The Vulnerability History Project


Tags are one of the main ways we organize vulnerabilities in VHP. Tags can be gathered automatically, manually, or with a combination of both. The different types of tags are described below.

Lesson tags are about broader lessons that can be learned from that vulnerability. These are security principles and engineering pitfalls that we believe should be taught to all software engineers.

Discovered tags are about how the vulnerability was originally found.

Lifetime tags indicate how long we believe the vulnerability remained in the system.

CWE, or Common Weakness Enumeration, tags are manually assigned by curators to describe the particular type of vulnerability.

Subsystem tags are the curators' best efforts at determining what part of the system this vulnerability affected.

Project tags identify the case study (project) the vulnerability comes from.

Language tags record the programming language of the source code that was fixed.

Severity tags are derived from the NVD's CVSS scores for the vulnerability.

Lesson tags: Changing Owners, Code Refactors, Complex Inputs, Defense in Depth, Distrust Input, Environment Variables, Escaped Test, Fix Untested, Frameworks are Optional, Lacked Test, Least Privilege, Native Wrappers, Reverting Codebase, Secure By Default, Security By Obscurity, Serial Killer, Too Many Cooks, You Ain't Gonna Need It

Discovered tags: Discovered Automatically, Discovered Externally, Discovered in Contest, Discovered Internally, Discovered Manually, Not Auto Discoverable

Lifetime tags: Less than 30 days, 30 to 90 days, 90 to 180 days, 180 days to 1 year, 1 to 2 years, 2 to 5 years, 5+ years

CWE tags: CWE-16: Configuration; CWE-19: Data Processing Errors; CWE-20: Improper Input Validation; CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-23: Relative Path Traversal; CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS); CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'); CWE-121: Stack-based Buffer Overflow; CWE-122: Heap-based Buffer Overflow; CWE-125: Out-of-bounds Read; CWE-126: Buffer Over-read; CWE-129: Improper Validation of Array Index; CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences; CWE-159: Failure to Sanitize Special Element; CWE-184: Incomplete Blacklist; CWE-189: Numeric Errors; CWE-190: Integer Overflow or Wraparound; CWE-193: Off-by-one Error; CWE-200: Information Exposure; CWE-201: Information Exposure Through Sent Data; CWE-203: Information Exposure Through Discrepancy; CWE-254: 7PK - Security Features; CWE-255: Credentials Management Errors; CWE-264: Permissions, Privileges, and Access Controls; CWE-266: Incorrect Privilege Assignment; CWE-267: Privilege Defined With Unsafe Actions; CWE-269: Improper Privilege Management; CWE-276: Incorrect Default Permissions; CWE-279: Incorrect Execution-Assigned Permissions; CWE-284: Improper Access Control; CWE-285: Improper Authorization; CWE-287: Improper Authentication; CWE-290: Authentication Bypass by Spoofing; CWE-294: Authentication Bypass by Capture-replay; CWE-295: Improper Certificate Validation; CWE-297: Improper Validation of Certificate with Host Mismatch; CWE-310: Cryptographic Issues; CWE-311: Missing Encryption of Sensitive Data; CWE-345: Insufficient Verification of Data Authenticity; CWE-346: Origin Validation Error; CWE-347: Improper Verification of Cryptographic Signature; CWE-352: Cross-Site Request Forgery (CSRF); CWE-358: Improperly Implemented Security Check for Standard; CWE-359: Exposure of Private Information ('Privacy Violation'); CWE-361: 7PK - Time and State; CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'); CWE-366: Race Condition within a Thread; CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition; CWE-399: Resource Management Errors; CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion'); CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak'); CWE-404: Improper Resource Shutdown or Release; CWE-415: Double Free; CWE-416: Use After Free; CWE-426: Untrusted Search Path; CWE-434: Unrestricted Upload of File with Dangerous Type; CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling'); CWE-451: User Interface (UI) Misrepresentation of Critical Information; CWE-457: Use of Uninitialized Variable; CWE-459: Incomplete Cleanup; CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'); CWE-476: NULL Pointer Dereference; CWE-488: Exposure of Data Element to Wrong Session; CWE-502: Deserialization of Untrusted Data; CWE-601: URL Redirection to Untrusted Site ('Open Redirect'); CWE-617: Reachable Assertion; CWE-641: Improper Restriction of Names for Files and Other Resources; CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax; CWE-653: Insufficient Compartmentalization; CWE-664: Improper Control of a Resource Through its Lifetime; CWE-665: Improper Initialization; CWE-668: Exposure of Resource to Wrong Sphere; CWE-680: Integer Overflow to Buffer Overflow; CWE-682: Incorrect Calculation; CWE-703: Improper Check or Handling of Exceptional Conditions; CWE-704: Incorrect Type Conversion or Cast; CWE-707: Improper Enforcement of Message or Data Structure; CWE-732: Incorrect Permission Assignment for Critical Resource; CWE-749: Exposed Dangerous Method or Function; CWE-754: Improper Check for Unusual or Exceptional Conditions; CWE-763: Release of Invalid Pointer or Reference; CWE-787: Out-of-bounds Write; CWE-789: Uncontrolled Memory Allocation; CWE-807: Reliance on Untrusted Inputs in a Security Decision; CWE-824: Access of Uninitialized Pointer; CWE-825: Expired Pointer Dereference; CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop'); CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

Chromium subsystem tags: appcache, audio, autofill, blink, blink svg, blink/storage, browser, cc, chrome, common, content, devtools, dom, extensions, extensions - renderer, ffmpeg, gpu, harfbuzz, internals, libxml, media, net, omnibox, openjpeg, pdf, pdfium, platform > extensions, plugins, renderer, safebrowsing, service worker, serviceworker, skia, speech, ssl, svg, ui, v8, video, webcore, webdata, webgl, webkit, webkit/blink, websockets

HTTPD subsystem tags: cache, core, http, http2, mod_ssl, proxy, server, ssl

Struts subsystem tags: interceptor, mapper, ognl, validator, xwork, xwork-core, xwork2

FFmpeg subsystem tags: avcodec, avfilter, avformat, libavcodec

systemd subsystem tags: core, dbus, journald, polkit, resolve, shared, systemd-journald, vconsole

Tomcat subsystem tags: authenticator, catalina, http11

Project tags: Chromium, Django, FFmpeg, HTTPD, Struts, systemd, Tomcat

Language tags: C, C++, Java, Javascript, Python

Severity tags: Attack Vector - Local, Attack Vector - Network, Attack Complexity - Low, Attack Complexity - Medium, Attack Complexity - High, Privileges Required - None, Privileges Required - Low, Confidentiality Impact - Partial, Confidentiality Impact - Complete, Integrity Impact - Partial, Integrity Impact - Complete, Availability Impact - Partial, Availability Impact - Complete

Other tags: Bounty Awarded, Dependency Issue, Discussion: Any, Discussion: Security, Fix: Big, Fix: Small, Forgotten Check, i18n, Order of Operations, Origin Vulnerability, Sandbox, Specification, Stacktrace: Any, Util, VCC, Vouch

Tags are sized by the number of times they have been applied. Tags with zero or one vulnerability are not shown.

What is a VCC?

A **Vulnerability-Contributing Commit** is the change to source code that is likely the origin of a vulnerability. Finding a VCC is our attempt at finding the original mistake that was made... and missed... that led to a vulnerability. Full Article

Let's Just Undo That

A revert is when a commit is reversed, indicating that developers have decided to roll back changes that were originally approved and integrated into the system. Full Article

Beware of complex inputs

Don't just think about code complexity, think about *input* complexity. Full Article

Bad things happen when integers wrap around

Loop counters, file sizes, malloc arguments, session tokens, primary keys... numbers are everywhere in our code. What happens when our numbers get very, _very_ big? Integer overflow, or wraparound, is much more dangerous than it seems. Full Article