CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Parents

CWE-707

Children

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (5,727)

page 90 of 287

CVE	Vendor / Product	Sev	Risk	CVSS	Published	Description
CVE-2017-13685	SQLite SQLite	Med	0.36	5.5	Aug 29, 2017	The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.
CVE-2017-0724	Google Android	Med	0.36	5.5	Aug 9, 2017	A denial of service vulnerability in the Android media framework (libmpeg2). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36819262.
CVE-2017-7045	Apple Inc. Mac Os X	Med	0.36	5.5	Jul 20, 2017	An issue was discovered in certain Apple products. macOS before 10.12.6 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.
CVE-2017-0696	Google Android	Med	0.36	5.5	Jul 6, 2017	A denial of service vulnerability in the Android media framework. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37207120.
CVE-2017-0694	Google Android	Med	0.36	5.5	Jul 6, 2017	A denial of service vulnerability in the Android media framework. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37093318.
CVE-2017-0689	Google Android	Med	0.36	5.5	Jul 6, 2017	A denial of service vulnerability in the Android media framework. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36215950.
CVE-2017-0672	Google Android	Med	0.36	5.5	Jul 6, 2017	A denial of service vulnerability in the Android libraries. Product: Android. Versions: 7.0, 7.1.1, 7.1.2. Android ID: A-34778578.
CVE-2017-10674	Antiy Antivirus Engine	Med	0.36	5.5	Jun 30, 2017	Antiy Antivirus Engine 5.0.0.06281654 allows local users to cause a denial of service (BSOD) via a long third argument in a DeviceIoControl call.
CVE-2017-9778	GNU Gdb	Med	0.36	5.5	Jun 21, 2017	GNU Debugger (GDB) 8.0 and earlier fails to detect a negative length field in a DWARF section. A malformed section in an ELF binary or a core file can cause GDB to repeatedly allocate memory until a process limit is reached. This can, for example, impede efforts to analyze malware with GDB.
CVE-2017-7366	Google Android	Med	0.36	5.5	Jun 13, 2017	In all Android releases from CAF using the Linux kernel, a KGSL ioctl was not validating all of its parameters.
CVE-2016-10337	Google Android	Med	0.36	5.5	Jun 13, 2017	In all Android releases from CAF using the Linux kernel, some validation of secure applications was not being performed.
CVE-2017-4897	VMware Horizon Daas	Med	0.36	5.5	May 31, 2017	VMware Horizon DaaS before 7.0.0 contains a vulnerability that exists due to insufficient validation of data. An attacker may exploit this issue by tricking DaaS client users into connecting to a malicious server and sharing all their drives and devices. Successful exploitation of this vulnerability requires a victim to download a specially crafted RDP file through DaaS client by clicking on a malicious link.
CVE-2017-9242	Linux Kernel	Med	0.36	5.5	May 27, 2017	The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.
CVE-2017-2540	Apple Inc. Mac Os X	Med	0.36	5.5	May 22, 2017	An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "WindowServer" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.
CVE-2017-8934	Pcmanfm Project Pcmanfm	Med	0.36	5.5	May 15, 2017	PCManFM 1.2.5 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (application unavailability).
CVE-2016-10371	LibTIFF Libtiff	Med	0.36	5.5	May 10, 2017	The TIFFWriteDirectoryTagCheckedRational function in tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file.
CVE-2017-0355	—	Med	0.36	5.5	May 9, 2017	All versions of the NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgkDdiEscape where it may access paged memory while holding a spinlock, leading to a denial of service.
CVE-2017-0353	Nvidia GPU Driver	Med	0.36	5.5	May 9, 2017	All versions of the NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where due to improper locking on certain conditions may lead to a denial of service
CVE-2015-7740	—	Med	0.36	5.5	Apr 13, 2017	Huawei P7 before P7-L00C17B851, P7-L05C00B851, and P7-L09C92B851 and P8 ALE-UL00 before ALE-UL00B211 allows local users to cause a denial of service (OS crash) via vectors involving an application that passes crafted input to the GPU driver.
CVE-2016-1517	—	Med	0.36	5.5	Apr 10, 2017	OpenCV 3.0.0 allows remote attackers to cause a denial of service (segfault) via vectors involving corrupt chunks.

CVE-2017-13685MedAug 29, 2017
SQLite
SQLite
risk 0.36cvss 5.5epss 0.00
The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.
CVE-2017-0724MedAug 9, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
A denial of service vulnerability in the Android media framework (libmpeg2). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36819262.
CVE-2017-7045MedJul 20, 2017
Apple Inc.
Mac Os X
risk 0.36cvss 5.5epss 0.00
An issue was discovered in certain Apple products. macOS before 10.12.6 is affected. The issue involves the "Intel Graphics Driver" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.
CVE-2017-0696MedJul 6, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
A denial of service vulnerability in the Android media framework. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37207120.
CVE-2017-0694MedJul 6, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
A denial of service vulnerability in the Android media framework. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-37093318.
CVE-2017-0689MedJul 6, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
A denial of service vulnerability in the Android media framework. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36215950.
CVE-2017-0672MedJul 6, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
A denial of service vulnerability in the Android libraries. Product: Android. Versions: 7.0, 7.1.1, 7.1.2. Android ID: A-34778578.
CVE-2017-10674MedJun 30, 2017
Antiy
Antivirus Engine
risk 0.36cvss 5.5epss 0.00
Antiy Antivirus Engine 5.0.0.06281654 allows local users to cause a denial of service (BSOD) via a long third argument in a DeviceIoControl call.
CVE-2017-9778MedJun 21, 2017
GNU
Gdb
risk 0.36cvss 5.5epss 0.00
GNU Debugger (GDB) 8.0 and earlier fails to detect a negative length field in a DWARF section. A malformed section in an ELF binary or a core file can cause GDB to repeatedly allocate memory until a process limit is reached. This can, for example, impede efforts to analyze malware with GDB.
CVE-2017-7366MedJun 13, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
In all Android releases from CAF using the Linux kernel, a KGSL ioctl was not validating all of its parameters.
CVE-2016-10337MedJun 13, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
In all Android releases from CAF using the Linux kernel, some validation of secure applications was not being performed.
CVE-2017-4897MedMay 31, 2017
VMware
Horizon Daas
risk 0.36cvss 5.5epss 0.00
VMware Horizon DaaS before 7.0.0 contains a vulnerability that exists due to insufficient validation of data. An attacker may exploit this issue by tricking DaaS client users into connecting to a malicious server and sharing all their drives and devices. Successful exploitation of this vulnerability requires a victim to download a specially crafted RDP file through DaaS client by clicking on a malicious link.
CVE-2017-9242MedMay 27, 2017
Linux
Kernel
risk 0.36cvss 5.5epss 0.00
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls.
CVE-2017-2540MedMay 22, 2017
Apple Inc.
Mac Os X
risk 0.36cvss 5.5epss 0.00
An issue was discovered in certain Apple products. macOS before 10.12.5 is affected. The issue involves the "WindowServer" component. It allows attackers to bypass intended memory-read restrictions via a crafted app.
CVE-2017-8934MedMay 15, 2017
Pcmanfm Project
Pcmanfm
risk 0.36cvss 5.5epss 0.00
PCManFM 1.2.5 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (application unavailability).
CVE-2016-10371MedMay 10, 2017
LibTIFF
Libtiff
risk 0.36cvss 5.5epss 0.00
The TIFFWriteDirectoryTagCheckedRational function in tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file.
CVE-2017-0355MedMay 9, 2017
risk 0.36cvss 5.5epss 0.00
All versions of the NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgkDdiEscape where it may access paged memory while holding a spinlock, leading to a denial of service.
CVE-2017-0353MedMay 9, 2017
Nvidia
GPU Driver
risk 0.36cvss 5.5epss 0.00
All versions of the NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where due to improper locking on certain conditions may lead to a denial of service
CVE-2015-7740MedApr 13, 2017
risk 0.36cvss 5.5epss 0.00
Huawei P7 before P7-L00C17B851, P7-L05C00B851, and P7-L09C92B851 and P8 ALE-UL00 before ALE-UL00B211 allows local users to cause a denial of service (OS crash) via vectors involving an application that passes crafted input to the GPU driver.
CVE-2016-1517MedApr 10, 2017
risk 0.36cvss 5.5epss 0.00
OpenCV 3.0.0 allows remote attackers to cause a denial of service (segfault) via vectors involving corrupt chunks.