VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 122 of 401
  • CVE-2023-4197HigNov 1, 2023
    risk 0.44cvss 7.5epss 0.33

    Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

  • CVE-2023-45805HigOct 20, 2023
    risk 0.44cvss 7.8epss 0.01

    pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another…

  • CVE-2023-4680MedSep 15, 2023
    risk 0.44cvss 6.8epss 0.00

    HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially…

  • CVE-2023-39137HigAug 30, 2023
    risk 0.44cvss 7.8epss 0.00

    An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.

  • CVE-2022-38900HigNov 28, 2022
    risk 0.44cvss 7.5epss 0.25

    decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

  • CVE-2021-4041HigAug 24, 2022
    risk 0.44cvss 7.8epss 0.00

    A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host…

  • CVE-2021-44832MedDec 28, 2021
    risk 0.44cvss 6.6epss 0.98

    Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP…

  • CVE-2021-25738MedOct 11, 2021
    risk 0.44cvss 6.7epss 0.00

    Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.

  • CVE-2021-37665HigAug 12, 2021
    risk 0.44cvss 7.8epss 0.00

    TensorFlow is an end-to-end open source platform for machine learning. In affected versions due to incomplete validation in MKL implementation of requantization, an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the…

  • CVE-2021-37663HigAug 12, 2021
    risk 0.44cvss 7.8epss 0.00

    TensorFlow is an end-to-end open source platform for machine learning. In affected versions due to incomplete validation in `tf.raw_ops.QuantizeV2`, an attacker can trigger undefined behavior via binding a reference to a null pointer or can access data outside the bounds of heap…

  • CVE-2018-19295HigDec 17, 2018
    risk 0.44cvss 7.8epss 0.00

    Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks.

  • CVE-2018-15428MedOct 5, 2018
    risk 0.44cvss 6.8epss 0.02

    A vulnerability in the implementation of Border Gateway Protocol (BGP) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incorrect processing of certain BGP update…

  • CVE-2018-15369MedOct 5, 2018
    risk 0.44cvss 6.8epss 0.02

    A vulnerability in the TACACS+ client subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling…

  • CVE-2018-15368MedOct 5, 2018
    risk 0.44cvss 6.7epss 0.00

    A vulnerability in the CLI parser of Cisco IOS XE Software could allow an authenticated, local attacker to gain access to the underlying Linux shell of an affected device and execute arbitrary commands with root privileges on the device. The vulnerability is due to the affected…

  • CVE-2018-10920MedAug 2, 2018
    risk 0.44cvss 6.8epss 0.03

    Improper input validation bug in DNS resolver component of Knot Resolver before 2.4.1 allows remote attacker to poison cache.

  • CVE-2017-2614MedJul 27, 2018
    risk 0.44cvss 6.8epss 0.00

    When updating a password in the rhvm database the ovirt-aaa-jdbc-tool tools before 1.1.3 fail to correctly check for the current password if it is expired. This would allow access to an attacker with access to change the password on accounts with expired passwords, gaining…

  • CVE-2018-10874HigJul 2, 2018
    risk 0.44cvss 7.8epss 0.00

    In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.

  • CVE-2014-0593HigJun 8, 2018
    risk 0.44cvss 7.8epss 0.02

    The set_version script as shipped with obs-service-set_version is a source validator for the Open Build Service (OBS). In versions prior to 0.5.3-1.1 this script did not properly sanitize the input provided by the user, allowing for code execution on the executing server.

  • CVE-2018-1268MedJun 6, 2018
    risk 0.44cvss 6.8epss 0.01

    Cloud Foundry Loggregator, versions 89.x prior to 89.5 or 96.x prior to 96.1 or 99.x prior to 99.1 or 101.x prior to 101.9 or 102.x prior to 102.2, does not validate app GUID structure in requests. A remote authenticated malicious user knowing the GUID of an app may construct…

  • CVE-2018-1321HigMar 20, 2018
    risk 0.44cvss 7.2epss 0.18

    An administrator with report and template entitlements in Apache Syncope 1.2.x before 1.2.11, 2.0.x before 2.0.8, and unsupported releases 1.0.x and 1.1.x which may be also affected, can use XSL Transformations (XSLT) to perform malicious operations, including but not limited to…