CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,867 CVEs tracked | 53,243 with exploits | 4,725 exploited in wild | 1,540 CISA KEV | 3,925 Nuclei templates | 37,802 vendors | 42,500 researchers
173 results
CVE-2023-39948 7.5 HIGH EPSS 0.00
eprosima Fast DDS <2.10.0, <2.6.5 - Use After Free
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.10.0 and 2.6.5, the `BadParamException` thrown by Fast CDR is not caught in Fast DDS. This can remotely crash any Fast DDS process. Versions 2.10.0 and 2.6.5 contain a patch for this issue.
CWE-248 Aug 11, 2023
CVE-2023-39945 8.2 HIGH 1 Writeup EPSS 0.00
eprosima Fast DDS <2.11.0-2.6.5 - Crash
eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5, a data submessage sent to PDP port raises unhandled `BadParamException` in fastcdr, which in turn crashes fastdds. Versions 2.11.0, 2.10.2, 2.9.2, and 2.6.5 contain a patch for this issue.
CWE-248 Aug 11, 2023
CVE-2023-3774 4.9 MEDIUM EPSS 0.01
Hashicorp Vault - Improper Exception Handling
An unhandled error in Vault Enterprise's namespace creation may cause the Vault process to crash, potentially resulting in denial of service. Fixed in 1.14.1, 1.13.5, and 1.12.9.
CWE-755 Jul 28, 2023
CVE-2023-38504 7.5 HIGH 1 Writeup EPSS 0.00
Sails <1.5.7 - DoS
Sails is a realtime MVC Framework for Node.js. In Sails apps prior to version 1.5.7, an attacker can send a virtual request that will cause the node process to crash. This behavior was fixed in Sails v1.5.7. As a workaround, disable the sockets hook and remove the `sails.io.js` client.
CWE-248 Jul 27, 2023
CVE-2023-1691 7.5 HIGH EPSS 0.00
Product Version - Info Disclosure
Vulnerability of failures to capture exceptions in the communication framework. Successful exploitation of this vulnerability may cause features to perform abnormally.
CWE-248 Jul 06, 2023
CVE-2023-3405 7.5 HIGH EPSS 0.00
M-files Server < 23.6.12695.3 - Denial of Service
Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows an anonymous user to cause denial of service.
CWE-248 Jun 27, 2023
CVE-2023-31125 6.5 MEDIUM 1 Writeup EPSS 0.01
Engine.IO <5.1.0 - DoS
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the `engine.io` package, including those who use depending packages like `socket.io`. This issue was fixed in version 6.4.2 of Engine.IO. There is no known workaround except upgrading to a safe version.
CWE-248 May 08, 2023
CVE-2023-2251 7.5 HIGH 1 Writeup EPSS 0.00
eemeli/yaml <2.0.0-5 - Info Disclosure
Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5.
CWE-248 Apr 24, 2023
CVE-2023-21087 5.5 MEDIUM EPSS 0.00
Google Android - Denial of Service
In PreferencesHelper.java, an uncaught exception may cause the device to get stuck in a boot loop. This could lead to local persistent denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-261723753
CWE-248 Apr 19, 2023
CVE-2023-29520 4.3 MEDIUM EPSS 0.00
Xwiki < 13.10.11 - Improper Exception Handling
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to break many translations coming from wiki pages by creating a corrupted document containing a translation object. This will lead to a broken page. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. Users are advised to upgrade. There are no workarounds other than fixing any way to create a document that fails to load.
CWE-755 Apr 19, 2023
CVE-2023-20628 6.7 MEDIUM EPSS 0.00
Thermal - Memory Corruption
In thermal, there is a possible memory corruption due to an uncaught exception. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07494460; Issue ID: ALPS07494460.
CWE-248 Mar 07, 2023
CVE-2023-22941 6.5 MEDIUM 1 PoC Analysis EPSS 0.01
Splunk Enterprise <8.1.13, 8.2.10, 9.0.4 - DoS
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).
CWE-248 Feb 14, 2023
CVE-2023-0790 7.6 HIGH 1 Writeup EPSS 0.00
thorsten/phpmyfaq <3.1.11 - Info Disclosure
Uncaught Exception in GitHub repository thorsten/phpmyfaq prior to 3.1.11.
CWE-248 Feb 12, 2023
CVE-2023-23932 5.3 MEDIUM EPSS 0.00
OpenDDS <3.23.1 - Info Disclosure
OpenDDS is an open source C++ implementation of the Object Management Group (OMG) Data Distribution Service (DDS). OpenDDS applications that are exposed to untrusted RTPS network traffic may crash when parsing badly-formed input. This issue has been patched in version 3.23.1.
CWE-248 Feb 03, 2023
CVE-2023-0158 7.5 HIGH EPSS 0.00
NLnet Labs Krill <0.12.1 - DoS
NLnet Labs Krill supports direct access to the RRDP repository content through its built-in web server at the "/rrdp" endpoint. Prior to 0.12.1 a direct query for any existing directory under "/rrdp/", rather than an RRDP file such as "/rrdp/notification.xml" as would be expected, causes Krill to crash. If the built-in "/rrdp" endpoint is exposed directly to the internet, then malicious remote parties can cause the publication server to crash. The repository content is not affected by this, but the availability of the server and repository can cause issues if this attack is persistent and is not mitigated.
CWE-248 Jan 17, 2023
CVE-2023-22477 5.3 MEDIUM EPSS 0.00
Mercurius < 8.13.2 - Denial of Service
Mercurius is a GraphQL adapter for Fastify. Any users of Mercurius until version 10.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket to `/graphql`. This issue was patched in #940. As a workaround, users can disable subscriptions.
CWE-248 Jan 09, 2023
CVE-2022-38166 7.5 HIGH EPSS 0.00
F-Secure Endpoint Protection - DoS
In F-Secure Endpoint Protection for Windows and macOS before channel with Capricorn database 2022-11-22_07, the aerdl.dll unpacker handler crashes. This can lead to a scanning engine crash, triggerable remotely by an attacker for denial of service.
CWE-248 Nov 25, 2022
CVE-2022-3500 5.1 MEDIUM EPSS 0.00
keylime - Info Disclosure
A vulnerability was found in keylime. In some circumstances, due to improperly handled exceptions, a rogue agent could create errors on the verifier that stop attestation attempts for that host, leaving it in an attested state while it is no longer being verified.
CWE-248 Nov 22, 2022
CVE-2022-41940 7.1 HIGH 1 Writeup EPSS 0.02
Engine.IO - DoS
Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io package, including those who use depending packages like socket.io. There is no known workaround except upgrading to a safe version. There are patches for this issue released in versions 3.6.1 and 6.2.1.
CWE-248 Nov 22, 2022
CVE-2022-39386 7.5 HIGH EPSS 0.00
@fastify/websocket - DoS
@fastify/websocket provides WebSocket support for Fastify. Any application using @fastify/websocket could crash if a specific, malformed packet is sent. All versions of fastify-websocket are also impacted. That module is deprecated, so it will not be patched. This has been patched in version 7.1.1 (fastify v4) and version 5.0.1 (fastify v3). There are currently no known workarounds. However, it should be possible to attach the error handler manually. The recommended path is upgrading to the patched versions.
CWE-248 Nov 08, 2022