CWE-20
Improper Input Validation
Description
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9
CVEs mapped to this weakness (6,924)
page 198 of 347| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-29530 | — | 0.00 | — | 0.01 | Apr 24, 2023 | Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a… | ||
| CVE-2023-30542 | 0.00 | — | 0.01 | Apr 16, 2023 | OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional… | |||
| CVE-2023-30535 | 0.00 | — | 0.02 | Apr 14, 2023 | Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Users of the Snowflake JDBC driver were vulnerable to a command injection vulnerability. An attacker could set up a malicious, publicly accessible server… | |||
| CVE-2023-29194 | 0.00 | — | 0.01 | Apr 14, 2023 | Vitess is a database clustering system for horizontal scaling of MySQL. Users can either intentionally or inadvertently create a keyspace containing `/` characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list… | |||
| CVE-2023-28710 | 0.00 | — | 0.02 | Apr 7, 2023 | Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider.This issue affects Apache Airflow Spark Provider: before 4.0.1. | |||
| CVE-2023-28707 | 0.00 | — | 0.02 | Apr 7, 2023 | Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2. | |||
| CVE-2023-1789 | 0.00 | — | 0.00 | Apr 1, 2023 | Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 6.0.0. | |||
| CVE-2023-1754 | — | 0.00 | — | 0.01 | Mar 31, 2023 | Improper Neutralization of Input During Web Page Generation in GitHub repository thorsten/phpmyfaq prior to 3.1.12. | ||
| CVE-2023-25661 | 0.00 | — | 0.00 | Mar 27, 2023 | TensorFlow is an Open Source Machine Learning Framework. In versions prior to 2.11.1 a malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the `Convolution3DTranspose`… | |||
| CVE-2023-28330 | 0.00 | — | 0.01 | Mar 23, 2023 | Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default. | |||
| CVE-2023-1289 | 0.00 | — | 0.01 | Mar 23, 2023 | A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp,"… | |||
| CVE-2023-27586 | 0.00 | — | 0.01 | Mar 20, 2023 | CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or… | |||
| CVE-2023-28113 | — | 0.00 | — | 0.01 | Mar 16, 2023 | russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client… | ||
| CVE-2023-0100 | — | 0.00 | — | 0.01 | Mar 15, 2023 | In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched… | ||
| CVE-2023-27484 | 0.00 | — | 0.01 | Mar 9, 2023 | crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. In affected versions an already highly privileged user able to create or update Compositions can specify an arbitrarily high index in a patch's `ToFieldPath`,… | |||
| CVE-2023-27483 | 0.00 | — | 0.01 | Mar 9, 2023 | crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. An out of memory panic vulnerability has been discovered in affected versions. Applications that use the `Paved` type's `SetValue` method with user provided… | |||
| CVE-2021-36402 | 0.00 | — | 0.01 | Mar 6, 2023 | In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk. | |||
| CVE-2022-3294 | 0.00 | — | 0.02 | Mar 1, 2023 | Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access… | |||
| CVE-2023-25696 | 0.00 | — | 0.02 | Feb 24, 2023 | Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3. | |||
| CVE-2023-25693 | 0.00 | — | 0.02 | Feb 24, 2023 | Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1. |
- CVE-2023-29530Apr 24, 2023risk 0.00cvss —epss 0.01
Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a…
- CVE-2023-30542Apr 16, 2023risk 0.00cvss —epss 0.01
OpenZeppelin Contracts is a library for secure smart contract development. The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional…
- CVE-2023-30535Apr 14, 2023risk 0.00cvss —epss 0.02
Snowflake JDBC provides a JDBC type 4 driver that supports core functionality, allowing Java program to connect to Snowflake. Users of the Snowflake JDBC driver were vulnerable to a command injection vulnerability. An attacker could set up a malicious, publicly accessible server…
- CVE-2023-29194Apr 14, 2023risk 0.00cvss —epss 0.01
Vitess is a database clustering system for horizontal scaling of MySQL. Users can either intentionally or inadvertently create a keyspace containing `/` characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list…
- CVE-2023-28710Apr 7, 2023risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Spark Provider.This issue affects Apache Airflow Spark Provider: before 4.0.1.
- CVE-2023-28707Apr 7, 2023risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.This issue affects Apache Airflow Drill Provider: before 2.3.2.
- CVE-2023-1789Apr 1, 2023risk 0.00cvss —epss 0.00
Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 6.0.0.
- CVE-2023-1754Mar 31, 2023risk 0.00cvss —epss 0.01
Improper Neutralization of Input During Web Page Generation in GitHub repository thorsten/phpmyfaq prior to 3.1.12.
- CVE-2023-25661Mar 27, 2023risk 0.00cvss —epss 0.00
TensorFlow is an Open Source Machine Learning Framework. In versions prior to 2.11.1 a malicious invalid input crashes a tensorflow model (Check Failed) and can be used to trigger a denial of service attack. A proof of concept can be constructed with the `Convolution3DTranspose`…
- CVE-2023-28330Mar 23, 2023risk 0.00cvss —epss 0.01
Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.
- CVE-2023-1289Mar 23, 2023risk 0.00cvss —epss 0.01
A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp,"…
- CVE-2023-27586Mar 20, 2023risk 0.00cvss —epss 0.01
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or…
- CVE-2023-28113Mar 16, 2023risk 0.00cvss —epss 0.01
russh is a Rust SSH client and server library. Starting in version 0.34.0 and prior to versions 0.36.2 and 0.37.1, Diffie-Hellman key validation is insufficient, which can lead to insecure shared secrets and therefore breaks confidentiality. Connections between a russh client…
- CVE-2023-0100Mar 15, 2023risk 0.00cvss —epss 0.01
In Eclipse BIRT, starting from version 2.6.2, the default configuration allowed to retrieve a report from the same host using an absolute HTTP path for the report parameter (e.g. __report=http://xyz.com/report.rptdesign). If the host indicated in the __report parameter matched…
- CVE-2023-27484Mar 9, 2023risk 0.00cvss —epss 0.01
crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. In affected versions an already highly privileged user able to create or update Compositions can specify an arbitrarily high index in a patch's `ToFieldPath`,…
- CVE-2023-27483Mar 9, 2023risk 0.00cvss —epss 0.01
crossplane-runtime is a set of go libraries used to build Kubernetes controllers in Crossplane and its related stacks. An out of memory panic vulnerability has been discovered in affected versions. Applications that use the `Paved` type's `SetValue` method with user provided…
- CVE-2021-36402Mar 6, 2023risk 0.00cvss —epss 0.01
In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.
- CVE-2022-3294Mar 1, 2023risk 0.00cvss —epss 0.02
Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access…
- CVE-2023-25696Feb 24, 2023risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3.
- CVE-2023-25693Feb 24, 2023risk 0.00cvss —epss 0.02
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.