CWE-20

Improper Input Validation

ClassStableLikelihood: High

Description

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Hierarchy (View 1000)

Parents

CWE-707

Children

Related attack patterns (CAPEC)

CAPEC-10 · CAPEC-101 · CAPEC-104 · CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-120 · CAPEC-13 · CAPEC-135 · CAPEC-136 · CAPEC-14 · CAPEC-153 · CAPEC-182 · CAPEC-209 · CAPEC-22 · CAPEC-23 · CAPEC-230 · CAPEC-231 · CAPEC-24 · CAPEC-250 · CAPEC-261 · CAPEC-267 · CAPEC-28 · CAPEC-3 · CAPEC-31 · CAPEC-42 · CAPEC-43 · CAPEC-45 · CAPEC-46 · CAPEC-47 · CAPEC-473 · CAPEC-52 · CAPEC-53 · CAPEC-588 · CAPEC-63 · CAPEC-64 · CAPEC-664 · CAPEC-67 · CAPEC-7 · CAPEC-71 · CAPEC-72 · CAPEC-73 · CAPEC-78 · CAPEC-79 · CAPEC-8 · CAPEC-80 · CAPEC-81 · CAPEC-83 · CAPEC-85 · CAPEC-88 · CAPEC-9

CVEs mapped to this weakness (5,727)

page 92 of 287

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2016-9390	—	Med	0.36	5.5	0.00	Mar 23, 2017	The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file.
CVE-2017-6837	Audiofile Audiofile	Med	0.36	5.5	0.06	Mar 20, 2017	WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via vectors related to a large number of coefficients.
CVE-2017-6961	Apng2gif Project Apng2gif	Med	0.36	5.5	0.00	Mar 17, 2017	An issue was discovered in apng2gif 1.7. There is improper sanitization of user input causing huge memory allocations, resulting in a crash. This is related to the read_chunk function using the pChunk->size value (within the PNG file) to determine the amount of memory to allocate.
CVE-2017-0007	Microsoft Windows Server 2016	Med	0.36	5.5	0.01	Mar 17, 2017	Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."
CVE-2016-10167	Libgd Libgd	Med	0.36	5.5	0.01	Mar 15, 2017	The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.
CVE-2014-9645	Busybox Busybox	Med	0.36	5.5	0.00	Mar 12, 2017	The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
CVE-2017-0499	Google Android	Med	0.36	5.5	0.00	Mar 8, 2017	A denial of service vulnerability in Audioserver could enable a local malicious application to cause a device hang or reboot. This issue is rated as Low due to the possibility of a temporary denial of service. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32095713.
CVE-2017-0488	Google Android	Med	0.36	5.5	0.00	Mar 8, 2017	A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-34097213.
CVE-2017-0484	Google Android	Med	0.36	5.5	0.00	Mar 8, 2017	A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33298089.
CVE-2017-0483	Google Android	Med	0.36	5.5	0.00	Mar 8, 2017	A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33137046.
CVE-2016-6247	OpenBSD OpenBSD	Med	0.36	5.5	0.00	Mar 7, 2017	OpenBSD 5.8 and 5.9 allows certain local users to cause a denial of service (kernel panic) by unmounting a filesystem with an open vnode on the mnt_vnodelist.
CVE-2016-6243	OpenBSD OpenBSD	Med	0.36	5.5	0.00	Mar 7, 2017	thrsleep in kern/kern_synch.c in OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (kernel panic) via a crafted value in the tsp parameter of the __thrsleep system call.
CVE-2016-6239	—	Med	0.36	5.5	0.00	Mar 7, 2017	The mmap extension __MAP_NOFAULT in OpenBSD 5.8 and 5.9 allows attackers to cause a denial of service (kernel panic and crash) via a large size value.
CVE-2017-6498	Debian Debian Linux	Med	0.36	5.5	0.00	Mar 6, 2017	An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could trigger assertion failures, thus leading to DoS.
CVE-2016-10069	—	Med	0.36	5.5	0.01	Mar 2, 2017	coders/mat.c in ImageMagick before 6.9.4-5 allows remote attackers to cause a denial of service (application crash) via a mat file with an invalid number of frames.
CVE-2016-10068	—	Med	0.36	5.5	0.01	Mar 2, 2017	The MSL interpreter in ImageMagick before 6.9.6-4 allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted XML file.
CVE-2016-9830	Debian Debian Linux	Med	0.36	5.5	0.01	Mar 1, 2017	The MagickRealloc function in memory.c in Graphicsmagick 1.3.25 allows remote attackers to cause a denial of service (crash) via large dimensions in a jpeg image.
CVE-2016-5240	Graphicsmagick Graphicsmagick	Med	0.36	5.5	0.01	Feb 27, 2017	The DrawDashPolygon function in magick/render.c in GraphicsMagick before 1.3.24 and the SVG renderer in ImageMagick allow remote attackers to cause a denial of service (infinite loop) by converting a circularly defined SVG file.
CVE-2017-6188	Debian Debian Linux	Med	0.36	5.5	0.00	Feb 22, 2017	Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file accessible to the www-data user.
CVE-2017-6078	Faststone Maxview	Med	0.36	5.5	0.00	Feb 21, 2017	FastStone MaxView 3.0 and 3.1 allows user-assisted attackers to cause a denial of service (application crash) via a malformed BMP image with a crafted biSize field in the BITMAPINFOHEADER section.

CVE-2016-9390MedMar 23, 2017
risk 0.36cvss 5.5epss 0.00
The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file.
CVE-2017-6837MedMar 20, 2017
Audiofile
Audiofile
risk 0.36cvss 5.5epss 0.06
WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of service (crash) via vectors related to a large number of coefficients.
CVE-2017-6961MedMar 17, 2017
Apng2gif Project
Apng2gif
risk 0.36cvss 5.5epss 0.00
An issue was discovered in apng2gif 1.7. There is improper sanitization of user input causing huge memory allocations, resulting in a crash. This is related to the read_chunk function using the pChunk->size value (within the PNG file) to determine the amount of memory to allocate.
CVE-2017-0007MedMar 17, 2017
Microsoft
Windows Server 2016
risk 0.36cvss 5.5epss 0.01
Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Server 2016 allows remote attackers to modify PowerShell script without invalidating associated signatures, aka "PowerShell Security Feature Bypass Vulnerability."
CVE-2016-10167MedMar 15, 2017
Libgd
Libgd
risk 0.36cvss 5.5epss 0.01
The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted image file.
CVE-2014-9645MedMar 12, 2017
Busybox
Busybox
risk 0.36cvss 5.5epss 0.00
The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
CVE-2017-0499MedMar 8, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
A denial of service vulnerability in Audioserver could enable a local malicious application to cause a device hang or reboot. This issue is rated as Low due to the possibility of a temporary denial of service. Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32095713.
CVE-2017-0488MedMar 8, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-34097213.
CVE-2017-0484MedMar 8, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33298089.
CVE-2017-0483MedMar 8, 2017
Google
Android
risk 0.36cvss 5.5epss 0.00
A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33137046.
CVE-2016-6247MedMar 7, 2017
OpenBSD
OpenBSD
risk 0.36cvss 5.5epss 0.00
OpenBSD 5.8 and 5.9 allows certain local users to cause a denial of service (kernel panic) by unmounting a filesystem with an open vnode on the mnt_vnodelist.
CVE-2016-6243MedMar 7, 2017
OpenBSD
OpenBSD
risk 0.36cvss 5.5epss 0.00
thrsleep in kern/kern_synch.c in OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (kernel panic) via a crafted value in the tsp parameter of the __thrsleep system call.
CVE-2016-6239MedMar 7, 2017
risk 0.36cvss 5.5epss 0.00
The mmap extension __MAP_NOFAULT in OpenBSD 5.8 and 5.9 allows attackers to cause a denial of service (kernel panic and crash) via a large size value.
CVE-2017-6498MedMar 6, 2017
Debian
Debian Linux
risk 0.36cvss 5.5epss 0.00
An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could trigger assertion failures, thus leading to DoS.
CVE-2016-10069MedMar 2, 2017
risk 0.36cvss 5.5epss 0.01
coders/mat.c in ImageMagick before 6.9.4-5 allows remote attackers to cause a denial of service (application crash) via a mat file with an invalid number of frames.
CVE-2016-10068MedMar 2, 2017
risk 0.36cvss 5.5epss 0.01
The MSL interpreter in ImageMagick before 6.9.6-4 allows remote attackers to cause a denial of service (segmentation fault and application crash) via a crafted XML file.
CVE-2016-9830MedMar 1, 2017
Debian
Debian Linux
risk 0.36cvss 5.5epss 0.01
The MagickRealloc function in memory.c in Graphicsmagick 1.3.25 allows remote attackers to cause a denial of service (crash) via large dimensions in a jpeg image.
CVE-2016-5240MedFeb 27, 2017
Graphicsmagick
Graphicsmagick
risk 0.36cvss 5.5epss 0.01
The DrawDashPolygon function in magick/render.c in GraphicsMagick before 1.3.24 and the SVG renderer in ImageMagick allow remote attackers to cause a denial of service (infinite loop) by converting a circularly defined SVG file.
CVE-2017-6188MedFeb 22, 2017
Debian
Debian Linux
risk 0.36cvss 5.5epss 0.00
Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled. Setting multiple upper_limit GET parameters allows overwriting any file accessible to the www-data user.
CVE-2017-6078MedFeb 21, 2017
Faststone
Maxview
risk 0.36cvss 5.5epss 0.00
FastStone MaxView 3.0 and 3.1 allows user-assisted attackers to cause a denial of service (application crash) via a malformed BMP image with a crafted biSize field in the BITMAPINFOHEADER section.