VYPR

CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (8,003)

page 35 of 401
  • CVE-2024-21976HigNov 12, 2024
    risk 0.57cvss 8.8epss 0.00

    Improper input validation in the NPU driver could allow an attacker to supply a specially crafted pointer potentially leading to arbitrary code execution.

  • CVE-2024-48914CriOct 15, 2024
    risk 0.57cvss 9.1epss 0.60

    Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files,…

  • CVE-2024-45258CriAug 25, 2024
    risk 0.57cvss 9.8epss 0.01

    The req package before 3.43.4 for Go may send an unintended request when a malformed URL is provided, because cleanHost in http.go intentionally uses a "garbage in, garbage out" design.

  • CVE-2024-21810HigAug 14, 2024
    risk 0.57cvss 8.8epss 0.00

    Improper input validation in the Linux kernel mode driver for some Intel(R) Ethernet Network Controllers and Adapters before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

  • CVE-2024-2746HigMay 8, 2024
    risk 0.57cvss 8.8epss 0.00

    Incomplete fix for CVE-2024-1929 The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user controlled "plugin". All of this…

  • CVE-2022-4886HigOct 25, 2023
    risk 0.57cvss 8.8epss 0.02

    Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.

  • CVE-2023-38218HigOct 13, 2023
    risk 0.57cvss 8.8epss 0.01

    Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Incorrect Authorization . An authenticated attacker can exploit this to achieve information exposure and privilege escalation.

  • CVE-2023-40743CriSep 5, 2023
    risk 0.57cvss 9.8epss 0.02

    ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API…

  • CVE-2023-39532CriAug 8, 2023
    risk 0.57cvss 9.8epss 0.01

    SES is a JavaScript environment that allows safe execution of arbitrary programs in Compartments. In version 0.18.0 prior to 0.18.7, 0.17.0 prior to 0.17.1, 0.16.0 prior to 0.16.1, 0.15.0 prior to 0.15.24, 0.14.0 prior to 0.14.5, an 0.13.0 prior to 0.13.5, there is a hole in the…

  • CVE-2023-37415HigJul 13, 2023
    risk 0.57cvss 8.8epss 0.01

    Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider. Patching on top of CVE-2023-35797 Before 6.1.2 the proxy_user option can also inject semicolon. This issue affects Apache Airflow Apache Hive Provider: before 6.1.2. …

  • CVE-2023-35797CriJul 3, 2023
    risk 0.57cvss 9.8epss 0.02

    Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Hive Provider. This issue affects Apache Airflow Apache Hive Provider: before 6.1.1. Before version 6.1.1 it was possible to bypass the security check to RCE via principal parameter. For this…

  • CVE-2023-22886HigJun 29, 2023
    risk 0.57cvss 8.8epss 0.02

    Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Airflow JDBC Provider Connection’s [Connection URL] parameters had no restrictions, which made it possible to implement RCE attacks via different type JDBC drivers, obtain…

  • CVE-2023-31047CriMay 7, 2023
    risk 0.57cvss 9.8epss 0.01

    In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was…

  • CVE-2023-1789CriApr 1, 2023
    risk 0.57cvss 9.8epss 0.00

    Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 6.0.0.

  • CVE-2023-27586CriMar 20, 2023
    risk 0.57cvss 9.9epss 0.01

    CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or…

  • CVE-2023-25696CriFeb 24, 2023
    risk 0.57cvss 9.8epss 0.02

    Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3.

  • CVE-2023-25693CriFeb 24, 2023
    risk 0.57cvss 9.8epss 0.02

    Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider. This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.

  • CVE-2023-25691CriFeb 24, 2023
    risk 0.57cvss 9.8epss 0.02

    Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

  • CVE-2023-0299CriJan 14, 2023
    risk 0.57cvss 9.8epss 0.01

    Improper Input Validation in GitHub repository publify/publify prior to 9.2.10.

  • CVE-2022-40145CriDec 21, 2022
    risk 0.57cvss 9.8epss 0.02

    This vulnerable is about a potential code injection when an attacker has control of the target LDAP server using in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource use InitialContext.lookup(jndiName)…