The Vulnerability History Project


Tags are one of the main ways we organize vulnerabilities in VHP. Tags can be gathered automatically, manually, or with a combination of both. The different types of tags are described below.

Lesson tags are about broader lessons that can be learned from that vulnerability. These are security principles and engineering pitfalls that we believe should be taught to all software engineers.

Discovered tags are about how the vulnerability was originally found.

Lifetime tags indicate how long we believe the vulnerability remained in the system.

CWE, or Common Weakness Enumeration, tags are manually assigned by curators to describe the particular type of vulnerability.

Subsystem tags are the curators' best efforts at determining what part of the system this vulnerability affected.

Project tags are the case study the vulnerability is from.

Language tags are what type of source code was fixed.

Severity tags are based on the NVD's CVSS.

Lesson tags: Frameworks are Optional; Least Privilege; Environment Variables; Defense in Depth; Fix Untested; Reverting Codebase; Too Many Cooks; Lacked Test; Security By Obscurity; Secure By Default; Complex Inputs; Code Refactors; Serial Killer; Distrust Input; You Ain't Gonna Need It; Changing Owners; Native Wrappers.

Discovered tags: Discovered Manually; Discovered Automatically; Discovered in Contest; Discovered Externally; Discovered Internally; Not Auto Discoverable.

Lifetime tags: Less than 30 days; 30 to 90 days; 90 to 180 days; 180 days to 1 year; 1 to 2 years; 2 to 5 years; 5+ years.

CWE tags: CWE-16: Configuration; CWE-19: Data Processing Errors; CWE-20: Improper Input Validation; CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-23: Relative Path Traversal; CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'); CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS); CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages; CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-116: Improper Encoding or Escaping of Output; CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'); CWE-121: Stack-based Buffer Overflow; CWE-122: Heap-based Buffer Overflow; CWE-125: Out-of-bounds Read; CWE-126: Buffer Over-read; CWE-129: Improper Validation of Array Index; CWE-131: Incorrect Calculation of Buffer Size; CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences; CWE-159: Improper Handling of Invalid Use of Special Elements; CWE-183: Permissive List of Allowed Inputs; CWE-184: Incomplete List of Disallowed Inputs; CWE-185: Incorrect Regular Expression; CWE-189: Numeric Errors; CWE-190: Integer Overflow or Wraparound; CWE-193: Off-by-one Error; CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-201: Insertion of Sensitive Information Into Sent Data; CWE-203: Observable Discrepancy; CWE-209: Generation of Error Message Containing Sensitive Information; CWE-250: Execution with Unnecessary Privileges; CWE-252: Unchecked Return Value; CWE-254: 7PK - Security Features; CWE-255: Credentials Management Errors; CWE-264: Permissions, Privileges, and Access Controls; CWE-266: Incorrect Privilege Assignment; CWE-267: Privilege Defined With Unsafe Actions; CWE-269: Improper Privilege Management; CWE-276: Incorrect Default Permissions; CWE-279: Incorrect Execution-Assigned Permissions; CWE-281: Improper Preservation of Permissions; CWE-284: Improper Access Control; CWE-285: Improper Authorization; CWE-287: Improper Authentication; CWE-290: Authentication Bypass by Spoofing; CWE-294: Authentication Bypass by Capture-replay; CWE-295: Improper Certificate Validation; CWE-297: Improper Validation of Certificate with Host Mismatch; CWE-303: Incorrect Implementation of Authentication Algorithm; CWE-310: Cryptographic Issues; CWE-311: Missing Encryption of Sensitive Data; CWE-319: Cleartext Transmission of Sensitive Information; CWE-327: Use of a Broken or Risky Cryptographic Algorithm; CWE-330: Use of Insufficiently Random Values; CWE-345: Insufficient Verification of Data Authenticity; CWE-346: Origin Validation Error; CWE-347: Improper Verification of Cryptographic Signature; CWE-352: Cross-Site Request Forgery (CSRF); CWE-354: Improper Validation of Integrity Check Value; CWE-358: Improperly Implemented Security Check for Standard; CWE-359: Exposure of Private Personal Information to an Unauthorized Actor; CWE-361: 7PK - Time and State; CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'); CWE-366: Race Condition within a Thread; CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition; CWE-384: Session Fixation; CWE-399: Resource Management Errors; CWE-400: Uncontrolled Resource Consumption; CWE-401: Missing Release of Memory after Effective Lifetime; CWE-404: Improper Resource Shutdown or Release; CWE-415: Double Free; CWE-416: Use After Free; CWE-426: Untrusted Search Path; CWE-434: Unrestricted Upload of File with Dangerous Type; CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'); CWE-451: User Interface (UI) Misrepresentation of Critical Information; CWE-456: Missing Initialization of a Variable; CWE-457: Use of Uninitialized Variable; CWE-459: Incomplete Cleanup; CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'); CWE-476: NULL Pointer Dereference; CWE-488: Exposure of Data Element to Wrong Session; CWE-502: Deserialization of Untrusted Data; CWE-601: URL Redirection to Untrusted Site ('Open Redirect'); CWE-606: Unchecked Input for Loop Condition; CWE-617: Reachable Assertion; CWE-641: Improper Restriction of Names for Files and Other Resources; CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax; CWE-653: Improper Isolation or Compartmentalization; CWE-664: Improper Control of a Resource Through its Lifetime; CWE-665: Improper Initialization; CWE-667: Improper Locking; CWE-668: Exposure of Resource to Wrong Sphere; CWE-680: Integer Overflow to Buffer Overflow; CWE-681: Incorrect Conversion between Numeric Types; CWE-682: Incorrect Calculation; CWE-697: Incorrect Comparison; CWE-703: Improper Check or Handling of Exceptional Conditions; CWE-704: Incorrect Type Conversion or Cast; CWE-707: Improper Neutralization; CWE-732: Incorrect Permission Assignment for Critical Resource; CWE-749: Exposed Dangerous Method or Function; CWE-754: Improper Check for Unusual or Exceptional Conditions; CWE-755: Improper Handling of Exceptional Conditions; CWE-763: Release of Invalid Pointer or Reference; CWE-770: Allocation of Resources Without Limits or Throttling; CWE-787: Out-of-bounds Write; CWE-789: Memory Allocation with Excessive Size Value; CWE-791: Incomplete Filtering of Special Elements; CWE-807: Reliance on Untrusted Inputs in a Security Decision; CWE-824: Access of Uninitialized Pointer; CWE-825: Expired Pointer Dereference; CWE-834: Excessive Iteration; CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop'); CWE-843: Access of Resource Using Incompatible Type ('Type Confusion'); CWE-862: Missing Authorization; CWE-863: Incorrect Authorization; CWE-908: Use of Uninitialized Resource; CWE-909: Missing Initialization of Resource; CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'); CWE-1284: Improper Validation of Specified Quantity in Input.

Linux Kernel subsystem tags: arch; bluetooth; bpf; btrfs; crypto; drivers; fs; kvm; lib; net; usb.

Chromium subsystem tags: appcache; audio; autofill; base; blink; blink svg; browser; cc; chrome; clipboard; common; content; devtools; dom; downloads; extensions; ffmpeg; frame; gpu; harfbuzz; internals; libxml; media; navigation; net; network; omnibox; openjpeg; parser; pdf; pdfium; permissions; plugins; renderer; renderer_host; safebrowsing; serviceworker; sfntly; skia; speech; ssl; storage; svg; tab_contents; third_party; translate; ui; v8; video; views; web_contents; webcore; webdata; webgl; webkit; websockets; workers.

Django subsystem tags: admin; auth; authentication; backends; contrib; files; forms; http; middleware; models; sessions; urls; utils; views; xml_parsers.

systemd subsystem tags: core; dbus; journald; polkit; resolve; shared; systemd-journald; vconsole.

HTTPD subsystem tags: cache; core; http; http2; mod_ssl; proxy; server; ssl.

Struts subsystem tags: interceptor; mapper; ognl; validator; xwork; xwork core; xwork2.

FFmpeg subsystem tags: avcodec; avfilter; avformat; libavcodec.

Tomcat subsystem tags: authenticator; catalina.

Project tags: Chromium; Django; FFmpeg; HTTPD; Linux Kernel; Struts; systemd; Tomcat.

Language tags: C; C++; Java; Javascript; Python.

Severity tags: Attack Vector - Network; Attack Vector - Adjacent Network; Attack Vector - Local; Attack Vector - Physical; Attack Complexity - Low; Attack Complexity - Medium; Attack Complexity - High; Privileges Required - None; Privileges Required - Low; Privileges Required - High; User Interaction - None; User Interaction - Required; Scope - Unchanged; Scope - Changed; Confidentiality Impact - Low; Confidentiality Impact - Partial; Confidentiality Impact - High; Confidentiality Impact - Complete; Integrity Impact - Low; Integrity Impact - Partial; Integrity Impact - High; Integrity Impact - Complete; Availability Impact - Low; Availability Impact - Partial; Availability Impact - High; Availability Impact - Complete.

Other tags: Fix: Big; Fix: Small; Stacktrace: Any; Stacktrace: With Fix; Discussion: Any; Discussion: Security; Bounty Awarded; Dependency Issue; Forgotten Check; i18n; Order of Operations; Sandbox; Specification; Util; VCC; Vouch.

Tags are sized by the number of times they have been applied. Tags with zero or one vulnerability are not shown.

What is a VCC?

A **Vulnerability-Contributing Commit** is the change to source code that is likely the origin of a vulnerability. Finding a VCC is our attempt at finding the original mistake that was made... and missed... that led to a vulnerability. Full Article

Let's Just Undo That

A revert is when a commit is reversed, indicating that developers have decided to roll back changes that were originally approved and integrated into the system. Full Article

Beware of complex inputs

Don't just think about code complexity, think about *input* complexity. Full Article

Bad things happen when integers wrap around

Loop counters, file sizes, malloc arguments, session tokens, primary keys... numbers are everywhere in our code. What happens when our numbers get very, _very_ big? Integer overflow, or wraparound, is much more dangerous than it seems. Full Article