The Vulnerability History Project


Tags are one of the main ways we organize vulnerabilities in VHP. Tags can be gathered automatically, manually, or with a combination of both. The different types of tags are described below.

Lesson tags are about broader lessons that can be learned from that vulnerability. These are security principles and engineering pitfalls that we believe should be taught to all software engineers.

Discovered tags are about how the vulnerability was originally found.

Lifetime tags indicate how long we believe the vulnerability remained in the system.

CWE, or Common Weakness Enumeration, tags are manually assigned by curators to describe the particular type of vulnerability.

Subsystem tags are the curators' best efforts at determining what part of the system this vulnerability affected.

Project tags indicate which case study the vulnerability comes from.

Language tags indicate the language of the source code that was fixed.

Severity tags are based on the NVD's CVSS.

Lesson tags:
- Lesson: Changing Owners
- Lesson: Code Refactors
- Lesson: Complex Inputs
- Lesson: Defense in Depth
- Lesson: Distrust Input
- Lesson: Environment Variables
- Lesson: Error of Omission
- Lesson: Escaped Test
- Lesson: Fix Untested
- Lesson: Frameworks are Optional
- Lesson: Lacked Test Specification
- Lesson: Least Privilege
- Lesson: Native Wrappers
- Lesson: Reverting Codebase
- Lesson: Secure By Default
- Lesson: Security By Obscurity
- Lesson: Serial Killer
- Lesson: Too Many Cooks
- Lesson: You Ain't Gonna Need It

Discovered tags:
- Discovered Internally
- Discovered Externally
- Discovered Manually
- Discovered Automatically
- Discovered in Contest
- Not Auto Discoverable

Lifetime tags:
- Lifetime: Less than 30 days
- Lifetime: 30 to 90 days
- Lifetime: 90 to 180 days
- Lifetime: 180 days to 1 year
- Lifetime: 1 to 2 years
- Lifetime: 2 to 5 years
- Lifetime: 5+ years

CWE tags:
- CWE-16: Configuration
- CWE-19: Data Processing Errors
- CWE-20: Improper Input Validation
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-23: Relative Path Traversal
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-125: Out-of-bounds Read
- CWE-126: Buffer Over-read
- CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
- CWE-159: Failure to Sanitize Special Element
- CWE-184: Incomplete Blacklist
- CWE-189: Numeric Errors
- CWE-190: Integer Overflow or Wraparound
- CWE-193: Off-by-one Error
- CWE-200: Information Exposure
- CWE-254: 7PK - Security Features
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-267: Privilege Defined With Unsafe Actions
- CWE-269: Improper Privilege Management
- CWE-279: Incorrect Execution-Assigned Permissions
- CWE-284: Improper Access Control
- CWE-287: Improper Authentication
- CWE-294: Authentication Bypass by Capture-replay
- CWE-295: Improper Certificate Validation
- CWE-310: Cryptographic Issues
- CWE-311: Missing Encryption of Sensitive Data
- CWE-346: Origin Validation Error
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-358: Improperly Implemented Security Check for Standard
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-399: Resource Management Errors
- CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
- CWE-404: Improper Resource Shutdown or Release
- CWE-415: Double Free
- CWE-416: Use After Free
- CWE-426: Untrusted Search Path
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- CWE-459: Incomplete Cleanup
- CWE-476: NULL Pointer Dereference
- CWE-502: Deserialization of Untrusted Data
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-641: Improper Restriction of Names for Files and Other Resources
- CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
- CWE-668: Exposure of Resource to Wrong Sphere
- CWE-682: Incorrect Calculation
- CWE-704: Incorrect Type Conversion or Cast
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-787: Out-of-bounds Write
- CWE-789: Uncontrolled Memory Allocation
- CWE-824: Access of Uninitialized Pointer
- CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

Subsystem tags (Chromium):
- Chromium subsystem: appcache
- Chromium subsystem: audio
- Chromium subsystem: autofill
- Chromium subsystem: blink
- Chromium subsystem: blink svg
- Chromium subsystem: blink/storage
- Chromium subsystem: browser
- Chromium subsystem: cc
- Chromium subsystem: chrome
- Chromium subsystem: common
- Chromium subsystem: content
- Chromium subsystem: devtools
- Chromium subsystem: dom
- Chromium subsystem: extensions
- Chromium subsystem: extensions - renderer
- Chromium subsystem: ffmpeg
- Chromium subsystem: gpu
- Chromium subsystem: harfbuzz
- Chromium subsystem: internals
- Chromium subsystem: libxml
- Chromium subsystem: media
- Chromium subsystem: net
- Chromium subsystem: omnibox
- Chromium subsystem: openjpeg
- Chromium subsystem: pdf
- Chromium subsystem: pdfium
- Chromium subsystem: platform>extensions
- Chromium subsystem: plugins
- Chromium subsystem: renderer
- Chromium subsystem: safebrowsing
- Chromium subsystem: service worker
- Chromium subsystem: serviceworker
- Chromium subsystem: skia
- Chromium subsystem: speech
- Chromium subsystem: ssl
- Chromium subsystem: svg
- Chromium subsystem: ui
- Chromium subsystem: v8
- Chromium subsystem: video
- Chromium subsystem: webcore
- Chromium subsystem: webdata
- Chromium subsystem: webgl
- Chromium subsystem: webkit
- Chromium subsystem: webkit blink
- Chromium subsystem: websockets

Subsystem tags (HTTPD):
- HTTPD subsystem: cache
- HTTPD subsystem: core
- HTTPD subsystem: http
- HTTPD subsystem: http2
- HTTPD subsystem: mod_ssl
- HTTPD subsystem: proxy
- HTTPD subsystem: server
- HTTPD subsystem: ssl

Subsystem tags (Struts):
- Struts subsystem: interceptor i18n
- Struts subsystem: mapper
- Struts subsystem: ognl
- Struts subsystem: validator
- Struts subsystem: xwork
- Struts subsystem: xwork-core
- Struts subsystem: xwork2

Subsystem tags (systemd):
- systemd subsystem: core
- systemd subsystem: dbus
- systemd subsystem: journald
- systemd subsystem: polkit
- systemd subsystem: shared
- systemd subsystem: systemd-journald
- systemd subsystem: vconsole

Subsystem tags (Tomcat):
- Tomcat subsystem: authenticator
- Tomcat subsystem: catalina
- Tomcat subsystem: http11

Project tags:
- Project: Chromium
- Project: Django
- Project: FFmpeg
- Project: HTTPD
- Project: Struts
- Project: systemd
- Project: Tomcat

Language tags:
- Language: C
- Language: C++
- Language: Java
- Language: Javascript
- Language: Python

Severity tags:
- Severity: Attack Vector - Local
- Severity: Attack Vector - Network
- Severity: Attack Complexity - Low
- Severity: Attack Complexity - Medium
- Severity: Attack Complexity - High
- Severity: Privileges Required - None
- Severity: Privileges Required - Low
- Severity: Confidentiality Impact - Partial
- Severity: Confidentiality Impact - Complete
- Severity: Integrity Impact - Partial
- Severity: Integrity Impact - Complete
- Severity: Availability Impact - Partial
- Severity: Availability Impact - Complete

Other tags:
- Fix: Small
- Fix: Big
- Stacktrace: Any
- Discussion: Any
- Discussion: Security
- Bounty Awarded
- Dependency Issue
- Forgotten Check
- Origin Vulnerability
- Sandbox
- VCC
- Vouch

Tags are sized by the number of times they have been applied. Tags with zero or one vulnerability are not shown.

What is a VCC?

A **Vulnerability-Contributing Commit** is the change to source code that is likely the origin of a vulnerability. Finding a VCC is our attempt at finding the original mistake that was made... and missed... that led to a vulnerability. Full Article

Let's Just Undo That

A revert is when a commit is reversed, indicating that developers have decided to roll back changes that were originally approved and integrated into the system. Full Article

Beware of complex inputs

Don't just think about code complexity, think about *input* complexity. Full Article

Bad things happen when integers wrap around

Loop counters, file sizes, malloc arguments, session tokens, primary keys... numbers are everywhere in our code. What happens when our numbers get very, _very_ big? Integer overflow, or wraparound, is much more dangerous than it seems. Full Article
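As an added illustration of the lesson above (example code written for this page, not VHP's code or code from any of its case studies), the snippet below shows the most common shape of an integer wraparound in C: a `count * elem` size computation that wraps before it ever reaches `malloc`, so a buffer far smaller than intended is handed to code that still believes it holds `count` entries. The unchecked function sits beside the checks a reviewer would ask for, plus the signed variant where `INT32_MAX + 1` is undefined behaviour rather than a wrap. A 32-bit size type and the input values are constructed so the wrap is visible on any host; all function names are made up for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example (not VHP's code). A 32-bit size type is used on purpose so
 * the wraparound is reproducible on 64-bit hosts. */

/* Naive size computation. Unsigned multiplication is defined to wrap modulo
 * 2^32, so a huge count quietly turns into a tiny allocation request. */
uint32_t naive_alloc_size(uint32_t count, uint32_t elem) {
    return count * elem;
}

/* The check a reviewer wants to see: does count * elem fit in 32 bits?
 * elem == 0 is handled first so the division is always safe. */
bool alloc_size_overflows(uint32_t count, uint32_t elem) {
    return elem != 0 && count > UINT32_MAX / elem;
}

/* Allocate count elements of elem bytes, or refuse with NULL when the size
 * would wrap. Callers must treat NULL as failure, never as "zero bytes". */
void *safe_alloc(uint32_t count, uint32_t elem) {
    if (alloc_size_overflows(count, elem)) return NULL;
    return malloc((size_t)count * elem);
}

/* Convenience wrapper: true when safe_alloc accepts these arguments. */
bool safe_alloc_ok(uint32_t count, uint32_t elem) {
    void *p = safe_alloc(count, elem);
    if (p == NULL) return false;
    free(p);
    return true;
}

/* Signed variant: a length read from a file header and incremented before
 * use. Signed overflow is undefined behaviour in C, so widen to 64 bits
 * before adding and reject any result that no longer fits. Returns -1 on
 * failure, which is never a valid length. */
int64_t checked_length_plus_one(int32_t len) {
    if (len < 0) return -1;
    int64_t wide = (int64_t)len + 1;
    return wide > INT32_MAX ? -1 : wide;
}

int main(void) {
    /* Constructed input: 0x40000001 four-byte elements is 4294967300 bytes,
     * which wraps to 4. A 4-byte buffer then gets written as if it held over
     * a billion entries: the out-of-bounds write follows from the overflow. */
    uint32_t count = 0x40000001u, elem = 4u;
    printf("naive size    : %u bytes (wrapped)\n",
           (unsigned)naive_alloc_size(count, elem));
    printf("overflows?    : %s\n",
           alloc_size_overflows(count, elem) ? "yes" : "no");
    printf("safe_alloc    : %s\n",
           safe_alloc(count, elem) == NULL ? "refused" : "allocated");
    printf("INT32_MAX + 1 : %lld\n",
           (long long)checked_length_plus_one(INT32_MAX));
    return 0;
}
```

The division-based check is portable C; on GCC and Clang, `__builtin_mul_overflow(count, elem, &out)` expresses the same test in one call and also covers signed types. Either way the point is the same: the check has to happen before the multiplication result is used, because after the wrap there is nothing left to detect.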