
CWE-436 (Interpretation Conflict) — Vulnerability Class 45

45 vulnerabilities classified as CWE-436 (Interpretation Conflict). AI-generated Chinese analysis included.

CWE-436, Interpretation Conflict, is a design weakness occurring when two interacting components, such as a client and server or an intermediary proxy, interpret the same input or state differently. This discrepancy typically arises in security appliances like firewalls or anti-virus software that modify traffic based on conflicting expectations of protocol behavior. Attackers exploit this by crafting malicious payloads that trigger divergent interpretations, causing the security device to permit harmful data or the target system to execute unintended actions. To mitigate this risk, developers must ensure consistent parsing logic across all interacting components. Implementing strict, unified protocol standards and rigorous validation checks at every processing stage helps eliminate ambiguity. Additionally, thorough integration testing that simulates edge-case scenarios can reveal interpretation mismatches before deployment, ensuring that all entities in the communication chain process data uniformly and securely.

MITRE CWE Description
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. This is generally found in proxies, firewalls, anti-virus software, and other intermediary devices that monitor, allow, deny, or modify traffic based on how the client or server is expected to behave.
Common Consequences (1)
Scope: Integrity, Other
Impact: Unexpected State, Varies by Context
Examples (2)
The paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" [REF-428] shows that OSes varied widely in how they manage unusual packets, which made it difficult or impossible for intrusion detection systems to properly detect certain attacker manipulations that took advantage of these OS differences.
Null characters have different interpretations in Perl and C, which have security consequences when Perl invokes C functions. Similar problems have been reported in ASP [REF-429] and PHP.
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-36456 | Authentik lacks Proxy IP headers validation | authentik | 8.3 | High | 2023-07-06 |
| CVE-2023-30541 | TransparentUpgradeableProxy clashing selector calls may not be delegated in @openzeppelin/contracts | openzeppelin-contracts | 5.3 | Medium | 2023-04-17 |
| CVE-2023-30536 | Insecure header validation in slim/psr7 | Slim-Psr7 | 6.5 | Medium | 2023-04-17 |
| CVE-2023-29197 | Improper header name validation in guzzlehttp/psr7 | psr7 | 5.3 | Medium | 2023-04-17 |
| CVE-2023-22735 | User uploads proxied from S3 lack `Content-Security-Policy` headers, may be served with `Content-Disposition: inline` in zulip | zulip | 4.4 | Medium | 2023-02-07 |
| CVE-2023-24813 | URI validation failure on SVG parsing. Bypass of CVE-2023-23924 | dompdf | 10.0 | Critical | 2023-02-07 |
| CVE-2023-22602 | Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request | Apache Shiro | 7.5 | - | 2023-01-14 |
| CVE-2022-41915 | Netty security vulnerability | netty | 6.5 | Medium | 2022-12-13 |
| CVE-2022-36051 | Broken Authorization in ZITADEL Actions | zitadel | 8.7 | High | 2022-08-31 |
| CVE-2022-36048 | IP address leak via image proxy bypass in Zulip Server | zulip | 4.3 | Medium | 2022-08-31 |
| CVE-2022-29254 | Failed payment recorded as completed in silverstripe/silverstripe-omnipay | silverstripe-omnipay | 3.7 | Low | 2022-06-06 |
| CVE-2022-0011 | PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering | PAN-OS | 6.5 | Medium | 2022-02-10 |
| CVE-2021-39137 | Consensus flaw during block processing in go-ethereum | go-ethereum | 6.5 | Medium | 2021-08-24 |
| CVE-2021-21366 | Misinterpretation of malicious XML input | xmldom | 4.3 | Medium | 2021-03-12 |
| CVE-2021-0207 | NFX250, NFX350, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series: Certain genuine traffic received by the Junos OS device will be discarded instead of forwarded. | Junos OS | 7.5 | High | 2021-01-15 |

Vulnerabilities classified as CWE-436 (Interpretation Conflict) represent 45 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.