The Vulnerability History Project


Tags are one of the main ways we organize vulnerabilities in VHP. Tags can be gathered automatically, manually, or with a combination of both. The main types of tags are described below.

Lesson tags are about broader lessons that can be learned from that vulnerability. These are security principles and engineering pitfalls that we believe should be taught to all software engineers.

Discovered tags are about how the vulnerability was originally found.

Lifetime tags indicate how long we believe the vulnerability remained in the system.

CWE, or Common Weakness Enumeration, tags are manually assigned by curators to describe the particular type of vulnerability.

Subsystem tags are the curators' best efforts at determining what part of the system this vulnerability affected.

Project tags name the case-study project the vulnerability is from.

Language tags record the programming language of the source code that was fixed.

Severity tags are derived from the CVSS metrics that the NVD assigned to the vulnerability.

Tag cloud

Lesson tags:

- Lesson: Changing Owners
- Lesson: Code Refactors
- Lesson: Complex Inputs
- Lesson: Defense in Depth
- Lesson: Distrust Input
- Lesson: Environment Variables
- Lesson: Escaped Test
- Lesson: Fix Untested
- Lesson: Frameworks are Optional
- Lesson: Lacked Test
- Lesson: Least Privilege
- Lesson: Native Wrappers
- Lesson: Reverting Codebase
- Lesson: Secure By Default
- Lesson: Security By Obscurity
- Lesson: Serial Killer
- Lesson: Too Many Cooks
- Lesson: You Ain't Gonna Need It

Discovered tags:

- Discovered Automatically
- Discovered Manually
- Discovered Internally
- Discovered Externally
- Discovered in Contest
- Not Auto Discoverable
- Bounty Awarded

Lifetime tags:

- Lifetime: Less than 30 days
- Lifetime: 30 to 90 days
- Lifetime: 90 to 180 days
- Lifetime: 180 days to 1 year
- Lifetime: 1 to 2 years
- Lifetime: 2 to 5 years
- Lifetime: 5+ years

CWE tags:

- CWE-16: Configuration
- CWE-19: Data Processing Errors
- CWE-20: Improper Input Validation
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-23: Relative Path Traversal
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-121: Stack-based Buffer Overflow
- CWE-122: Heap-based Buffer Overflow
- CWE-125: Out-of-bounds Read
- CWE-126: Buffer Over-read
- CWE-129: Improper Validation of Array Index
- CWE-131: Incorrect Calculation of Buffer Size
- CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
- CWE-159: Failure to Sanitize Special Element
- CWE-183: Permissive Whitelist
- CWE-184: Incomplete Blacklist
- CWE-185: Incorrect Regular Expression
- CWE-189: Numeric Errors
- CWE-190: Integer Overflow or Wraparound
- CWE-193: Off-by-one Error
- CWE-200: Information Exposure
- CWE-201: Information Exposure Through Sent Data
- CWE-203: Information Exposure Through Discrepancy
- CWE-209: Information Exposure Through an Error Message
- CWE-250: Execution with Unnecessary Privileges
- CWE-252: Unchecked Return Value
- CWE-254: 7PK - Security Features
- CWE-255: Credentials Management Errors
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-266: Incorrect Privilege Assignment
- CWE-267: Privilege Defined With Unsafe Actions
- CWE-269: Improper Privilege Management
- CWE-276: Incorrect Default Permissions
- CWE-279: Incorrect Execution-Assigned Permissions
- CWE-281: Improper Preservation of Permissions
- CWE-284: Improper Access Control
- CWE-285: Improper Authorization
- CWE-287: Improper Authentication
- CWE-290: Authentication Bypass by Spoofing
- CWE-294: Authentication Bypass by Capture-replay
- CWE-295: Improper Certificate Validation
- CWE-297: Improper Validation of Certificate with Host Mismatch
- CWE-310: Cryptographic Issues
- CWE-311: Missing Encryption of Sensitive Data
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-330: Use of Insufficiently Random Values
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-346: Origin Validation Error
- CWE-347: Improper Verification of Cryptographic Signature
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-354: Improper Validation of Integrity Check Value
- CWE-358: Improperly Implemented Security Check for Standard
- CWE-359: Exposure of Private Information ('Privacy Violation')
- CWE-361: 7PK - Time and State
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-366: Race Condition within a Thread
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
- CWE-384: Session Fixation
- CWE-399: Resource Management Errors
- CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
- CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')
- CWE-404: Improper Resource Shutdown or Release
- CWE-415: Double Free
- CWE-416: Use After Free
- CWE-426: Untrusted Search Path
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
- CWE-451: User Interface (UI) Misrepresentation of Critical Information
- CWE-457: Use of Uninitialized Variable
- CWE-459: Incomplete Cleanup
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
- CWE-476: NULL Pointer Dereference
- CWE-488: Exposure of Data Element to Wrong Session
- CWE-502: Deserialization of Untrusted Data
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-606: Unchecked Input for Loop Condition
- CWE-617: Reachable Assertion
- CWE-641: Improper Restriction of Names for Files and Other Resources
- CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
- CWE-653: Insufficient Compartmentalization
- CWE-664: Improper Control of a Resource Through its Lifetime
- CWE-665: Improper Initialization
- CWE-667: Improper Locking
- CWE-668: Exposure of Resource to Wrong Sphere
- CWE-680: Integer Overflow to Buffer Overflow
- CWE-681: Incorrect Conversion between Numeric Types
- CWE-682: Incorrect Calculation
- CWE-697: Incorrect Comparison
- CWE-703: Improper Check or Handling of Exceptional Conditions
- CWE-704: Incorrect Type Conversion or Cast
- CWE-707: Improper Enforcement of Message or Data Structure
- CWE-732: Incorrect Permission Assignment for Critical Resource
- CWE-749: Exposed Dangerous Method or Function
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-755: Improper Handling of Exceptional Conditions
- CWE-763: Release of Invalid Pointer or Reference
- CWE-770: Allocation of Resources Without Limits or Throttling
- CWE-787: Out-of-bounds Write
- CWE-789: Uncontrolled Memory Allocation
- CWE-791: Incomplete Filtering of Special Elements
- CWE-807: Reliance on Untrusted Inputs in a Security Decision
- CWE-824: Access of Uninitialized Pointer
- CWE-825: Expired Pointer Dereference
- CWE-834: Excessive Iteration
- CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
- CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
- CWE-862: Missing Authorization
- CWE-863: Incorrect Authorization
- CWE-908: Use of Uninitialized Resource
- CWE-909: Missing Initialization of Resource

Subsystem tags:

- Chromium subsystem: appcache, audio, autofill, blink, blink svg, blink/storage, browser, cc, chrome, common, content, devtools, dom, extensions, extensions - renderer, ffmpeg, gpu, harfbuzz, internals, libxml, media, omnibox, openjpeg, pdf, pdfium, platform>extensions, plugins, renderer, safebrowsing, service worker, serviceworker, skia, speech, svg, v8, video, webcore, webdata, webgl, webkit, webkit blink i18n, websockets
- Django subsystem: admin, forms, middleware, model, sessions, ui, utils, views
- FFmpeg subsystem: avcodec, avfilter, avformat, libavcodec
- HTTPD subsystem: cache, http, mod_ssl, proxy, server, ssl
- Linux Kernel subsystem: arch, bluetooth, bpf, btrfs, crypto, drivers, fs, kvm, lib, net, usb
- Struts subsystem: interceptor, mapper, ognl, validator, xwork, xwork core, xwork2
- systemd subsystem: dbus, journald, polkit, resolve, shared, systemd-journald, vconsole
- Tomcat subsystem: authentication, authenticator, catalina, core, http2, resources, startup

Project tags:

- Project: Chromium
- Project: Django
- Project: FFmpeg
- Project: HTTPD
- Project: Linux Kernel
- Project: Struts
- Project: systemd
- Project: Tomcat

Language tags:

- Language: C
- Language: C++
- Language: Java
- Language: Javascript
- Language: Python

Severity tags:

- Severity: Attack Vector - Network, Adjacent Network, Local, Physical
- Severity: Attack Complexity - Low, Medium, High
- Severity: Privileges Required - None, Low, High
- Severity: User Interaction - None, Required
- Severity: Scope - Unchanged, Changed
- Severity: Confidentiality Impact - Low, Partial, High, Complete
- Severity: Integrity Impact - Low, Partial, High, Complete
- Severity: Availability Impact - Low, Partial, High, Complete

Other tags:

- Fix: Big
- Fix: Small
- Discussion: Any
- Discussion: Security
- Stacktrace: Any
- Stacktrace: With Fix
- Dependency Issue
- Forgotten Check
- Order of Operations
- Sandbox
- Specification
- Util
- VCC
- Vouch

In the tag cloud, tags are sized by the number of times they have been applied; tags applied to zero or one vulnerability are not shown.

What is a VCC?

A **Vulnerability-Contributing Commit** is the change to source code that is likely the origin of a vulnerability. Finding a VCC is our attempt at finding the original mistake that was made... and missed... that led to a vulnerability. Full Article

Let's Just Undo That

A revert is when a commit is reversed, indicating that developers have decided to roll back changes that were originally approved and integrated into the system. Full Article

Beware of complex inputs

Don't just think about code complexity, think about *input* complexity. Full Article

Bad things happen when integers wrap around

Loop counters, file sizes, malloc arguments, session tokens, primary keys... numbers are everywhere in our code. What happens when our numbers get very, _very_ big? Integer overflow, or wraparound, is much more dangerous than it seems. Full Article
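The blurb above names the failure mode but does not show it. The C program below is an added example for this page, not code from VHP or from any of its case-study projects. It assumes a made-up record format (16-byte records, a 1 MiB allocation cap, a 32-bit count field in the header) and shows two size checks that look correct but are defeated by unsigned wraparound, the multiplication behind CWE-680 and the addition inside a bounds check, each beside a check that actually holds. Both CWE-190 and CWE-680 appear in the tag list above.

```c
/* Added example, not VHP or case-study project code: two size checks
 * defeated by unsigned wraparound, each beside a version that holds.
 * ELEM_SIZE, MAX_TOTAL and the header layout are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ELEM_SIZE 16u          /* bytes per record (assumed format) */
#define MAX_TOTAL (1u << 20)   /* 1 MiB cap the parser intends to enforce */

/* 1. Multiplication wraparound (CWE-190 leading to CWE-680).
 * `count` is a 32-bit header field under attacker control. The product is
 * computed in 32 bits, so 0x10000001 * 16 = 0x100000010 wraps to 16: the
 * cap check passes and malloc would get 16 bytes for 268 million records.
 * Returns the size that would be handed to malloc, or 0 if rejected. */
uint32_t vulnerable_alloc_size(uint32_t count)
{
    uint32_t total = count * ELEM_SIZE;   /* wraps silently mod 2^32 */
    if (total > MAX_TOTAL)
        return 0;
    return total;
}

/* Hardened: bound the multiplicand before multiplying so the product can
 * never wrap. Both operands are unsigned, so MAX_TOTAL / ELEM_SIZE is
 * exactly the largest count whose product fits under the cap. */
uint32_t safe_alloc_size(uint32_t count)
{
    if (count > MAX_TOTAL / ELEM_SIZE)
        return 0;
    return count * ELEM_SIZE;
}

/* 2. Addition wraparound in a bounds check.
 * A chunk at `offset` with length `len` must lie inside `buf_len` bytes.
 * `offset + len` wraps when len is close to SIZE_MAX, so an absurd length
 * passes and the copy that follows runs off the end of the buffer. */
bool vulnerable_in_bounds(size_t offset, size_t len, size_t buf_len)
{
    return offset + len <= buf_len;       /* wraps for large len */
}

/* Hardened: rearrange so that no intermediate value can overflow. */
bool safe_in_bounds(size_t offset, size_t len, size_t buf_len)
{
    return offset <= buf_len && len <= buf_len - offset;
}

/* Bytes really needed for `count` records, computed in 64 bits, so the gap
 * between what was allocated and what a copy loop would write is visible. */
uint64_t bytes_needed(uint32_t count)
{
    return (uint64_t)count * ELEM_SIZE;
}

int main(void)
{
    /* Constructed malicious header values, not taken from any real report. */
    uint32_t evil_count = 0x10000001u;
    size_t evil_len = SIZE_MAX - 50;

    printf("count=%u: vulnerable check allocates %u bytes, %llu needed\n",
           (unsigned)evil_count, (unsigned)vulnerable_alloc_size(evil_count),
           (unsigned long long)bytes_needed(evil_count));
    printf("count=%u: hardened check returns %u (0 = rejected)\n",
           (unsigned)evil_count, (unsigned)safe_alloc_size(evil_count));
    printf("offset=100 len=SIZE_MAX-50 buf=4096: vulnerable=%d hardened=%d\n",
           (int)vulnerable_in_bounds(100, evil_len, 4096),
           (int)safe_in_bounds(100, evil_len, 4096));
    return 0;
}
```

With the constructed count, the vulnerable path allocates 16 bytes while the copy that follows would need 4294967312; the hardened path rejects the count outright. The addition case is the same mistake in a different shape: the check is written as if `offset + len` were a mathematical sum, but in `size_t` it is a sum modulo 2^N. Where the compiler allows it, `__builtin_mul_overflow` and `__builtin_add_overflow` (GCC and Clang) express the hardened checks more directly; the division and subtraction forms above are portable C.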