Common Weakness Enumeration

CWE-1295

Allowed

Debug Messages Revealing Unnecessary Information

Abstraction: Base · Status: Incomplete

The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages.

41 vulnerabilities reference this CWE, most recent first.

GHSA-F65R-H4G3-3H9H

Vulnerability from github – Published: 2026-06-26 20:34 – Updated: 2026-06-26 20:34
VLAI
Summary
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Details

Summary

In backpropagate >= 1.1.0, the optional Reflex web UI (pip install backpropagate[ui], launched via backprop ui) exposes a training control plane: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push.

The CLI accepts two operator-facing flags intended as security controls:

  • --auth user:pass — documented as "require HTTP Basic authentication on every request to the UI."
  • --share — documented as "expose the UI on a public address; requires --auth."

When --auth user:pass is passed, the CLI prints Auth: enabled (user: <username>) to confirm to the operator that authentication is active, then exports BACKPROPAGATE_UI_AUTH=user:pass to the subprocess that launches the Reflex backend.

The Reflex backend (backpropagate/ui_app/**) never reads BACKPROPAGATE_UI_AUTH. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port — local or remote, depending on whether --share is used — has full UI access.

An inline comment at backpropagate/cli.py:1217-1218 in the v1.1.0 source documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced.

This advisory is filed primarily because the runtime contradicted an operator-facing security claim. Code-only bugs of comparable shape (auth check missing entirely from a path) would already warrant disclosure; the additional false-promise dimension raises the severity.

Impact

An attacker who reaches the bound port can:

  • Read uploaded datasets rendered in the UI preview, including content of any JSONL/CSV/TXT file the legitimate operator has uploaded for fine-tuning.
  • Trigger arbitrary training runs against any base model the operator has installed locally or that can be downloaded from HuggingFace.
  • Trigger HuggingFace Hub pushes to repositories named via the UI input (subject to the operator's local HF token's scope — typically all repos owned by the operator).
  • Cause disk-fill DoS via the rx.upload endpoint (no size cap, no extension filter, no per-session count cap in v1.1.0 / v1.1.1).
  • Read model paths (source_model_path, dataset_path, model, uploaded_path) which are user-supplied and bypass the safe_path() helper that lives in backpropagate/ui_security.py (path validation is dead code on the Reflex surface in v1.1.0 / v1.1.1).

The combination of unauthenticated training control, HF push target spoofing, and path-input traversal makes the affected endpoint suitable for both data exfiltration (reading uploaded training data) and supply-chain attacks (pushing tampered model weights to the operator's HF account).

The local-only default (no --share) reduces exposure to a host-local attacker. The --share flag is documented as a "public URL" feature; operators who used --share --auth user:pass had no warning that the auth half was inert.

Patches

Fixed in v1.2.0 (released 2026-05-23). The patch implements real ASGI middleware via rx.App(api_transformer=basic_auth_transformer) that gates HTTP routes AND the /_event WebSocket upgrade. Four modes (no_auth_local_only / token_auto / explicit_creds / production), HMAC-signed cookie validated PRE-websocket.accept(), Host + Origin allowlists. The middleware ships alongside a 4-layer defense in depth at the cli.py / ui_app/app.py / rxconfig.py / env-strip surfaces so direct python -m reflex run invocations (bypassing the CLI guard) also enforce authentication.

Upgrade with:

  • pip: pip install --upgrade backpropagate
  • npm: npm install -g @mcptoolshop/backpropagate@latest

Full release notes: https://github.com/mcp-tool-shop-org/backpropagate/blob/main/CHANGELOG.md#120---2026-05-23

Workarounds

If users cannot upgrade immediately:

  1. Do not pass --auth or --share to backprop ui. Run the UI with no flags (backprop ui); it will bind to localhost and accept any client that can reach 127.0.0.1.
  2. For remote access, use SSH port-forwarding instead of --share: # On the client: ssh -L 7860:localhost:7860 <training-host> # On the server: backprop ui # no --share # Then open http://localhost:7860 in your local browser. SSH provides the authentication layer the Reflex UI did not.
  3. Audit existing deployments. If any host running backpropagate >= 1.1.0 has previously been launched with --share, treat any uploaded training data, model paths, or HF push targets visible in that UI session as potentially exposed. Re-issue HF tokens that have been in use during such sessions.

Binary distribution gap. Standalone binaries (Windows .exe / macOS .app via PyInstaller) failed to build for v1.2.0 and will land in a follow-up patch release. In the interim, users who relied on the v1.1.x binary distribution should install the patched version via pip install backpropagate==1.2.0 to receive the auth-bypass fix. The v1.2.0 PyPI package and @mcptoolshop/backpropagate@1.2.0 npm package both carry the patched code.

Credit

Discovered by the dogfood-swarm Stage A audit on 2026-05-22 (finding ID FRONTEND-A-001, classified CRITICAL). The audit also surfaced contradicting documentation in CHANGELOG / SHIP_GATE / README; those were corrected in v1.2.0 alongside the runtime fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "backpropagate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@mcptoolshop/backpropagate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295",
      "CWE-358",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:34:29Z",
    "nvd_published_at": "2026-06-17T13:20:43Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nIn `backpropagate \u003e= 1.1.0`, the optional Reflex web UI (`pip install backpropagate[ui]`, launched via `backprop ui`) exposes a training control plane: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push.\n\nThe CLI accepts two operator-facing flags intended as security controls:\n\n- `--auth user:pass` \u2014 documented as \"require HTTP Basic authentication on every request to the UI.\"\n- `--share` \u2014 documented as \"expose the UI on a public address; requires `--auth`.\"\n\nWhen `--auth user:pass` is passed, the CLI prints `Auth: enabled (user: \u003cusername\u003e)` to confirm to the operator that authentication is active, then exports `BACKPROPAGATE_UI_AUTH=user:pass` to the subprocess that launches the Reflex backend.\n\n**The Reflex backend (`backpropagate/ui_app/**`) never reads `BACKPROPAGATE_UI_AUTH`.** No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port \u2014 local or remote, depending on whether `--share` is used \u2014 has full UI access.\n\nAn inline comment at `backpropagate/cli.py:1217-1218` in the v1.1.0 source documents the gap: *\"For Phase 1 the variable is exported but Reflex doesn\u0027t read it yet.\"* This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced.\n\nThis advisory is filed primarily because the runtime contradicted an operator-facing security claim. Code-only bugs of comparable shape (auth check missing entirely from a path) would already warrant disclosure; the additional false-promise dimension raises the severity.\n\n## Impact\n\nAn attacker who reaches the bound port can:\n\n- **Read uploaded datasets** rendered in the UI preview, including content of any JSONL/CSV/TXT file the legitimate operator has uploaded for fine-tuning.\n- **Trigger arbitrary training runs** against any base model the operator has installed locally or that can be downloaded from HuggingFace.\n- **Trigger HuggingFace Hub pushes** to repositories named via the UI input (subject to the operator\u0027s local HF token\u0027s scope \u2014 typically all repos owned by the operator).\n- **Cause disk-fill DoS** via the `rx.upload` endpoint (no size cap, no extension filter, no per-session count cap in v1.1.0 / v1.1.1).\n- **Read model paths** (`source_model_path`, `dataset_path`, `model`, `uploaded_path`) which are user-supplied and bypass the `safe_path()` helper that lives in `backpropagate/ui_security.py` (path validation is dead code on the Reflex surface in v1.1.0 / v1.1.1).\n\nThe combination of unauthenticated training control, HF push target spoofing, and path-input traversal makes the affected endpoint suitable for both data exfiltration (reading uploaded training data) and supply-chain attacks (pushing tampered model weights to the operator\u0027s HF account).\n\nThe local-only default (no `--share`) reduces exposure to a host-local attacker. The `--share` flag is documented as a \"public URL\" feature; operators who used `--share --auth user:pass` had no warning that the auth half was inert.\n\n## Patches\n\nFixed in **v1.2.0** (released 2026-05-23). The patch implements real ASGI middleware via `rx.App(api_transformer=basic_auth_transformer)` that gates HTTP routes AND the `/_event` WebSocket upgrade. Four modes (`no_auth_local_only` / `token_auto` / `explicit_creds` / `production`), HMAC-signed cookie validated PRE-`websocket.accept()`, Host + Origin allowlists. The middleware ships alongside a 4-layer defense in depth at the cli.py / ui_app/app.py / rxconfig.py / env-strip surfaces so direct `python -m reflex run` invocations (bypassing the CLI guard) also enforce authentication.\n\nUpgrade with:\n\n- pip: `pip install --upgrade backpropagate`\n- npm: `npm install -g @mcptoolshop/backpropagate@latest`\n\nFull release notes: https://github.com/mcp-tool-shop-org/backpropagate/blob/main/CHANGELOG.md#120---2026-05-23\n\n## Workarounds\n\nIf users cannot upgrade immediately:\n\n1. **Do not pass `--auth` or `--share` to `backprop ui`.** Run the UI with no flags (`backprop ui`); it will bind to `localhost` and accept any client that can reach `127.0.0.1`.\n2. **For remote access, use SSH port-forwarding** instead of `--share`:\n   ```\n   # On the client:\n   ssh -L 7860:localhost:7860 \u003ctraining-host\u003e\n   # On the server:\n   backprop ui            # no --share\n   # Then open http://localhost:7860 in your local browser.\n   ```\n   SSH provides the authentication layer the Reflex UI did not.\n3. **Audit existing deployments.** If any host running `backpropagate \u003e= 1.1.0` has previously been launched with `--share`, treat any uploaded training data, model paths, or HF push targets visible in that UI session as potentially exposed. Re-issue HF tokens that have been in use during such sessions.\n\n**Binary distribution gap.** Standalone binaries (Windows .exe / macOS .app via PyInstaller) failed to build for v1.2.0 and will land in a follow-up patch release. In the interim, users who relied on the v1.1.x binary distribution should install the patched version via `pip install backpropagate==1.2.0` to receive the auth-bypass fix. The v1.2.0 PyPI package and `@mcptoolshop/backpropagate@1.2.0` npm package both carry the patched code.\n\n## Credit\n\nDiscovered by the dogfood-swarm Stage A audit on 2026-05-22 (finding ID `FRONTEND-A-001`, classified CRITICAL). The audit also surfaced contradicting documentation in CHANGELOG / SHIP_GATE / README; those were corrected in v1.2.0 alongside the runtime fix.",
  "id": "GHSA-f65r-h4g3-3h9h",
  "modified": "2026-06-26T20:34:29Z",
  "published": "2026-06-26T20:34:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mcp-tool-shop-org/backpropagate/security/advisories/GHSA-f65r-h4g3-3h9h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48797"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mcp-tool-shop-org/backpropagate"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mcp-tool-shop-org/backpropagate/releases/tag/v1.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication"
}

GHSA-JX64-R67P-6V8C

Vulnerability from github – Published: 2025-02-14 06:30 – Updated: 2025-08-26 21:31
VLAI
Details

Under certain error conditions at time of SANnav installation or upgrade, the encryption key can be written into and obtained from a Brocade SANnav supportsave. An attacker with privileged access to the Brocade SANnav database could use the encryption key to obtain passwords used by Brocade SANnav.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-14T04:15:08Z",
    "severity": "HIGH"
  },
  "details": "Under certain error conditions at time of SANnav installation or upgrade, the encryption key can be written into and obtained from a Brocade SANnav supportsave.  An attacker with privileged access to the Brocade SANnav database could use the encryption key to obtain passwords used by Brocade SANnav.",
  "id": "GHSA-jx64-r67p-6v8c",
  "modified": "2025-08-26T21:31:06Z",
  "published": "2025-02-14T06:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1053"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25399"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-M6VW-RHWF-XJXQ

Vulnerability from github – Published: 2023-10-17 00:30 – Updated: 2024-04-04 08:42
VLAI
Details

Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295",
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-17T00:15:11Z",
    "severity": "HIGH"
  },
  "details": "Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials.",
  "id": "GHSA-m6vw-rhwf-xjxq",
  "modified": "2024-04-04T08:42:11Z",
  "published": "2023-10-17T00:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4215"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PPM5-JV84-2XG2

Vulnerability from github – Published: 2024-06-25 17:26 – Updated: 2024-06-25 22:18
VLAI
Summary
Aimeos HTML client may potentially reveal sensitive information in error log
Details

Impact

Debug information can reveal sensitive information from environment variables in error log

Affected platform

Laravel environments with multi-vendor setups and admin access for the vendors

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2024.04.1"
            },
            {
              "fixed": "2024.04.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2023.04.1"
            },
            {
              "fixed": "2023.10.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2022.04.1"
            },
            {
              "fixed": "2022.10.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "aimeos/ai-client-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2021.10.1"
            },
            {
              "fixed": "2021.10.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-25T17:26:56Z",
    "nvd_published_at": "2024-06-25T21:15:59Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nDebug information can reveal sensitive information from environment variables in error log\n\n### Affected platform\nLaravel environments with multi-vendor setups and admin access for the vendors",
  "id": "GHSA-ppm5-jv84-2xg2",
  "modified": "2024-06-25T22:18:15Z",
  "published": "2024-06-25T17:26:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/security/advisories/GHSA-ppm5-jv84-2xg2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38516"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aimeos/ai-client-html/commit/bb389620ffc3cf4a2f29c11a1e5f512049e0c132"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aimeos/ai-client-html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Aimeos HTML client may potentially reveal sensitive information in error log"
}

GHSA-Q76Q-CWC5-25WV

Vulnerability from github – Published: 2024-06-14 06:34 – Updated: 2024-07-04 06:35
VLAI
Details

Admin cookies are written in clear-text in logs. An attacker can retrieve them and bypass the authentication mechanism. As for the affected products/models/versions, see the reference URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-14T04:15:39Z",
    "severity": "MODERATE"
  },
  "details": "Admin cookies are written in clear-text in logs. An attacker can retrieve them and bypass the authentication mechanism. As for the affected products/models/versions, see the reference URL.",
  "id": "GHSA-q76q-cwc5-25wv",
  "modified": "2024-07-04T06:35:04Z",
  "published": "2024-06-14T06:34:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27179"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU97136265/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.toshibatec.com/information/20240531_01.html"
    },
    {
      "type": "WEB",
      "url": "https://www.toshibatec.com/information/pdf/information20240531_01.pdf"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRG9-F472-QWFM

Vulnerability from github – Published: 2021-06-28 16:55 – Updated: 2021-06-24 19:46
VLAI
Summary
Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19
Details

Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for NotFoundException is provided.

  • https://vaadin.com/security/cve-2021-31412
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.18"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 14.0.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "14.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 19.0.8"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:vaadin-bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0.0"
            },
            {
              "fixed": "19.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-31412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295",
      "CWE-20",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-24T19:46:19Z",
    "nvd_published_at": "2021-06-24T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Improper sanitization of path in default `RouteNotFoundError` view in `com.vaadin:flow-server` versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows network attacker to enumerate all available routes via crafted HTTP request when application is running in production mode and no custom handler for `NotFoundException` is provided.\n\n- https://vaadin.com/security/cve-2021-31412",
  "id": "GHSA-qrg9-f472-qwfm",
  "modified": "2021-06-24T19:46:19Z",
  "published": "2021-06-28T16:55:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/platform/security/advisories/GHSA-qrg9-f472-qwfm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31412"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow/pull/11107"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2021-31412"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19"
}

GHSA-QV29-2G6C-W6PF

Vulnerability from github – Published: 2025-11-08 00:31 – Updated: 2025-11-10 18:30
VLAI
Details

Inappropriate implementation in Passkeys in Google Chrome prior to 140.0.7339.80 allowed a local attacker to obtain potentially sensitive information via debug logs. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-08T00:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in Passkeys in Google Chrome prior to 140.0.7339.80 allowed a local attacker to obtain potentially sensitive information via debug logs. (Chromium security severity: Low)",
  "id": "GHSA-qv29-2g6c-w6pf",
  "modified": "2025-11-10T18:30:34Z",
  "published": "2025-11-08T00:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12910"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/434977743"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R228-W758-3QFV

Vulnerability from github – Published: 2023-02-10 21:30 – Updated: 2023-02-27 15:30
VLAI
Details

Dell BSAFE SSL-J when used in debug mode can reveal unnecessary information. An attacker could potentially exploit this vulnerability and have access to private information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-10T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell BSAFE SSL-J when used in debug mode can reveal unnecessary information. An attacker could potentially exploit this vulnerability and have access to private information.",
  "id": "GHSA-r228-w758-3qfv",
  "modified": "2023-02-27T15:30:22Z",
  "published": "2023-02-10T21:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34364"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000203275/dsa-2022-188-dell-bsafe-ssl-j-6-5-and-7-1-security-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RV94-849J-V27X

Vulnerability from github – Published: 2025-02-03 06:30 – Updated: 2025-02-03 18:30
VLAI
Details

In DA, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure, if an attacker has physical access to the device, if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS09291146; Issue ID: MSV-2056.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-03T04:15:09Z",
    "severity": "MODERATE"
  },
  "details": "In DA, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure, if an attacker has physical access to the device, if a malicious actor has already obtained the System privilege. User interaction is needed for exploitation. Patch ID: ALPS09291146; Issue ID: MSV-2056.",
  "id": "GHSA-rv94-849j-v27x",
  "modified": "2025-02-03T18:30:41Z",
  "published": "2025-02-03T06:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20643"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/February-2025"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFXF-3935-5JGV

Vulnerability from github – Published: 2025-03-28 15:31 – Updated: 2026-03-20 18:31
VLAI
Details

A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a rulebook and also affects Event Streams.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-28T14:15:21Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in the Ansible Automation Platform\u0027s Event-Driven Ansible. In configurations where verbosity is set to \"debug\", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any \"debug\" action in a rulebook and also affects Event Streams.",
  "id": "GHSA-wfxf-3935-5jgv",
  "modified": "2026-03-20T18:31:14Z",
  "published": "2025-03-28T15:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2877"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible-rulebook/pull/767"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:3636"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:3637"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-2877"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355540"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Ensure that a debug message does not reveal any unnecessary information during the debug process for the intended response.

CAPEC-121: Exploit Non-Production Interfaces

An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.