CWE-351
Insufficient Type Distinction
The product does not properly distinguish between different types of elements in a way that leads to insecure behavior.
CVE-2020-10134 (GCVE-0-2020-10134)
Vulnerability from cvelistv5
Published
2020-05-19 15:50
Modified
2024-09-16 20:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Pairing in Bluetooth® Core v5.2 and earlier may permit an unauthenticated attacker to acquire credentials with two pairing devices via adjacent access when the unauthenticated user initiates different pairing methods in each peer device and an end-user erroneously completes both pairing procedures with the MITM using the confirmation number of one peer as the passkey of the other. An adjacent, unauthenticated attacker could be able to initiate any Bluetooth operation on either attacked device exposed by the enabled Bluetooth profiles. This exposure may be limited when the user must authorize certain access explicitly, but so long as a user assumes that it is the intended remote device requesting permissions, device-local protections may be weakened.
References
► | URL | Tags | ||||||
---|---|---|---|---|---|---|---|---|
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:50:57.888Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "VU#534195", "tags": [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred" ], "url": "https://kb.cert.org/vuls/id/534195/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/method-vulnerability/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "LE", "vendor": "Bluetooth", "versions": [ { "lessThanOrEqual": "5.2", "status": "affected", "version": "5.2", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Thanks to Ludwig Peuckert and Maximilian von Tschirschnitz for reporting this vulnerability." } ], "datePublic": "2020-05-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Pairing in Bluetooth\u00ae Core v5.2 and earlier may permit an unauthenticated attacker to acquire credentials with two pairing devices via adjacent access when the unauthenticated user initiates different pairing methods in each peer device and an end-user erroneously completes both pairing procedures with the MITM using the confirmation number of one peer as the passkey of the other. An adjacent, unauthenticated attacker could be able to initiate any Bluetooth operation on either attacked device exposed by the enabled Bluetooth profiles. This exposure may be limited when the user must authorize certain access explicitly, but so long as a user assumes that it is the intended remote device requesting permissions, device-local protections may be weakened." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-351", "description": "CWE-351", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-05-19T15:50:14", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "name": "VU#534195", "tags": [ "third-party-advisory", "x_refsource_CERT-VN" ], "url": "https://kb.cert.org/vuls/id/534195/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/method-vulnerability/" } ], "source": { "discovery": "UNKNOWN" }, "title": "Bluetooth devices supporting LE and specific BR/EDR implementations are vulnerable to method confusion attacks", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cert@cert.org", "DATE_PUBLIC": "2020-05-18T00:00:00.000Z", "ID": "CVE-2020-10134", "STATE": "PUBLIC", "TITLE": "Bluetooth devices supporting LE and specific BR/EDR implementations are vulnerable to method confusion attacks" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "LE", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "5.2", "version_value": "5.2" } ] } } ] }, "vendor_name": "Bluetooth" } ] } }, "credit": [ { "lang": "eng", "value": "Thanks to Ludwig Peuckert and Maximilian von Tschirschnitz for reporting this vulnerability." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Pairing in Bluetooth\u00ae Core v5.2 and earlier may permit an unauthenticated attacker to acquire credentials with two pairing devices via adjacent access when the unauthenticated user initiates different pairing methods in each peer device and an end-user erroneously completes both pairing procedures with the MITM using the confirmation number of one peer as the passkey of the other. An adjacent, unauthenticated attacker could be able to initiate any Bluetooth operation on either attacked device exposed by the enabled Bluetooth profiles. This exposure may be limited when the user must authorize certain access explicitly, but so long as a user assumes that it is the intended remote device requesting permissions, device-local protections may be weakened." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-351" } ] } ] }, "references": { "reference_data": [ { "name": "VU#534195", "refsource": "CERT-VN", "url": "https://kb.cert.org/vuls/id/534195/" }, { "name": "https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/method-vulnerability/", "refsource": "CONFIRM", "url": "https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/method-vulnerability/" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2020-10134", "datePublished": "2020-05-19T15:50:14.117011Z", "dateReserved": "2020-03-05T00:00:00", "dateUpdated": "2024-09-16T20:01:34.146Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-1642 (GCVE-0-2022-1642)
Vulnerability from cvelistv5
Published
2022-06-16 16:39
Modified
2024-08-03 00:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it's possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. Versions of Swift running on Darwin-based operating systems are not affected.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Swift Project | Swift Corelib-Foundation |
Version: 5.5.0 < unspecified Version: unspecified < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T00:10:03.820Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/apple/swift-corelibs-foundation/security/advisories/GHSA-239c-6cv2-wwx8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Swift Corelib-Foundation", "vendor": "Swift Project", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "5.5.0", "versionType": "custom" }, { "lessThanOrEqual": "5.6.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it\u0027s possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. Versions of Swift running on Darwin-based operating systems are not affected." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-241", "description": "CWE-241: Improper Handling of Unexpected Data Type", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-351", "description": "CWE-351: Insufficient Type Distinction", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-704", "description": "CWE-704: Incorrect Type Conversion or Cast", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-16T16:39:46", "orgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0", "shortName": "Swift" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/apple/swift-corelibs-foundation/security/advisories/GHSA-239c-6cv2-wwx8" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@forums.swift.org", "ID": "CVE-2022-1642", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Swift Corelib-Foundation", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "5.5.0" }, { "version_affected": "\u003c=", "version_value": "5.6.1" } ] } } ] }, "vendor_name": "Swift Project" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it\u0027s possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. Versions of Swift running on Darwin-based operating systems are not affected." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-241: Improper Handling of Unexpected Data Type" } ] }, { "description": [ { "lang": "eng", "value": "CWE-351: Insufficient Type Distinction" } ] }, { "description": [ { "lang": "eng", "value": "CWE-704: Incorrect Type Conversion or Cast" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/apple/swift-corelibs-foundation/security/advisories/GHSA-239c-6cv2-wwx8", "refsource": "MISC", "url": "https://github.com/apple/swift-corelibs-foundation/security/advisories/GHSA-239c-6cv2-wwx8" } ] } } } }, "cveMetadata": { "assignerOrgId": "e4a1ddda-f4f5-496e-96c8-82c37d06abd0", "assignerShortName": "Swift", "cveId": "CVE-2022-1642", "datePublished": "2022-06-16T16:39:46", "dateReserved": "2022-05-09T00:00:00", "dateUpdated": "2024-08-03T00:10:03.820Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-2866 (GCVE-0-2023-2866)
Vulnerability from cvelistv5
Published
2023-06-07 20:12
Modified
2025-01-16 21:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-351 - Insufficient Type Distinction
Summary
If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Advantech | WebAccess/SCADA |
Version: 8.4.5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:33:06.094Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-150-01" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-2866", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-01-16T21:20:42.928189Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-16T21:32:10.686Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "WebAccess/SCADA", "vendor": "Advantech", "versions": [ { "status": "affected", "version": "8.4.5" } ] } ], "credits": [ { "lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Marlon Luis Petry reported this vulnerability to CISA." } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIf an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server. \u003c/span\u003e\n\n" } ], "value": "\nIf an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the SCADA server. \n\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-351", "description": "CWE-351 Insufficient Type Distinction", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-06-07T20:12:46.824Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-150-01" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech released a new \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.advantech.com/en/support/details/installation?id=1-MS9MJV\"\u003eversion V9.1.4\u003c/a\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;to address the problem by not including these files.\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "\nAdvantech released a new version V9.1.4 https://www.advantech.com/en/support/details/installation \u00a0to address the problem by not including these files.\n\n\n" } ], "source": { "discovery": "EXTERNAL" }, "title": "Advantech WebAccess Insufficient Type Distinction", "workarounds": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\n\u003cp\u003eAdvantech recommends users locate and delete the \u201cWADashboardSetup.msi\u201d file to avoid this issue.\u003c/p\u003e\u003cp\u003eIf\n users wish to remedy this problem in version 8.4.5, they can uninstall \n\"WebAccess Dashboard\" from the control panel. Delete all the files:\u003c/p\u003e\u003cp\u003e\\Inetpub\\wwwroot\\broadweb\\WADashboard\u003c/p\u003e\u003cp\u003e\\WebAccess\\Node\\WADashboardSetup.msi\u003c/p\u003e\n\n\u003cbr\u003e" } ], "value": "Advantech recommends users locate and delete the \u201cWADashboardSetup.msi\u201d file to avoid this issue.\n\nIf\n users wish to remedy this problem in version 8.4.5, they can uninstall \n\"WebAccess Dashboard\" from the control panel. Delete all the files:\n\n\\Inetpub\\wwwroot\\broadweb\\WADashboard\n\n\\WebAccess\\Node\\WADashboardSetup.msi\n\n\n\n\n" } ], "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2023-2866", "datePublished": "2023-06-07T20:12:46.824Z", "dateReserved": "2023-05-24T14:09:39.667Z", "dateUpdated": "2025-01-16T21:32:10.686Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-45676 (GCVE-0-2024-45676)
Vulnerability from cvelistv5
Published
2024-12-03 17:08
Modified
2024-12-03 17:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-351 - Insufficient Type Distinction
Summary
IBM Cognos Controller 11.0.0 and 11.0.1
could allow an authenticated user to upload insecure files, due to insufficient file type distinction.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
IBM | Cognos Controller |
Version: 11.0.0, 11.0.1 cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:* |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-45676", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-03T17:49:24.107791Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-03T17:55:03.449Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "cpes": [ "cpe:2.3:a:ibm:cognos_controller:11.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_controller:11.0.1:*:*:*:*:*:*:*" ], "defaultStatus": "unaffected", "product": "Cognos Controller", "vendor": "IBM", "versions": [ { "status": "affected", "version": "11.0.0, 11.0.1" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIBM Cognos Controller 11.0.0 and 11.0.1 \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecould allow an authenticated user to upload insecure files, due to insufficient file type distinction.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e" } ], "value": "IBM Cognos Controller 11.0.0 and 11.0.1 \n\n\n\n\n\n\n\ncould allow an authenticated user to upload insecure files, due to insufficient file type distinction." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-351", "description": "CWE-351 Insufficient Type Distinction", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-03T17:08:51.441Z", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm" }, "references": [ { "url": "https://www.ibm.com/support/pages/node/7177220" } ], "source": { "discovery": "UNKNOWN" }, "title": "IBM Cognos Controller file upload", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2024-45676", "datePublished": "2024-12-03T17:08:51.441Z", "dateReserved": "2024-09-03T13:50:43.964Z", "dateUpdated": "2024-12-03T17:55:03.449Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-30510 (GCVE-0-2025-30510)
Vulnerability from cvelistv5
Published
2025-04-15 21:36
Modified
2025-04-16 14:41
Severity ?
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-351 - Insufficient Type Distinction
Summary
An attacker can upload an arbitrary file instead of a plant image.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Growatt | Cloud portal |
Version: 0 < 3.6.0 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-30510", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-16T14:21:31.082742Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-16T14:41:51.796Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Cloud portal", "vendor": "Growatt", "versions": [ { "lessThan": "3.6.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Forescout Technologies reported these vulnerabilities to CISA." } ], "datePublic": "2025-04-15T16:00:00.000Z", "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker can upload an arbitrary file instead of a plant image.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003cbr\u003e" } ], "value": "An attacker can upload an arbitrary file instead of a plant image." } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-351", "description": "CWE-351 Insufficient Type Distinction", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-15T21:36:07.191Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert" }, "references": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04" } ], "solutions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eGrowatt reports the cloud-based vulnerabilities were patched and no user action is needed. Additionally, Growatt strongly recommends that their users take proactive steps in securing their devices and take the following actions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdate all devices to the latest firmware version when available. (Updates are automatic, no user action needed.)\u003c/li\u003e\u003cli\u003eUse strong passwords and enable multi-factor authentication where applicable.\u003c/li\u003e\u003cli\u003eReport any security concerns to \u003ca target=\"_blank\" rel=\"nofollow\"\u003eService@Growatt.com\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eStay vigilant. Users and installers should regularly review security settings, follow best practices, and report any unusual activity.\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e" } ], "value": "Growatt reports the cloud-based vulnerabilities were patched and no user action is needed. Additionally, Growatt strongly recommends that their users take proactive steps in securing their devices and take the following actions:\n\n * Update all devices to the latest firmware version when available. (Updates are automatic, no user action needed.)\n * Use strong passwords and enable multi-factor authentication where applicable.\n * Report any security concerns to Service@Growatt.com.\n * Stay vigilant. Users and installers should regularly review security settings, follow best practices, and report any unusual activity." } ], "source": { "advisory": "ICSA-25-105-04", "discovery": "EXTERNAL" }, "title": "Growatt Cloud portal Insufficient Type Distinction", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2025-30510", "datePublished": "2025-04-15T21:36:07.191Z", "dateReserved": "2025-04-01T17:19:07.814Z", "dateUpdated": "2025-04-16T14:41:51.796Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-32035 (GCVE-0-2025-32035)
Vulnerability from cvelistv5
Published
2025-04-08 18:00
Modified
2025-04-08 18:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-351 - Insufficient Type Distinction
Summary
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 9.13.2, when uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked. This means that it's possible to e.g. upload an executable file renamed to be a .jpg. This file could then be executed by another security vulnerability. This vulnerability is fixed in 9.13.2.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
dnnsoftware | Dnn.Platform |
Version: < 9.13.2 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-32035", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-08T18:27:46.434338Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-08T18:27:55.670Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Dnn.Platform", "vendor": "dnnsoftware", "versions": [ { "status": "affected", "version": "\u003c 9.13.2" } ] } ], "descriptions": [ { "lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 9.13.2, when uploading files (e.g. when uploading assets), the file extension is checked to see if it\u0027s an allowed file type but the actual contents of the file aren\u0027t checked. This means that it\u0027s possible to e.g. upload an executable file renamed to be a .jpg. This file could then be executed by another security vulnerability. This vulnerability is fixed in 9.13.2." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-351", "description": "CWE-351: Insufficient Type Distinction", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-04-08T18:00:41.460Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-8q89-mqw7-9pp7", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-8q89-mqw7-9pp7" }, { "name": "https://github.com/dnnsoftware/Dnn.Platform/commit/a5c13c3836cfbde374dc19dac032cd51af41050a", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/dnnsoftware/Dnn.Platform/commit/a5c13c3836cfbde374dc19dac032cd51af41050a" } ], "source": { "advisory": "GHSA-8q89-mqw7-9pp7", "discovery": "UNKNOWN" }, "title": "DNN does not check the contents of a file when uploading files" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-32035", "datePublished": "2025-04-08T18:00:41.460Z", "dateReserved": "2025-04-01T21:57:32.959Z", "dateUpdated": "2025-04-08T18:27:55.670Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-47939 (GCVE-0-2025-47939)
Vulnerability from cvelistv5
Published
2025-05-20 14:00
Modified
2025-05-20 14:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example, a file incorrectly named with a `.png` extension but actually carrying the MIME type `application/zip`) starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. Although such files are not directly executable through the web server, their presence can introduce indirect risks. For example, third-party services such as antivirus scanners or malware detection systems might flag or block access to the website for end users if suspicious files are found. This could negatively affect the availability or reputation of the site. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem.
References
► | URL | Tags | ||||||
---|---|---|---|---|---|---|---|---|
|
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-47939", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-20T14:08:07.393730Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-20T14:08:13.645Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "typo3", "vendor": "TYPO3", "versions": [ { "status": "affected", "version": "\u003e= 9.0.0, \u003c 9.5.51" }, { "status": "affected", "version": "\u003e= 10.0.0, \u003c 10.4.50" }, { "status": "affected", "version": "\u003e= 11.0.0, \u003c 11.5.44" }, { "status": "affected", "version": "\u003e= 12.0.0, \u003c 12.4.31" }, { "status": "affected", "version": "\u003e= 13.0.0, \u003c 13.4.12" } ] } ], "descriptions": [ { "lang": "en", "value": "TYPO3 is an open source, PHP based web content management system. By design, the file management module in TYPO3\u2019s backend user interface has historically allowed the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries (e.g., `.exe` files), or files with inconsistent file extensions and MIME types (for example, a file incorrectly named with a `.png` extension but actually carrying the MIME type `application/zip`) starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS. Although such files are not directly executable through the web server, their presence can introduce indirect risks. For example, third-party services such as antivirus scanners or malware detection systems might flag or block access to the website for end users if suspicious files are found. This could negatively affect the availability or reputation of the site. Users should update to TYPO3 version 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, or 13.4.12 LTS to fix the problem." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-351", "description": "CWE-351: Insufficient Type Distinction", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-20T14:00:07.977Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/TYPO3/typo3/security/advisories/GHSA-9hq9-cr36-4wpj", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-9hq9-cr36-4wpj" }, { "name": "https://typo3.org/security/advisory/typo3-core-sa-2025-014", "tags": [ "x_refsource_MISC" ], "url": "https://typo3.org/security/advisory/typo3-core-sa-2025-014" } ], "source": { "advisory": "GHSA-9hq9-cr36-4wpj", "discovery": "UNKNOWN" }, "title": "TYPO3 CMS Vulnerable to Unrestricted File Upload in File Abstraction Layer" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-47939", "datePublished": "2025-05-20T14:00:07.977Z", "dateReserved": "2025-05-14T10:32:43.530Z", "dateUpdated": "2025-05-20T14:08:13.645Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-54412 (GCVE-0-2025-54412)
Vulnerability from cvelistv5
Published
2025-07-26 03:29
Modified
2025-07-28 13:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-351 - Insufficient Type Distinction
Summary
skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain a inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke seemingly safe functions and escalate to arbitrary code execution with minimal and misleading trusted types. This is fixed in version 0.12.0.
References
► | URL | Tags | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-54412", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-28T13:55:45.240203Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-28T13:55:57.057Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "skops", "vendor": "skops-dev", "versions": [ { "status": "affected", "version": "\u003c 0.12.0" } ] } ], "descriptions": [ { "lang": "en", "value": "skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain a inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke seemingly safe functions and escalate to arbitrary code execution with minimal and misleading trusted types. This is fixed in version 0.12.0." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-351", "description": "CWE-351: Insufficient Type Distinction", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-26T03:29:10.918Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3" }, { "name": "https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603" }, { "name": "https://github.com/skops-dev/skops/releases/tag/v0.12.0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/skops-dev/skops/releases/tag/v0.12.0" } ], "source": { "advisory": "GHSA-m7f4-hrc6-fwg3", "discovery": "UNKNOWN" }, "title": "skops\u0027 Inconsistent Trusted Type Validation Enables Hidden `operator` Methods Execution" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-54412", "datePublished": "2025-07-26T03:29:10.918Z", "dateReserved": "2025-07-21T23:18:10.280Z", "dateUpdated": "2025-07-28T13:55:57.057Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-54413 (GCVE-0-2025-54413)
Vulnerability from cvelistv5
Published
2025-07-26 03:29
Modified
2025-07-28 13:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-351 - Insufficient Type Distinction
Summary
skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0.
References
► | URL | Tags |
---|---|---|
|
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-54413", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-28T13:59:46.714447Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-28T13:59:58.255Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "skops", "vendor": "skops-dev", "versions": [ { "status": "affected", "version": "\u003c 12.0.0" } ] } ], "descriptions": [ { "lang": "en", "value": "skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-351", "description": "CWE-351: Insufficient Type Distinction", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-26T03:29:43.716Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/skops-dev/skops/security/advisories/GHSA-4v6w-xpmh-gfgp" }, { "name": "https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/skops-dev/skops/security/advisories/GHSA-m7f4-hrc6-fwg3" }, { "name": "https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/skops-dev/skops/commit/0aeca055509dfb48c1506870aabdd9e247adf603" }, { "name": "https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing", "tags": [ "x_refsource_MISC" ], "url": "https://drive.google.com/drive/folders/1bmVV18mnPbWy21hVYgf51yVJpf78vtB_?usp=sharing" }, { "name": "https://github.com/skops-dev/skops/releases/tag/v0.12.0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/skops-dev/skops/releases/tag/v0.12.0" } ], "source": { "advisory": "GHSA-4v6w-xpmh-gfgp", "discovery": "UNKNOWN" }, "title": "skops\u0027 MethodNode can access unexpected object fields through dot notation, leading to arbitrary code execution at load time" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-54413", "datePublished": "2025-07-26T03:29:43.716Z", "dateReserved": "2025-07-21T23:18:10.280Z", "dateUpdated": "2025-07-28T13:59:58.255Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.