Incomplete List of Disallowed Inputs

CVE-2020-5253

Low

3.9/10

Summary

NetHack before version 3.6.0 allowed malicious use of escaping of characters in the configuration file (usually .nethackrc) which could be exploited. This bug is patched in NetHack 3.6.0.

Attack Complexity: HIGH
Attack Vector: LOCAL
Integrity Impact: LOW
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-184 - Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.

References

Advisory Timeline

Published Mar 10, 2020

Incomplete List of Disallowed Inputs

CVE-2020-5253

Summary

CWE-184 - Incomplete List of Disallowed Inputs

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS