Common Weakness Enumeration

CWE-209

Allowed

Generation of Error Message Containing Sensitive Information

Abstraction: Base · Status: Draft

The product generates an error message that includes sensitive information about its environment, users, or associated data.

833 vulnerabilities reference this CWE, most recent first.

GHSA-3CQF-953P-H5CP

Vulnerability from github – Published: 2024-06-06 19:04 – Updated: 2024-06-06 19:04
VLAI
Summary
Argo-cd authenticated users can enumerate clusters by name
Details

Impact

It’s possible for authenticated users to enumerate clusters by name by inspecting error messages:

$ curl -k 'https://localhost:8080/api/v1/clusters/in-cluster?id.type=name' -H "Authorization: 
Bearer $token"
{"error":"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z","code":7,"message":"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z"}⏎                                 

$ curl -k 'https://localhost:8080/api/v1/clusters/does-not-exist?id.type=name' -H "Authorizati
on: Bearer $token"
{"error":"permission denied","code":7,"message":"permission denied"}

It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters.

curl -k 'https://localhost:8080/api/v1/clusters/in-cluster-project?id.type=name' -H "Authorization: Bearer $token"
{"error":"permission denied: clusters, get, default/, sub: alice, iat: 2022-11-04T20:25:44Z","code":7,"message":"permission denied: clusters, get, default/, sub: alice, iat: 2022-11-04T20:25:44Z"}

curl -k 'https://localhost:8080/api/v1/clusters/does-not-exist?id.type=name' -H "Authorization: Bearer $token"
{"error":"permission denied","code":7,"message":"permission denied"}

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.11.3 v2.10.12 v2.9.17

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd

Credits This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "2.9.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.0"
            },
            {
              "fixed": "2.11.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-06T19:04:54Z",
    "nvd_published_at": "2024-06-06T15:15:45Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIt\u2019s possible for authenticated users to enumerate clusters by name by inspecting error messages:\n\n```\n$ curl -k \u0027https://localhost:8080/api/v1/clusters/in-cluster?id.type=name\u0027 -H \"Authorization: \nBearer $token\"\n{\"error\":\"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z\",\"code\":7,\"message\":\"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z\"}\u23ce                                 \n                                   \n$ curl -k \u0027https://localhost:8080/api/v1/clusters/does-not-exist?id.type=name\u0027 -H \"Authorizati\non: Bearer $token\"\n{\"error\":\"permission denied\",\"code\":7,\"message\":\"permission denied\"}\n```\n\nIt\u2019s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters.\n```\ncurl -k \u0027https://localhost:8080/api/v1/clusters/in-cluster-project?id.type=name\u0027 -H \"Authorization: Bearer $token\"\n{\"error\":\"permission denied: clusters, get, default/, sub: alice, iat: 2022-11-04T20:25:44Z\",\"code\":7,\"message\":\"permission denied: clusters, get, default/, sub: alice, iat: 2022-11-04T20:25:44Z\"}\n\ncurl -k \u0027https://localhost:8080/api/v1/clusters/does-not-exist?id.type=name\u0027 -H \"Authorization: Bearer $token\"\n{\"error\":\"permission denied\",\"code\":7,\"message\":\"permission denied\"}\n```\n\n### Patches\nA patch for this vulnerability has been released in the following Argo CD versions:\n\nv2.11.3\nv2.10.12\nv2.9.17\n\n### For more information\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\nJoin us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\nCredits\nThis vulnerability was found \u0026 reported by @crenshaw-dev (Michael Crenshaw)\n\nThe Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue\n",
  "id": "GHSA-3cqf-953p-h5cp",
  "modified": "2024-06-06T19:04:54Z",
  "published": "2024-06-06T19:04:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3cqf-953p-h5cp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36106"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argo-cd authenticated users can enumerate clusters by name"
}

GHSA-3F65-M234-9MXR

Vulnerability from github – Published: 2024-05-24 20:19 – Updated: 2024-05-29 20:43
VLAI
Summary
github.com/huandu/facebook may expose access_token in error message.
Details

Summary

access_token can be exposed in error message on fail in HTTP request.

Details

Using this module, when HTTP request fails, error message can contain access_token. This can be happen when: - module is sending HTTP request with query parameter ?access_token=.... - and HTTP request fails (errors like facebook: cannot reach facebook server).

In such situation, error message is constucted like following. https://github.com/huandu/facebook/blob/1591be276561bbdb019c0279f1d33cb18a650e1b/session.go#L558-L567 Original error message contained in it comes from net/http module. And it can contain full URL, that can contain query parameter access_token: https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/http/client.go;l=629-633 https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/url/url.go;l=30

It should be very common that applications log error message when they encounter errors. As a result, access_token can be stored into log server and some other infrastructures. Of course other careless error handling in client code that causing other security problems can exist.

I'm not very sure that whether we can consider that github.com/huandu/facebook is vulnerable. Anyway, I think current error message, that can expose access_token, is not desirble.

PoC

Request me this section if you need complete instruction.

Impact

Client applications with following conditions can be affected. - logs error message from this module - or returns error message to client as something like HTTP response. - or uses error messages somewhere

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.7.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/huandu/facebook/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-35232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-24T20:19:53Z",
    "nvd_published_at": "2024-05-24T21:15:59Z",
    "severity": "LOW"
  },
  "details": "### Summary\naccess_token can be exposed in error message on fail in HTTP request.\n\n### Details\nUsing this module, when HTTP request fails, error message can contain access_token. This can be happen when:\n- module is sending HTTP request with query parameter `?access_token=...`.\n- and HTTP request fails (errors like `facebook: cannot reach facebook server`).\n\nIn such situation, error message is constucted like following.\nhttps://github.com/huandu/facebook/blob/1591be276561bbdb019c0279f1d33cb18a650e1b/session.go#L558-L567\nOriginal error message contained in it comes from `net/http` module. And it can contain full URL, that can contain query parameter `access_token`:\nhttps://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/http/client.go;l=629-633\nhttps://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/url/url.go;l=30\n\nIt should be very common that applications log error message when they encounter errors. As a result, access_token can be stored into log server and some other infrastructures. Of course other careless error handling in client code that causing other security problems can exist.\n\nI\u0027m not very sure that whether we can consider that github.com/huandu/facebook is vulnerable. Anyway, I think current error message, that can expose access_token, is not desirble.\n\n### PoC\nRequest me this section if you need complete instruction.\n\n### Impact\nClient applications with following conditions can be affected.\n- logs error message from this module\n- or returns error message to client as something like HTTP response.\n- or uses error messages somewhere\n",
  "id": "GHSA-3f65-m234-9mxr",
  "modified": "2024-05-29T20:43:59Z",
  "published": "2024-05-24T20:19:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/huandu/facebook/security/advisories/GHSA-3f65-m234-9mxr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35232"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huandu/facebook/commit/8b34431b91b32903c8821b1d7621bf81a029d8e4"
    },
    {
      "type": "WEB",
      "url": "https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/http/client.go;l=629-633"
    },
    {
      "type": "WEB",
      "url": "https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/url/url.go;l=30"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huandu/facebook"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huandu/facebook/blob/1591be276561bbdb019c0279f1d33cb18a650e1b/session.go#L558-L567"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "github.com/huandu/facebook may expose access_token in error message."
}

GHSA-3HG9-F2MV-C9RX

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 181857.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-06T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 181857.",
  "id": "GHSA-3hg9-f2mv-c9rx",
  "modified": "2022-05-24T17:33:22Z",
  "published": "2022-05-24T17:33:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4483"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/181857"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6360835"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3HVJ-3CG9-V242

Vulnerability from github – Published: 2023-03-02 23:04 – Updated: 2023-03-13 19:18
VLAI
Summary
Saleor Unauthenticated Information Disclosure Vulnerability via Python Exceptions
Details

Impact

Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests.

Affected versions: Saleor ≥ 2.0.0

Workarounds

None

For more information

If you have any questions or comments about this advisory: * Open a discussion at https://github.com/saleor/saleor/discussions * Email us at hello@saleor.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "3.1.48"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.11.0"
            },
            {
              "fixed": "3.11.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "3.10.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.9.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.8.0"
            },
            {
              "fixed": "3.8.30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "saleor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.7.0"
            },
            {
              "fixed": "3.7.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-02T23:04:10Z",
    "nvd_published_at": "2023-03-02T19:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nSome internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests.\n\nAffected versions: Saleor \u2265 2.0.0\n\n### Workarounds\nNone\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion at https://github.com/saleor/saleor/discussions\n* Email us at [hello@saleor.io](mailto:hello@saleor.io)\n\n",
  "id": "GHSA-3hvj-3cg9-v242",
  "modified": "2023-03-13T19:18:39Z",
  "published": "2023-03-02T23:04:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/security/advisories/GHSA-3hvj-3cg9-v242"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26052"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/saleor/saleor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.1.48"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.10.14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.11.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.7.59"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.8.30"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saleor/saleor/releases/tag/3.9.27"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Saleor Unauthenticated Information Disclosure Vulnerability via Python Exceptions"
}

GHSA-3JP4-JF35-6MQ4

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

IBM Security Guardium 11.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196315.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-24T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Guardium 11.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196315.",
  "id": "GHSA-3jp4-jf35-6mq4",
  "modified": "2022-05-24T19:03:03Z",
  "published": "2022-05-24T19:03:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20428"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196315"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6455281"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3P62-42X7-GXG5

Vulnerability from github – Published: 2024-05-14 22:29 – Updated: 2024-11-18 16:26
VLAI
Summary
Grafana User enumeration via forget password
Details

Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes moderate security fixes for CVE-2022-39307.

We are also releasing security patches for Grafana 8.5.15 to fix these issues.

Release 9.2.4, latest patch, also containing security fix:

Release 8.5.15, only containing security fix:

Appropriate patches have been applied to Grafana Cloud and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana as a service offering.

Username enumeration

Summary

When using the forget password on the login page, a POST request is made to the /api/user/password/sent-reset-email URL. When the username or email does not exist, a JSON response contains a “user not found” message.

The CVSS score for this vulnerability is 5.3 Moderate

Impact

The impacted endpoint leaks information to unauthenticated users and introduces a security risk.

Impacted versions

All installations for Grafana versions Grafana <=9.x, <8.x

Solutions and mitigations

To fully address CVE-2022-39307, please upgrade your Grafana instances. Appropriate patches have been applied to Grafana Cloud.

Reporting security issues

If you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs' open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is

F988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA

The key is available from keyserver.ubuntu.com.

Security announcements

We maintain a security category on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.

You can also subscribe to our RSS feed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.5.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T22:29:31Z",
    "nvd_published_at": "2022-11-09T23:15:12Z",
    "severity": "HIGH"
  },
  "details": "Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes moderate security fixes for CVE-2022-39307.\n\nWe are also releasing security patches for Grafana 8.5.15 to fix these issues.\n\nRelease 9.2.4, latest patch, also containing security fix:\n\n- [Download Grafana 9.2.4](https://grafana.com/grafana/download/9.2.4)\n\nRelease 8.5.15, only containing security fix:\n\n- [Download Grafana 8.5.15](https://grafana.com/grafana/download/8.5.15)\n\nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud) and as always, we closely coordinated with all cloud providers licensed to offer Grafana Pro. They have received early notification under embargo and confirmed that their offerings are secure at the time of this announcement. This is applicable to Amazon Managed Grafana and Azure Managed Grafana as a service offering.\n\n## Username enumeration\n\n### Summary \n\nWhen using the forget password on the login page, a POST request is made to the `/api/user/password/sent-reset-email` URL. When the username or email does not exist, a JSON response contains a \u201cuser not found\u201d message.\n\nThe CVSS score for this vulnerability is [5.3 Moderate](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\u0026version=3.1)\n\n### Impact\n\nThe impacted endpoint leaks information to unauthenticated users and introduces a security risk.\n\n### Impacted versions\n\nAll installations for Grafana versions Grafana \u003c=9.x, \u003c8.x\n\n### Solutions and mitigations\n\nTo fully address CVE-2022-39307, please upgrade your Grafana instances. \nAppropriate patches have been applied to [Grafana Cloud](https://grafana.com/cloud). \n\n## Reporting security issues\n\nIf you think you have found a security vulnerability, please send a report to security@grafana.com. This address can be used for all of Grafana Labs\u0027 open source and commercial products (including, but not limited to Grafana, Grafana Cloud, Grafana Enterprise, and grafana.com). We can accept only vulnerability reports at this address. We would prefer that you encrypt your message to us by using our PGP key. The key fingerprint is\n\nF988 7BEA 027A 049F AE8E 5CAA D125 8932 BE24 C5CA\n\nThe key is available from keyserver.ubuntu.com.\n\n## Security announcements\n\nWe maintain a [security category](https://community.grafana.com/c/support/security-announcements) on our blog, where we will always post a summary, remediation, and mitigation details for any patch containing security fixes.\n\nYou can also subscribe to our [RSS feed](https://grafana.com/tags/security/index.xml).",
  "id": "GHSA-3p62-42x7-gxg5",
  "modified": "2024-11-18T16:26:41Z",
  "published": "2024-05-14T22:29:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana/security/advisories/GHSA-3p62-42x7-gxg5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39307"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/grafana"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221215-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grafana User enumeration via forget password"
}

GHSA-3P6H-JM8P-G7P5

Vulnerability from github – Published: 2024-02-02 00:31 – Updated: 2024-02-07 18:30
VLAI
Details

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product responds back with an error message containing sensitive data if it receives a specific malformed request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-02T00:15:55Z",
    "severity": "MODERATE"
  },
  "details": "In Rapid Software LLC\u0027s Rapid SCADA versions prior to\u00a0Version 5.8.4, the affected product responds back with an error message containing sensitive data if it receives a specific malformed request.\n",
  "id": "GHSA-3p6h-jm8p-g7p5",
  "modified": "2024-02-07T18:30:27Z",
  "published": "2024-02-02T00:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21866"
    },
    {
      "type": "WEB",
      "url": "https://rapidscada.org/contact"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3P77-WG4C-QM24

Vulnerability from github – Published: 2024-01-19 21:30 – Updated: 2026-01-22 20:36
VLAI
Summary
Duplicate Advisory: Exposure of sensitive information in ClickHouse
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-g8ph-74m6-8m7r. This link is maintained to preserve external references.

Original Description

Exposure of sensitive information in exceptions in ClickHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when 'sslkey' is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.clickhouse:clickhouse-r2dbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.clickhouse:clickhouse-jdbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.clickhouse:clickhouse-client"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-23T14:34:54Z",
    "nvd_published_at": "2024-01-19T21:15:10Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-g8ph-74m6-8m7r. This link is maintained to preserve external references.\n\n## Original Description\nExposure of sensitive information in exceptions in ClickHouse\u0027s clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs. This occurs when \u0027sslkey\u0027 is specified and an exception, such as a ClickHouseException or SQLException, is thrown during database operations; the certificate password is then included in the logged exception message.",
  "id": "GHSA-3p77-wg4c-qm24",
  "modified": "2026-01-22T20:36:05Z",
  "published": "2024-01-19T21:30:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ClickHouse/clickhouse-java/security/advisories/GHSA-g8ph-74m6-8m7r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ClickHouse/clickhouse-java/issues/1331"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ClickHouse/clickhouse-java/pull/1334"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ClickHouse/clickhouse-java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ClickHouse/clickhouse-java/releases/tag/v0.4.6"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-g8ph-74m6-8m7r"
    },
    {
      "type": "WEB",
      "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-g8ph-74m6-8m7r"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: Exposure of sensitive information in ClickHouse",
  "withdrawn": "2026-01-22T20:36:05Z"
}

GHSA-3Q5Q-8RWQ-GWP8

Vulnerability from github – Published: 2023-09-22 18:30 – Updated: 2023-09-22 18:30
VLAI
Details

Credential disclosure in the '/webs/userpasswd.htm' endpoint in Juplink RX4-1500 Wifi router firmware versions V1.0.4 and V1.0.5 allows an authenticated attacker to leak the password for the administrative account via requests to the vulnerable endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209",
      "CWE-210"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-22T17:15:09Z",
    "severity": "HIGH"
  },
  "details": "Credential disclosure in the \u0027/webs/userpasswd.htm\u0027 endpoint in Juplink RX4-1500 Wifi router firmware versions V1.0.4 and V1.0.5 allows an authenticated attacker to leak the password for the administrative account via requests to the vulnerable endpoint.\n\n",
  "id": "GHSA-3q5q-8rwq-gwp8",
  "modified": "2023-09-22T18:30:26Z",
  "published": "2023-09-22T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41027"
    },
    {
      "type": "WEB",
      "url": "https://blog.exodusintel.com/2023/09/18/juplink-rx4-1500-credential-disclosure-vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3Q6J-5F25-XFC9

Vulnerability from github – Published: 2025-11-20 15:30 – Updated: 2025-11-21 21:30
VLAI
Details

In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name 'lime_sessions', primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41076"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-20T15:17:29Z",
    "severity": "MODERATE"
  },
  "details": "In version 6.13.0 of LimeSurvey, any external user can cause a 500 error in the survey system by sending a malformed session cookie. Instead of displaying a generic error message, the system exposes internal backend information, including the use of the Yii framework, the MySQL/MariaDB database engine, the table name \u0027lime_sessions\u0027, primary keys, and fragments of the content that caused the conflict. This information can simplify the collection of data about the internal architecture of the application by an attacker.",
  "id": "GHSA-3q6j-5f25-xfc9",
  "modified": "2025-11-21T21:30:17Z",
  "published": "2025-11-20T15:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41076"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-limesurvey-0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Mitigation
Implementation

Handle exceptions internally and do not display errors containing potentially sensitive information to a user.

Mitigation MIT-33
Implementation

Strategy: Attack Surface Reduction

Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

Mitigation MIT-40
Implementation Build and Compilation

Strategy: Compilation or Build Hardening

Debugging information should not make its way into a production release.

Mitigation MIT-40
Implementation Build and Compilation

Strategy: Environment Hardening

Debugging information should not make its way into a production release.

Mitigation
System Configuration

Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.

Mitigation
System Configuration

Create default error pages or messages that do not leak any information.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-54: Query System for Information

An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.

CAPEC-7: Blind SQL Injection

Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.