CVEbaza.plSłownik CWECWE-459
Common Weakness Enumeration

CWE-459

Incomplete Cleanup

Kategoria: BaseCVE: 225
Opis

Produkt nie czyści prawidłowo i nie usuwa zasobów tymczasowych lub pomocniczych po ich użyciu. Może to prowadzić do wycieków zasobów, gromadzenia się niepotrzebnych plików lub danych wrażliwych pozostających w systemie.

Description (EN)

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

Podatności CVE z CWE-459 (225)
9.9
CVSS
CRITICAL
CVE-2023-36468

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document, just a new version of that document is added. In some cases, it's still possible to exploit the vulnerability that was fixed in the new version. The severity of this depends on the fixed vulnerability, for the purpose of this advisory take CVE-2022-36100/GHSA-2g5c-228j-p52x as example - it is easily exploitable with just view rights and critical. When XWiki is upgraded from a version before the fix for it (e.g., 14.3) to a version including the fix (e.g., 14.4), the vulnerability can still be reproduced by adding `rev=1.1` to the URL used in the reproduction steps so remote code execution is possible even after upgrading. Therefore, this affects the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability also affects manually added script macros that contained security vulnerabilities that were later fixed by changing the script macro without deleting the versions with the security vulnerability from the history. This vulnerability doesn't affect freshly installed versions of XWiki. Further, this vulnerability doesn't affect content that is only loaded from the current version of a document like the code of wiki macros or UI extensions. This vulnerability has been patched in XWiki 14.10.7 and 15.2RC1 by forcing old revisions to be executed in a restricted mode that disables all script macros. As a workaround, admins can manually delete old revisions of affected documents. A script could be used to identify all installed documents and delete the history for them. However, also manually added and later corrected code may be affected by this vulnerability so it is easy to miss documents.

pub. 2023-06-29
9.8
CVSS
CRITICAL
CVE-2026-28268

W Vikunja przed wersją 2.1.0 tokeny resetowania hasła nie są unieważniane po użyciu i pozostają ważne bezterminowo. Umożliwia to atakującemu, który wejdzie w posiadanie jednego tokenu, trwałe przejęcie konta w dowolnym momencie w przyszłości.

pub. 2026-02-27
9.8
CVSS
CRITICAL
CVE-2022-45347

Apache ShardingSphere-Proxy prior to 5.3.0 when using MySQL as database backend didn't cleanup the database session completely after client authentication failed, which allowed an attacker to execute normal commands by constructing a special MySQL client. This vulnerability has been fixed in Apache ShardingSphere 5.3.0.

pub. 2022-12-22
9.8
CVSS
CRITICAL
CVE-2021-45330

An issue exsits in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and the session remains valid on the server side for reuse.

pub. 2022-02-09
9.8
CVSS
CRITICAL
CVE-2021-45706

An issue was discovered in the zeroize_derive crate before 1.1.1 for Rust. Dropped memory is not zeroed out for an enum.

pub. 2021-12-27
9.8
CVSS
CRITICAL
CVE-2021-32928

The Sentinel LDK Run-Time Environment installer (Versions 7.6 and prior) adds a firewall rule named “Sentinel License Manager” that allows incoming connections from private networks using TCP Port 1947. While uninstalling, the uninstaller fails to close Port 1947.

pub. 2021-06-16
9.8
CVSS
CRITICAL
CVE-2020-13451

An incomplete-cleanup vulnerability in the Office rendering engine of Gotenberg through 6.2.1 allows an attacker to overwrite LibreOffice configuration files and execute arbitrary code via macros.

pub. 2021-01-07
9.8
CVSS
CRITICAL
CVE-2005-1744

BEA WebLogic Server and WebLogic Express 7.0 through Service Pack 5 does not log out users when an application is redeployed, which allows those users to continue to access the application without having to log in again, which may be in violation of newly changed security constraints or role mappings.

pub. 2005-05-24
9.6
CVSS
CRITICAL
CVE-2026-34263

Nieprawidłowa konfiguracja Spring Security w SAP Commerce Cloud umożliwia nieuwierzytelnionemu atakującemu wstrzyknięcie złośliwych danych wejściowych i wykonanie dowolnego kodu po stronie serwera. Podatność oceniono jako krytyczną z wynikiem CVSS 9.6, co oznacza pełne ryzyko utraty poufności, integralności i dostępności aplikacji.

pub. 2026-05-12
9.2
CVSS
CRITICAL
CVE-2025-6338

W module Qt Network, w obsłudze protokołu Schannel na systemie Windows, istnieje podatność niekompletnego czyszczenia zasobów (CWE-459). Przez długi okres działania aplikacji może ona prowadzić do odmowy usługi (Denial of Service).

pub. 2025-10-16
9.1
CVSS
CRITICAL
CVE-2024-28265

IBOS w wersji 4.5.5 zawiera podatność pozwalającą nieuwierzytelnionemu atakującemu na usunięcie dowolnego pliku na serwerze. Podatność sklasyfikowana jako krytyczna (CVSS 9.1) stanowi poważne zagrożenie dla integralności i dostępności systemu.

pub. 2024-11-01
8.8
CVSS
HIGH
CVE-2022-1552

A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.

pub. 2022-08-31
8.8
CVSS
HIGH
CVE-2020-24489

Incomplete cleanup in some Intel(R) VT-d products may allow an authenticated user to potentially enable escalation of privilege via local access.

pub. 2021-06-09
8.8
CVSS
HIGH
CVE-2019-25016

In OpenDoas from 6.6 to 6.8 the users PATH variable was incorrectly inherited by authenticated executions if the authenticating rule allowed the user to execute any command. Rules that only allowed to authenticated user to execute specific commands were not affected by this issue.

pub. 2021-01-28
8.8
CVSS
HIGH
CVE-2019-18191

A privilege escalation vulnerability in the Trend Micro Deep Security as a Service Quick Setup cloud formation template could allow an authenticated entity with certain unrestricted AWS execution privileges to escalate to full privileges within the target AWS account.

pub. 2019-12-16
8.8
CVSS
HIGH
CVE-2018-18924

The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.

pub. 2018-11-04
8.7
CVSS
HIGH
CVE-2026-3304

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.

pub. 2026-02-27
8.7
CVSS
HIGH
CVE-2025-59781

When DNS cache is configured on a BIG-IP or BIG-IP Next CNF virtual server, undisclosed DNS queries can cause an increase in memory resource utilization.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

pub. 2025-10-15
8.7
CVSS
HIGH
CVE-2025-21609

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.

pub. 2025-01-03
8.2
CVSS
HIGH
CVE-2025-66675

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. It's related to  https://cve.org/CVERecord?id=CVE-2025-64775  - this CVE addresses missing affected version 6.7.4

pub. 2025-12-10
Pokazano 20 z 225 podatności
Informacje
ID: CWE-459
Typ: Base
Podatności: 225
MITRE CWE ↗
← Słownik CWE