps). The resulting request was found to cause an uncaught exception that ends the nodejs process.\n\nThe problem is caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases.\n\nCredit goes to @pb82 (for the early analysis) and @rh-tguittet (for discovery). \n\n### Patches\n\nMaintenance releases for the Error being thrown by the verify method in [octokit/webhooks.js](https://github.com/octokit/webhooks.js)\n* v12 - [v12.0.4](https://github.com/octokit/webhooks.js/releases/tag/v12.0.4)\n* v11 - [v11.1.2](https://github.com/octokit/webhooks.js/releases/tag/v11.1.2)\n* v10 -[v10.9.2](https://github.com/octokit/webhooks.js/releases/tag/v10.9.2)\n* v9 - [v9.26.3](https://github.com/octokit/webhooks.js/releases/tag/v9.26.3)\n\nMaintenance release for the reference for [octokit/webhooks.js](https://github.com/octokit/webhooks.js) in [app.js](https://github.com/octokit/app.js)\n* [v14.0.2](https://github.com/octokit/app.js/releases/tag/v14.0.2)\n\nMaintenance release for the reference for [octokit/webhooks.js](https://github.com/octokit/webhooks.js) in [octokit.js](https://github.com/octokit/octokit.js)\n* [v3.1.2](https://github.com/octokit/octokit.js/releases/tag/v3.1.2)\n\nMaintenance release for the reference for [octokit/webhooks.js](https://github.com/octokit/webhooks.js) in [Protobot](https://github.com/probot/probot)\n* [v12.3.3](https://github.com/probot/probot/releases/tag/v12.3.3)\n\n\n### Workarounds\nIt is recommend that all users upgrade to the latest version of  [octokit/webhooks.js](https://github.com/octokit/webhooks.js) or use one of the updated back ported versions.\n\n",
  "id": "GHSA-pwfr-8pq7-x9qv",
  "modified": "2023-12-16T00:52:19Z",
  "published": "2023-12-16T00:52:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octokit/webhooks.js/security/advisories/GHSA-pwfr-8pq7-x9qv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50728"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/app.js/releases/tag/v14.0.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/octokit.js/releases/tag/v3.1.2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octokit/webhooks.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v10.9.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v11.1.2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v12.0.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/webhooks.js/releases/tag/v9.26.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/probot/probot/releases/tag/v12.3.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthenticated Denial of Service in the octokit/webhooks library"
}

GHSA-PWFW-MGFJ-7G3G

Vulnerability from github – Published: 2019-10-08 16:30 – Updated: 2024-09-20 16:47
VLAI
Summary
ecdsa Denial of Service vulnerability in signature verification and signature malleability
Details

possible DoS in signature verification and signature malleability

Impact

Code using VerifyingKey.verify() and VerifyingKey.verify_digest() may receive exceptions other than the documented BadSignatureError when signatures are malformed. If those other exceptions are not caught, they may lead to program termination and thus Denial of Service

Code using VerifyingKey.verify() and VerifyingKey.verify_digest() with sigdecode option using ecdsa.util.sigdecode_der will accept signatures even if they are not properly formatted DER. This makes the signatures malleable. It impacts only applications that later sign the signatures or verify signatures of signatures, e.g. Bitcoin.

All versions between 0.5 and 0.13.2 (inclusive) are thought to be vulnerable. Code before 0.5 may be vulnerable but didn't receive extended analysis to rule this issue out.

Patches

The patches have been merged to master branch in https://github.com/warner/python-ecdsa/pull/115. The backported patches for a release in the 0.13 branch are in https://github.com/warner/python-ecdsa/pull/124

They are part of the 0.13.3 release.

There are no plans to backport them to earlier releases.

Workarounds

It may be possible to prevent the Denial of Service by catching also UnexpectedDER, IndexError and AssertionError exceptions. That list hasn't been verified to be complete though. If those exceptions are raised, the signature verification process should consider the signature to be invalid.

To remediate signature malleability and the Denial of Service vulnerability, it may be possible to first verify that the signature is properly DER formatted ECDSA-Sig-Value, as defined in RFC3279, before passing it to verify() or verify_digest() methods. If the signature is determined to not follow the DER or encode a different structure, the signature verification process should consider the signature to be invalid.

References

https://en.bitcoinwiki.org/wiki/Transaction_Malleability

For more information

If you have any questions or comments about this advisory please open an issue in python-ecdsa project.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ecdsa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-14853"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-391",
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:41:53Z",
    "nvd_published_at": "2019-11-26T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "## possible DoS in signature verification and signature malleability \n\n### Impact\nCode using `VerifyingKey.verify()` and `VerifyingKey.verify_digest()` may receive exceptions other than the documented `BadSignatureError` when signatures are malformed. If those other exceptions are not caught, they may lead to program termination and thus Denial of Service\n\nCode using `VerifyingKey.verify()` and `VerifyingKey.verify_digest()` with `sigdecode` option using `ecdsa.util.sigdecode_der` will accept signatures even if they are not properly formatted DER. This makes the signatures malleable. It impacts only applications that later sign the signatures or verify signatures of signatures, e.g. Bitcoin.\n\nAll versions between 0.5 and 0.13.2 (inclusive) are thought to be vulnerable. Code before 0.5 may be vulnerable but didn\u0027t receive extended analysis to rule this issue out.\n\n### Patches\nThe patches have been merged to `master` branch in https://github.com/warner/python-ecdsa/pull/115.\nThe backported patches for a release in the 0.13 branch are in https://github.com/warner/python-ecdsa/pull/124\n\nThey are part of the 0.13.3 release.\n\nThere are no plans to backport them to earlier releases.\n\n### Workarounds\nIt may be possible to prevent the Denial of Service by catching also `UnexpectedDER`, `IndexError` and `AssertionError` exceptions. That list hasn\u0027t been verified to be complete though. If those exceptions are raised, the signature verification process should consider the signature to be invalid.\n\nTo remediate signature malleability and the Denial of Service vulnerability, it may be possible to first verify that the signature is properly DER formatted ECDSA-Sig-Value, as defined in [RFC3279](https://tools.ietf.org/html/rfc3279), before passing it to `verify()` or `verify_digest()` methods. If the signature is determined to not follow the DER or encode a different structure, the signature verification process should consider the signature to be invalid.\n\n### References\nhttps://en.bitcoinwiki.org/wiki/Transaction_Malleability\n\n### For more information\nIf you have any questions or comments about this advisory please open an issue in [python-ecdsa](https://github.com/warner/python-ecdsa/issues) project.\n",
  "id": "GHSA-pwfw-mgfj-7g3g",
  "modified": "2024-09-20T16:47:14Z",
  "published": "2019-10-08T16:30:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/warner/python-ecdsa/security/advisories/GHSA-pwfw-mgfj-7g3g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14853"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14853"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ecdsa/PYSEC-2019-177.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/warner/python-ecdsa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/Dec/33"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4588"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ecdsa Denial of Service vulnerability in signature verification and signature malleability"
}

GHSA-PWW6-PFX4-8P5C

Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06
VLAI
Details

A maliciously crafted DWG file can be used to write beyond the allocated buffer while parsing DWG files. The vulnerability exists because the application fails to handle a crafted DWG file, which causes an unhandled exception. An attacker can leverage this vulnerability to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-25T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "A maliciously crafted DWG file can be used to write beyond the allocated buffer while parsing DWG files. The vulnerability exists because the application fails to handle a crafted DWG file, which causes an unhandled exception. An attacker can leverage this vulnerability to execute arbitrary code.",
  "id": "GHSA-pww6-pfx4-8p5c",
  "modified": "2022-05-24T19:06:19Z",
  "published": "2022-05-24T19:06:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27042"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0007"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-446"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PX2P-9R77-W9CQ

Vulnerability from github – Published: 2024-11-22 12:39 – Updated: 2024-11-22 12:39
VLAI
Details

A potential security vulnerability has been identified in the HPE NonStop DISK UTIL (T9208) product. This vulnerability could be exploited to cause a denial of service (DoS) to NonStop server. It exists in all prior DISK UTIL product versions of L-series and J-series.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-51766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T12:15:19Z",
    "severity": "MODERATE"
  },
  "details": "A potential security vulnerability has been identified in the HPE NonStop DISK UTIL (T9208) product. This vulnerability could be exploited to cause a denial of service (DoS) to NonStop server. It exists in all prior DISK UTIL product versions of L-series and J-series.",
  "id": "GHSA-px2p-9r77-w9cq",
  "modified": "2024-11-22T12:39:09Z",
  "published": "2024-11-22T12:39:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51766"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbns04759en_us\u0026docLocale=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.