angler-fishThe Vulnerability History Project

Tags are one of the main ways we use organize vulnerabilities in VHP. Tags can be gathered automatically, or manually, or with a combination of both. Here are a few different types of tags below.

Lesson tags are about broader lessons that can be learned from that vulnerability. These are security principles and engineering pitfalls that we believe should be taught to all software engineers.

Discovered tags are about how the vulnerability was originally found.

Lifetime tags indicate how long we believe the vulnerability remained in the system.

CWE, or Common Weakness Enumeration, tags are manually assigned by curators to describe the particular type of vulnerability.

Subsystem tags are the curators' best efforts at determining what part of the system this vulnerability affected .

Project tags are the case study the vulnerability is from.

Language tags are what type of source code was fixed.

Severity tags are based on the NVD's CVSS.

Severity: Availability Impact - Low Struts subsystem: plugins Chromium subsystem: pdfium CWE-641: Improper Restriction of Names for Files and Other Resources Severity: Privileges Required - High CWE-19: Data Processing Errors CWE-CWE-ID: Name Chromium subsystem: gpu Struts subsystem: validator Discovered Internally systemd subsystem: shared Chromium subsystem: ffmpeg Lesson: Security By Obscurity Severity: Availability Impact - High CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Language: C++ CWE-129: Improper Validation of Array Index Severity: Integrity Impact - Low Severity: Integrity Impact - High Linux Kernel subsystem: perf CWE-909: Missing Initialization of Resource CWE-704: Incorrect Type Conversion or Cast CWE-665: Improper Initialization Severity: Availability Impact - Partial CWE-134: Use of Externally-Controlled Format String CWE-908: Use of Uninitialized Resource CWE-532: Insertion of Sensitive Information into Log File CWE-121: Stack-based Buffer Overflow Tomcat subsystem: http2 CWE-159: Improper Handling of Invalid Use of Special Elements CWE-311: Missing Encryption of Sensitive Data CWE-502: Deserialization of Untrusted Data Linux Kernel subsystem: drivers Linux Kernel subsystem: arch Chromium subsystem: autofill Chromium subsystem: media Severity: Privileges Required - Low Chromium subsystem: plugins Chromium subsystem: tab_contents Chromium subsystem: dom CWE-384: Session Fixation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer Lesson: Reverting Codebase CWE-456: Missing Initialization of a Variable Lifetime: 2 to 5 years CWE-416: Use After Free Lifetime: 30 to 90 days CWE-209: Generation of Error Message Containing Sensitive Information CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax CWE-191: Integer Underflow (Wrap or Wraparound) Tomcat subsystem: startup Language: Python Chromium subsystem: blink svg Linux Kernel subsystem: bpf Chromium subsystem: openjpeg Dependency Issue HTTPD subsystem: proxy Lesson: Too Many Cooks CWE-264: Permissions, Privileges, and Access Controls CWE-749: Exposed Dangerous Method or Function CWE-184: Incomplete List of Disallowed Inputs Chromium subsystem: content Tomcat subsystem: core CWE-703: Improper Check or Handling of Exceptional Conditions CWE-326: Inadequate Encryption Strength Chromium subsystem: Chromium subsystem: v8 CWE-833: Deadlock Chromium subsystem: harfbuzz Django subsystem: authentication CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences CWE-680: Integer Overflow to Buffer Overflow CWE-834: Excessive Iteration CWE-681: Incorrect Conversion between Numeric Types CWE-279: Incorrect Execution-Assigned Permissions CWE-295: Improper Certificate Validation CWE-252: Unchecked Return Value Struts subsystem: xwork-core Struts subsystem: xwork2 CWE-354: Improper Validation of Integrity Check Value CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE-653: Improper Isolation or Compartmentalization Project: Struts HTTPD subsystem: dav Lesson: Environment Variables HTTPD subsystem: http Struts subsystem: dispatcher Chromium subsystem: browser CWE-667: Improper Locking Order of Operations Severity: Privileges Required - None HTTPD subsystem: core Chromium subsystem: common CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-755: Improper Handling of Exceptional Conditions CWE-488: Exposure of Data Element to Wrong Session Discovered Automatically FFmpeg subsystem: avfilter CWE-358: Improperly Implemented Security Check for Standard Chromium subsystem: webgl CWE-664: Improper Control of a Resource Through its Lifetime Chromium subsystem: storage CWE-457: Use of Uninitialized Variable CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') CWE-203: Observable Discrepancy Tomcat subsystem: connector CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Lifetime: 5+ years systemd subsystem: journald Chromium subsystem: net CWE-361: 7PK - Time and State Linux Kernel subsystem: kvm Discovered Externally Lifetime: 1 to 2 years Struts subsystem: rest Linux Kernel subsystem: sctp Language: C CWE-285: Improper Authorization Struts subsystem: mapper Severity: User Interaction - Required Chromium subsystem: webkit CWE-787: Out-of-bounds Write Lesson: Least Privilege CWE-254: 7PK - Security Features Project: Linux Kernel Lesson: Code Refactors Severity: Attack Complexity - Medium Severity: Confidentiality Impact - Partial CWE-319: Cleartext Transmission of Sensitive Information CWE-193: Off-by-one Error Lesson: You Ain't Gonna Need It CWE-269: Improper Privilege Management Project: FFmpeg CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-122: Heap-based Buffer Overflow CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Chromium subsystem: chrome Chromium subsystem: omnibox Django subsystem: views HTTPD subsystem: loggers Chromium subsystem: cc Struts subsystem: ognl Linux Kernel subsystem: mm CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') CWE-266: Incorrect Privilege Assignment FFmpeg subsystem: libavcodec Lesson: Defense in Depth Linux Kernel subsystem: btrfs Django subsystem: utils Chromium subsystem: ui CWE-662: Improper Synchronization Discovered Manually Lesson: Native Wrappers HTTPD subsystem: authentication and authorization CWE-287: Improper Authentication Stacktrace Chromium subsystem: pdf Language: Java CWE-94: Improper Control of Generation of Code ('Code Injection') Chromium subsystem: ssl CWE-183: Permissive List of Allowed Inputs Django subsystem: xml_parsers CWE-451: User Interface (UI) Misrepresentation of Critical Information CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') systemd subsystem: vconsole CWE-824: Access of Uninitialized Pointer CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Chromium subsystem: video Severity: Attack Vector - Physical CWE-1284: Improper Validation of Specified Quantity in Input Severity: Scope - Unchanged Bounty Awarded HTTPD subsystem: server Lesson: Serial Killer Chromium subsystem: skia Chromium subsystem: translate CWE-791: Incomplete Filtering of Special Elements Chromium subsystem: audio Chromium subsystem: workers Severity: Integrity Impact - Partial Chromium subsystem: base CWE-415: Double Free Severity: User Interaction - None CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') Chromium subsystem: safebrowsing CWE-116: Improper Encoding or Escaping of Output CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Severity: Confidentiality Impact - High CWE-20: Improper Input Validation Team Discussed HTTPD subsystem: http2 Django subsystem: forms Project: Tomcat Chromium subsystem: frame Util CWE-601: URL Redirection to Untrusted Site ('Open Redirect') Chromium subsystem: internals Chromium subsystem: devtools Django subsystem: models Small Fix Known Origin (VCC) Chromium subsystem: sfntly CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-366: Race Condition within a Thread Severity: Attack Complexity - High CWE-401: Missing Release of Memory after Effective Lifetime Django subsystem: files Linux Kernel subsystem: bluetooth HTTPD subsystem: modules systemd subsystem: resolve Chromium subsystem: webcore CWE-459: Incomplete Cleanup Linux Kernel subsystem: scsi CWE-770: Allocation of Resources Without Limits or Throttling Discovered in Contest CWE-617: Reachable Assertion Chromium subsystem: web_contents CWE-434: Unrestricted Upload of File with Dangerous Type Lesson: Distrust Input CWE-310: Cryptographic Issues CWE-185: Incorrect Regular Expression CWE-255: Credentials Management Errors Big Fix CWE-789: Memory Allocation with Excessive Size Value CWE-732: Incorrect Permission Assignment for Critical Resource CWE-1188: Insecure Default Initialization of Resource FFmpeg subsystem: avcodec Severity: Confidentiality Impact - Complete Lifetime: Less than 30 days CWE-347: Improper Verification of Cryptographic Signature Django subsystem: backends Lesson: Fix Untested Language: Javascript Project: systemd Linux Kernel subsystem: lib Struts subsystem: resources Lesson: Complex Inputs Chromium subsystem: third_party FFmpeg subsystem: avformat CWE-290: Authentication Bypass by Spoofing CWE-281: Improper Preservation of Permissions Chromium subsystem: speech Severity: Integrity Impact - Complete CWE-125: Out-of-bounds Read Chromium subsystem: appcache Severity: Availability Impact - Complete systemd subsystem: core Linux Kernel subsystem: usb CWE-460: Improper Cleanup on Thrown Exception CWE-697: Incorrect Comparison Stacktrace with Fix CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') Chromium subsystem: views Lesson: Lacked Test CWE-327: Use of a Broken or Risky Cryptographic Algorithm Chromium subsystem: renderer_host Lifetime: 90 to 180 days Linux Kernel subsystem: net Severity: Attack Complexity - Low CWE-825: Expired Pointer Dereference Django subsystem: http Severity: Privileges Required - None Team Discussed if Security Project: Django Project: HTTPD CWE-346: Origin Validation Error Lesson: Changing Owners CWE-672: Operation on a Resource after Expiration or Release CWE-303: Incorrect Implementation of Authentication Algorithm CWE-426: Untrusted Search Path Lifetime: 180 days to 1 year Django subsystem: urls Chromium subsystem: permissions Severity: Scope - Changed CWE-330: Use of Insufficiently Random Values CWE-23: Relative Path Traversal CWE-772: Missing Release of Resource after Effective Lifetime CWE-754: Improper Check for Unusual or Exceptional Conditions Chromium subsystem: svg Tomcat subsystem: catalina CWE-606: Unchecked Input for Loop Condition Django subsystem: admin Severity: Privileges Required - Low Chromium subsystem: websockets CWE-668: Exposure of Resource to Wrong Sphere CWE-674: Uncontrolled Recursion CWE-863: Incorrect Authorization Struts subsystem: interceptor Linux Kernel subsystem: svm Sandbox Lesson: Frameworks are Optional Severity: Confidentiality Impact - Low Tomcat subsystem: manager CWE-294: Authentication Bypass by Capture-replay systemd subsystem: basic Not Auto Discoverable Django subsystem: contrib CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE-807: Reliance on Untrusted Inputs in a Security Decision HTTPD subsystem: cache CWE-126: Buffer Over-read Tomcat subsystem: http11 Tomcat subsystem: authenticator CWE-189: Numeric Errors Chromium subsystem: parser HTTPD subsystem: ssl Chromium subsystem: clipboard Chromium subsystem: webdata Vouch CWE-399: Resource Management Errors CWE-476: NULL Pointer Dereference Linux Kernel subsystem: crypto CWE-16: Configuration CWE-276: Incorrect Default Permissions CWE-345: Insufficient Verification of Data Authenticity CWE-284: Improper Access Control Chromium subsystem: serviceworker Chromium subsystem: renderer systemd subsystem: systemd-journald i18n CWE-369: Divide By Zero CWE-190: Integer Overflow or Wraparound CWE-707: Improper Neutralization systemd subsystem: dbus Lesson: Secure By Default CWE-267: Privilege Defined With Unsafe Actions Severity: Attack Vector - Adjacent Network Chromium subsystem: extensions CWE-404: Improper Resource Shutdown or Release Chromium subsystem: downloads Django subsystem: auth Tomcat subsystem: coyote Django subsystem: middleware Linux Kernel subsystem: fs Severity: Attack Vector - Local CWE-297: Improper Validation of Certificate with Host Mismatch CWE-250: Execution with Unnecessary Privileges Chromium subsystem: network Chromium subsystem: libxml CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') Forgotten Check Project: Chromium Chromium subsystem: navigation Chromium subsystem: blink Severity: Attack Vector - Network CWE-201: Insertion of Sensitive Information Into Sent Data Specification CWE-400: Uncontrolled Resource Consumption Django subsystem: sessions CWE-352: Cross-Site Request Forgery (CSRF) CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages CWE-763: Release of Invalid Pointer or Reference CWE-131: Incorrect Calculation of Buffer Size systemd subsystem: polkit CWE-682: Incorrect Calculation CWE-862: Missing Authorization CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

Tags are sized by the number of times they have been applied. Tags with zero or one vulnerability are not shown.

What is a VCC?

A **Vulnerability-Contributing Commit** is the change to source code that is likely the origin of a vulnerability. Finding a VCC is our attempt at finding the original mistake that was made... and missed... that led to a vulnerability. Full Article

Let's Just Undo That

A revert is when a commit is reversed, indicating that developers have decided to roll back changes that were originally approved and integrated into the system. Full Article

Beware of complex inputs

Don't just think about code complexity, think about *input* complexity. Full Article

Bad things happen when integers wrap around

Loop counters, file sizes, malloc arguments, session tokens, primary keys... numbers are everywhere in our code. What happens when our numbers get very, _very_ big? Integer overflow, or wraparound, is much more dangerous than it seems. Full Article