Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-617 (可达断言) — Vulnerability Class 233

233 vulnerabilities classified as CWE-617 (可达断言). AI Chinese analysis included.

CWE-617 represents a software weakness where an assertion statement, intended for debugging or internal logic validation, remains enabled in production code and can be triggered by external input. This flaw typically leads to a denial of service, as the application abruptly terminates or crashes when the assertion fails, rather than handling the error gracefully. Attackers exploit this by crafting specific inputs that violate the assumed invariants, forcing the program to exit unexpectedly. To mitigate this risk, developers must ensure that assertions are strictly disabled in production environments or replace them with robust error-handling mechanisms. By validating inputs and managing exceptions without relying on fatal assertions, teams can maintain application availability and prevent attackers from leveraging these logic checks for disruptive service interruptions.

MITRE CWE Description
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.
Common Consequences (1)
AvailabilityDoS: Crash, Exit, or Restart
An attacker that can trigger an assert statement can still lead to a denial of service if the relevant code can be triggered by an attacker, and if the scope of the assert() extends beyond the attacker's own session.
Mitigations (2)
ImplementationMake sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
ImplementationPerform input validation on user data.
Examples (1)
In the excerpt below, an AssertionError (an unchecked exception) is thrown if the user hasn't entered an email address in an HTML form.
String email = request.getParameter("email_address"); assert email != null;
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2022-35935 `CHECK` failure in `SobolSample` via missing validation in TensorFlow — tensorflow 5.9 Medium2022-09-16
CVE-2022-35934 `CHECK` failure in tf.reshape in Tensorflow — tensorflow 5.9 Medium2022-09-16
CVE-2022-2719 Imagemagick Studio ImageMagick 安全漏洞 — ImageMagick 5.5 -2022-08-09
CVE-2021-3431 BT: Assertion failure on repeated LL_FEATURE_REQ — zephyr 4.3 Medium2022-06-28
CVE-2021-3430 BT: Assertion failure on repeated LL_CONNECTION_PARAM_REQ — zephyr 6.5 Medium2022-06-28
CVE-2022-31100 Reachable Assertion in rulex — rulex 6.5 Medium2022-06-27
CVE-2022-31009 DoS vulnerability: Invalid Accent Colors — wire-ios 5.7 Medium2022-06-23
CVE-2022-29228 Reachable assertion in Envoy — envoy 7.5 High2022-06-09
CVE-2021-27500 EIPStackGroup OpENer Ethernet/IP Reachable Assertion — OpENer EtherNet/IP 7.5 High2022-05-12
CVE-2021-27498 EIPStackGroup OpENer Ethernet/IP Reachable Assertion — OpENer EtherNet/IP 7.5 High2022-05-12
CVE-2022-24272 MongoDB Server (mongod) may crash in response to unexpected requests — MongoDB Server 6.5 Medium2022-04-21
CVE-2022-20694 Cisco IOS XE Software Border Gateway Protocol Resource Public Key Infrastructure Denial of Service Vulnerability — Cisco IOS XE Software 6.8 Medium2022-04-15
CVE-2022-24777 Denial of Service via reachable assertion in grpc-swift — grpc-swift 7.5 High2022-03-25
CVE-2022-23564 Reachable Assertion in Tensorflow — tensorflow 6.5 Medium2022-02-04
CVE-2022-23565 `CHECK`-failures in Tensorflow — tensorflow 6.5 Medium2022-02-04
CVE-2022-23571 Reachable Assertion in Tensorflow — tensorflow 6.5 Medium2022-02-04
CVE-2022-23579 `CHECK`-failures during Grappler's `SafeToRemoveIdentity` in Tensorflow — tensorflow 6.5 Medium2022-02-04
CVE-2022-23581 `CHECK`-failures during Grappler's `IsSimplifiableReshape` in Tensorflow — tensorflow 6.5 Medium2022-02-04
CVE-2022-23588 `CHECK`-fails due to attempting to build a reference tensor in Tensorflow — tensorflow 6.5 Medium2022-02-04
CVE-2022-23586 Multiple `CHECK`-fails in `function.cc` in Tensorflow — tensorflow 6.5 Medium2022-02-04
CVE-2022-23583 `CHECK`-failures in binary ops in Tensorflow — tensorflow 6.5 Medium2022-02-04
CVE-2022-23582 `CHECK`-failures in `TensorByteSize` in Tensorflow — tensorflow 6.5 Medium2022-02-04
CVE-2021-43849 DoS vulnerability — cordova-plugin-fingerprint-aio 6.2 Medium2021-12-23
CVE-2021-32037 User may trigger invariant when allowed to send commands directly to shards — MongoDB Server 6.5 Medium2021-11-24
CVE-2021-41200 Incomplete validation in `tf.summary.create_file_writer` — tensorflow 5.5 Medium2021-11-05
CVE-2021-37644 `std::abort` raised from `TensorListReserve` in TensorFlow — tensorflow 5.5 Medium2021-08-12
CVE-2021-32815 Denial of service due to assertion failure in crwimage_int.cpp — exiv2 5.5 Medium2021-08-09
CVE-2021-1422 Cisco Adaptive Security Appliance Software Release 9.16.1 and Cisco Firepower Threat Defense Software Release 7.0.0 IPsec Denial of Service Vulnerability — Cisco Adaptive Security Appliance (ASA) Software 7.7 High2021-07-16
CVE-2020-25710 OpenLDAP 安全漏洞 — openldap 7.5 -2021-05-28
CVE-2021-29561 CHECK-fail in `LoadAndRemapMatrix` — tensorflow 2.5 Low2021-05-14

Vulnerabilities classified as CWE-617 (可达断言) represent 233 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.