Common Weakness Enumeration

CWE-209

Allowed

Generation of Error Message Containing Sensitive Information

Abstraction: Base · Status: Draft

The product generates an error message that includes sensitive information about its environment, users, or associated data.

833 vulnerabilities reference this CWE, most recent first.

GHSA-C2J7-66M3-R4FF

Vulnerability from github – Published: 2022-08-06 05:39 – Updated: 2022-08-06 05:39
VLAI
Summary
JSPUI's "Internal System Error" page prints exceptions and stack traces without sanitization
Details

Impact

When an "Internal System Error" occurs in the JSPUI, then entire exception (including stack trace) is available. Information in this stacktrace may be useful to an attacker in launching a more sophisticated attack. This vulnerability only impacts the JSPUI.

This vulnerability does NOT impact the XMLUI or 7.x.

Patches

DSpace 6.x: * Fixed in 6.4 via commit: https://github.com/DSpace/DSpace/commit/afcc6c3389729b85d5c7b0230cbf9aaf7452f31a * 6.x patch file: https://github.com/DSpace/DSpace/commit/afcc6c3389729b85d5c7b0230cbf9aaf7452f31a.patch (may be applied manually if an immediate upgrade to 6.4 or above is not possible)

DSpace 5.x: * The 6.x patch file can also be applied to an older 5.x installation. * Alternatively, you can simply apply the workaround documented below. The detailed error information embedded in internal.jsp is not necessary for the JSPUI to function.

Apply the patch to your DSpace

If at all possible, we recommend upgrading your DSpace site based on the upgrade instructions. However, if you are unable to do so, you can manually apply the above patches as follows: 1. Download the appropriate patch file to the machine where DSpace is running 2. From the [dspace-src] folder, apply the patch, e.g. git apply [name-of-file].patch 3. Now, update your DSpace site (based loosely on the Upgrade instructions). This generally involves three steps: 1. Rebuild DSpace, e.g. mvn -U clean package (This will recompile all DSpace code) 2. Redeploy DSpace, e.g. ant update (This will copy all updated WARs / configs to your installation directory). Depending on your setup you also may need to copy the updated WARs over to your Tomcat webapps folder. 3. Restart Tomcat

Workarounds

The detailed error information embedded in internal.jsp is not necessary for the JSPUI to function. Because this error information is also available in the dspace.log files, it does not need to be displayed in internal.jsp.

Modify your internal.jsp, and disable the display of the error message. This is most easily done by setting the returned exception to "null" at all times. For example, add a new line between line number 43 and 44

// This line should exist around line number 43
Throwable ex = (Throwable) request.getAttribute("javax.servlet.error.exception");
// Add workaround for security issue. Ensure exception is always set to null.
ex = null;
// This line should exist around line number 44
if(ex == null) out.println("No stack trace available<br/>");

References

Discovered & reported by Ozkan Erdogan (Brunel University London)

For more information

If you have any questions or comments about this advisory: * Email us at security@dspace.org

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.dspace:dspace-jspui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0"
            },
            {
              "fixed": "6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-06T05:39:46Z",
    "nvd_published_at": "2022-08-01T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen an \"Internal System Error\" occurs in the JSPUI, then entire exception (including stack trace) is available. Information in this stacktrace may be useful to an attacker in launching a more sophisticated attack.  This vulnerability only impacts the JSPUI.\n\n_This vulnerability does NOT impact the XMLUI or 7.x._\n\n### Patches\n\n_DSpace 6.x:_\n* Fixed in 6.4 via commit: https://github.com/DSpace/DSpace/commit/afcc6c3389729b85d5c7b0230cbf9aaf7452f31a\n* 6.x patch file: https://github.com/DSpace/DSpace/commit/afcc6c3389729b85d5c7b0230cbf9aaf7452f31a.patch (may be applied manually if an immediate upgrade to 6.4 or above is not possible)\n\n_DSpace 5.x:_\n* The 6.x patch file can also be applied to an older 5.x installation.\n* Alternatively, you can simply apply the workaround documented below.  The detailed error information embedded in `internal.jsp` is not necessary for the JSPUI to function.\n\n#### Apply the patch to your DSpace\nIf at all possible, we recommend upgrading your DSpace site based on the upgrade instructions. However, if you are unable to do so, you can manually apply the above patches as follows:\n1. Download the appropriate patch file to the machine where DSpace is running\n2. From the `[dspace-src]` folder, apply the patch, e.g. `git apply [name-of-file].patch`\n3. Now, update your DSpace site (based loosely on the Upgrade instructions). This generally involves three steps:\n    1. Rebuild DSpace, e.g. `mvn -U clean package`  (This will recompile all DSpace code)\n    2. Redeploy DSpace, e.g. `ant update`  (This will copy all updated WARs / configs to your installation directory). Depending on your setup you also may need to copy the updated WARs over to your Tomcat webapps folder.\n    3. Restart Tomcat\n\n### Workarounds\n\nThe detailed error information embedded in `internal.jsp` is not necessary for the JSPUI to function.  Because this error information is also available in the `dspace.log` files, it does not need to be displayed in `internal.jsp`.\n\nModify your `internal.jsp`, and disable the display of the error message. This is most easily done by setting the returned exception to \"null\" at all times.  For example, add a new line between line number 43 and 44\n\n```\n// This line should exist around line number 43\nThrowable ex = (Throwable) request.getAttribute(\"javax.servlet.error.exception\");\n// Add workaround for security issue. Ensure exception is always set to null.\nex = null;\n// This line should exist around line number 44\nif(ex == null) out.println(\"No stack trace available\u003cbr/\u003e\");\n```\n\n### References\nDiscovered \u0026 reported by Ozkan Erdogan (Brunel University London)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@dspace.org",
  "id": "GHSA-c2j7-66m3-r4ff",
  "modified": "2022-08-06T05:39:46Z",
  "published": "2022-08-06T05:39:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-c2j7-66m3-r4ff"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31189"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DSpace/DSpace/commit/afcc6c3389729b85d5c7b0230cbf9aaf7452f31a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DSpace/DSpace"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "JSPUI\u0027s \"Internal System Error\" page prints exceptions and stack traces without sanitization"
}

GHSA-C3GC-9PF2-84GG

Vulnerability from github – Published: 2026-05-06 17:54 – Updated: 2026-05-13 14:18
VLAI
Summary
PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
Details

Summary

pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions.

Because /web/<path:filename> is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response.

Details

The issue is caused by the combination of:

  1. Unauthenticated template-render route:
  2. src/pyload/webui/app/blueprints/app_blueprint.py:32-36
  3. @bp.route("/web/<path:filename>", endpoint="web")
  4. data = render_template(filename) with user-controlled filename
  5. no @login_required(...) on this route

  6. Global exception handler exposes traceback to response:

  7. src/pyload/webui/app/handlers.py:14-27
  8. tb = traceback.format_exc()
  9. messages.extend(tb.split('\n'))
  10. returned in rendered error page for all exceptions

  11. Error page renders all messages:

  12. src/pyload/webui/app/themes/modern/templates/base.html:217-219
  13. loops over messages and prints them in response HTML

So any unhandled exception can disclose internal implementation details (stack frames, source paths, exception metadata) to remote unauthenticated clients.

This is a core behavior issue in default WebUI error handling

PoC

#!/usr/bin/env python3
from __future__ import annotations

import re
import shutil
import tempfile
import traceback
from pathlib import Path


ROOT = Path(__file__).resolve().parent / "pyload" / "src" / "pyload"


def read_text(rel: str) -> str:
    return (ROOT / rel).read_text(encoding="utf-8")


def route_has_no_login_required(app_blueprint: str) -> bool:
    m = re.search(
        r'@bp\\.route\\("/web/<path:filename>", endpoint="web"\\)\\s*'
        r"def render\\(filename\\):(?P<body>.*?)(?:\\n\\n@bp\\.route|\\Z)",
        app_blueprint,
        re.DOTALL,
    )
    if not m:
        return False
    block_start = max(0, m.start() - 200)
    block = app_blueprint[block_start:m.end()]
    return "@login_required(" not in block


def main() -> None:
    workdir = Path(tempfile.mkdtemp(prefix="pyload-traceback-infoleak-"))
    try:
        app_blueprint = read_text("webui/app/blueprints/app_blueprint.py")
        handlers = read_text("webui/app/handlers.py")
        base_template = read_text("webui/app/themes/modern/templates/base.html")

        unauth_web_route = '/web/<path:filename>' in app_blueprint and route_has_no_login_required(app_blueprint)
        user_controlled_template_name = "render_template(filename)" in app_blueprint
        handler_uses_traceback = "traceback.format_exc()" in handlers
        handler_appends_trace = "messages.extend(tb.split('\\n'))" in handlers
        global_exception_handler = "(Exception, handle_exception_error)" in handlers
        template_renders_messages = "{% for message in messages %}" in base_template and "{{message}}" in base_template

        leaked_traceback_keyword = False
        leaked_exception_type = False
        try:
            raise RuntimeError("forced-poc-error")
        except Exception:
            tb = traceback.format_exc()
            messages = [f"Error 500: forced-poc-error"]
            messages.extend(tb.split("\\n"))
            joined = "\\n".join(messages)
            leaked_traceback_keyword = "Traceback (most recent call last)" in joined
            leaked_exception_type = "RuntimeError: forced-poc-error" in joined

        repro_success = all(
            [
                unauth_web_route,
                user_controlled_template_name,
                handler_uses_traceback,
                handler_appends_trace,
                global_exception_handler,
                template_renders_messages,
                leaked_traceback_keyword,
                leaked_exception_type,
            ]
        )

        print("unauth_web_route=", unauth_web_route)
        print("user_controlled_template_name=", user_controlled_template_name)
        print("handler_uses_traceback=", handler_uses_traceback)
        print("handler_appends_trace=", handler_appends_trace)
        print("global_exception_handler=", global_exception_handler)
        print("template_renders_messages=", template_renders_messages)
        print("leaked_traceback_keyword=", leaked_traceback_keyword)
        print("leaked_exception_type=", leaked_exception_type)
        print("traceback_infoleak_repro_success=", repro_success)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
        print("cleanup_done=True")


if __name__ == "__main__":
    main()

Observed result:

unauth_web_route= True
user_controlled_template_name= True
handler_uses_traceback= True
handler_appends_trace= True
global_exception_handler= True
template_renders_messages= True
leaked_traceback_keyword= True
leaked_exception_type= True
traceback_infoleak_repro_success= True
cleanup_done=True

Impact

  • Vulnerability type: Information disclosure (stack trace / internal path leakage).
  • Attack surface: unauthenticated WebUI request path.
  • Exposes internal error details that help attackers map application internals and improve exploit reliability for follow-on attacks.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.0b3.dev100"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T17:54:20Z",
    "nvd_published_at": "2026-05-11T18:16:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n`pyload-ng` WebUI returns full Python traceback details to clients on unhandled exceptions.\n\nBecause `/web/\u003cpath:filename\u003e` is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-existent template) and receive internal stack traces in the HTTP response.\n\n### Details\nThe issue is caused by the combination of:\n\n1. Unauthenticated template-render route:\n- `src/pyload/webui/app/blueprints/app_blueprint.py:32-36`\n  - `@bp.route(\"/web/\u003cpath:filename\u003e\", endpoint=\"web\")`\n  - `data = render_template(filename)` with user-controlled `filename`\n  - no `@login_required(...)` on this route\n\n2. Global exception handler exposes traceback to response:\n- `src/pyload/webui/app/handlers.py:14-27`\n  - `tb = traceback.format_exc()`\n  - `messages.extend(tb.split(\u0027\\n\u0027))`\n  - returned in rendered error page for all exceptions\n\n3. Error page renders all `messages`:\n- `src/pyload/webui/app/themes/modern/templates/base.html:217-219`\n  - loops over `messages` and prints them in response HTML\n\nSo any unhandled exception can disclose internal implementation details (stack frames, source paths, exception metadata) to remote unauthenticated clients. \n\nThis is a core behavior issue in default WebUI error handling\n\n### PoC\n```python\n#!/usr/bin/env python3\nfrom __future__ import annotations\n\nimport re\nimport shutil\nimport tempfile\nimport traceback\nfrom pathlib import Path\n\n\nROOT = Path(__file__).resolve().parent / \"pyload\" / \"src\" / \"pyload\"\n\n\ndef read_text(rel: str) -\u003e str:\n    return (ROOT / rel).read_text(encoding=\"utf-8\")\n\n\ndef route_has_no_login_required(app_blueprint: str) -\u003e bool:\n    m = re.search(\n        r\u0027@bp\\\\.route\\\\(\"/web/\u003cpath:filename\u003e\", endpoint=\"web\"\\\\)\\\\s*\u0027\n        r\"def render\\\\(filename\\\\):(?P\u003cbody\u003e.*?)(?:\\\\n\\\\n@bp\\\\.route|\\\\Z)\",\n        app_blueprint,\n        re.DOTALL,\n    )\n    if not m:\n        return False\n    block_start = max(0, m.start() - 200)\n    block = app_blueprint[block_start:m.end()]\n    return \"@login_required(\" not in block\n\n\ndef main() -\u003e None:\n    workdir = Path(tempfile.mkdtemp(prefix=\"pyload-traceback-infoleak-\"))\n    try:\n        app_blueprint = read_text(\"webui/app/blueprints/app_blueprint.py\")\n        handlers = read_text(\"webui/app/handlers.py\")\n        base_template = read_text(\"webui/app/themes/modern/templates/base.html\")\n\n        unauth_web_route = \u0027/web/\u003cpath:filename\u003e\u0027 in app_blueprint and route_has_no_login_required(app_blueprint)\n        user_controlled_template_name = \"render_template(filename)\" in app_blueprint\n        handler_uses_traceback = \"traceback.format_exc()\" in handlers\n        handler_appends_trace = \"messages.extend(tb.split(\u0027\\\\n\u0027))\" in handlers\n        global_exception_handler = \"(Exception, handle_exception_error)\" in handlers\n        template_renders_messages = \"{% for message in messages %}\" in base_template and \"{{message}}\" in base_template\n\n        leaked_traceback_keyword = False\n        leaked_exception_type = False\n        try:\n            raise RuntimeError(\"forced-poc-error\")\n        except Exception:\n            tb = traceback.format_exc()\n            messages = [f\"Error 500: forced-poc-error\"]\n            messages.extend(tb.split(\"\\\\n\"))\n            joined = \"\\\\n\".join(messages)\n            leaked_traceback_keyword = \"Traceback (most recent call last)\" in joined\n            leaked_exception_type = \"RuntimeError: forced-poc-error\" in joined\n\n        repro_success = all(\n            [\n                unauth_web_route,\n                user_controlled_template_name,\n                handler_uses_traceback,\n                handler_appends_trace,\n                global_exception_handler,\n                template_renders_messages,\n                leaked_traceback_keyword,\n                leaked_exception_type,\n            ]\n        )\n\n        print(\"unauth_web_route=\", unauth_web_route)\n        print(\"user_controlled_template_name=\", user_controlled_template_name)\n        print(\"handler_uses_traceback=\", handler_uses_traceback)\n        print(\"handler_appends_trace=\", handler_appends_trace)\n        print(\"global_exception_handler=\", global_exception_handler)\n        print(\"template_renders_messages=\", template_renders_messages)\n        print(\"leaked_traceback_keyword=\", leaked_traceback_keyword)\n        print(\"leaked_exception_type=\", leaked_exception_type)\n        print(\"traceback_infoleak_repro_success=\", repro_success)\n    finally:\n        shutil.rmtree(workdir, ignore_errors=True)\n        print(\"cleanup_done=True\")\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\nObserved result:\n```text\nunauth_web_route= True\nuser_controlled_template_name= True\nhandler_uses_traceback= True\nhandler_appends_trace= True\nglobal_exception_handler= True\ntemplate_renders_messages= True\nleaked_traceback_keyword= True\nleaked_exception_type= True\ntraceback_infoleak_repro_success= True\ncleanup_done=True\n```\n\n### Impact\n- Vulnerability type: Information disclosure (stack trace / internal path leakage).\n- Attack surface: unauthenticated WebUI request path.\n- Exposes internal error details that help attackers map application internals and improve exploit reliability for follow-on attacks.",
  "id": "GHSA-c3gc-9pf2-84gg",
  "modified": "2026-05-13T14:18:12Z",
  "published": "2026-05-06T17:54:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-c3gc-9pf2-84gg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44226"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI"
}

GHSA-C52R-R6J6-X3C5

Vulnerability from github – Published: 2025-01-25 15:30 – Updated: 2025-01-25 15:30
VLAI
Details

IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0 could disclose sensitive information about the system that could aid in further attacks against the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38716"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-25T14:15:28Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, and 2.3.4.0 could disclose sensitive information about the system that could aid in further attacks against the system.",
  "id": "GHSA-c52r-r6j6-x3c5",
  "modified": "2025-01-25T15:30:31Z",
  "published": "2025-01-25T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38716"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7148474"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C5RF-2F3R-9GR9

Vulnerability from github – Published: 2025-02-04 18:30 – Updated: 2025-02-04 18:30
VLAI
Details

IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45659"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-04T18:15:34Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.",
  "id": "GHSA-c5rf-2f3r-9gr9",
  "modified": "2025-02-04T18:30:48Z",
  "published": "2025-02-04T18:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45659"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7182386"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C66C-VQ6W-FVH5

Vulnerability from github – Published: 2026-06-05 15:25 – Updated: 2026-06-05 15:25
VLAI
Summary
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic
Details

Summary

managementServer.CreateSchematic (internal/backend/grpc/schematics.go) passes the caller-controlled TalosVersion field directly to imageFactoryClient.OverlaysVersions, which embeds it verbatim into a fmt.Sprintf("/version/%s/overlays/official", talosVersion) path template. url.URL.JoinPath resolves any ../ sequences in that path, allowing an authenticated Operator to rewrite the URL path and force Omni to issue HTTP GET requests to unintended paths on the configured image-factory server. Error body content from those unintended endpoints is returned to the caller.

Severity

  • Attack Vector: Network: exploited via the gRPC CreateSchematic API endpoint.
  • Attack Complexity: Low: once the attacker holds an Operator credential and has identified a media ID with an overlay, exploitation is a single API call.
  • Privileges Required: High: role.Operator is required, which has administrative capabilities on Omni.
  • User Interaction: None.
  • Scope: Unchanged: the traversal is constrained to the configured image-factory host; the attacker cannot redirect Omni to an arbitrary external server.
  • Confidentiality Impact: Low: error body content from unintended image-factory endpoints is reflected back to the operator, potentially leaking server-internal information.
  • Integrity Impact: None: only HTTP GET requests are issued; no write operations are performed.
  • Availability Impact: None.

Impact

  • Same-host path traversal: An authenticated Operator can force Omni to issue GET requests to arbitrary URL paths on the configured image-factory server, bypassing the intended versioned overlay API structure.
  • Error-body disclosure: HTTP error responses from unintended image-factory endpoints are reflected back to the operator, potentially leaking server-internal diagnostics or sensitive path content.
  • Internal network probing: In deployments using a private image-factory instance on an internal network, the attacker can probe endpoint existence and partial responses through error-text differences.
  • Depth control: By varying the number of ../ prefixes in talosVersion, the attacker can reach any path hierarchy on the image-factory host.

Credit

This vulnerability was discovered and reported by bugbunny.ai.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siderolabs/omni"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siderolabs/omni"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45723"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-209",
      "CWE-22",
      "CWE-441",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T15:25:58Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\n\n`managementServer.CreateSchematic` (`internal/backend/grpc/schematics.go`) passes the caller-controlled `TalosVersion` field directly to `imageFactoryClient.OverlaysVersions`, which embeds it verbatim into a `fmt.Sprintf(\"/version/%s/overlays/official\", talosVersion)` path template. `url.URL.JoinPath` resolves any `../` sequences in that path, allowing an authenticated Operator to rewrite the URL path and force Omni to issue HTTP GET requests to unintended paths on the configured image-factory server. Error body content from those unintended endpoints is returned to the caller.\n\n## Severity\n\n- **Attack Vector:** Network: exploited via the gRPC `CreateSchematic` API endpoint.\n- **Attack Complexity:** Low: once the attacker holds an Operator credential and has identified a media ID with an overlay, exploitation is a single API call.\n- **Privileges Required:** High: `role.Operator` is required, which has administrative capabilities on Omni.\n- **User Interaction:** None.\n- **Scope:** Unchanged: the traversal is constrained to the configured image-factory host; the attacker cannot redirect Omni to an arbitrary external server.\n- **Confidentiality Impact:** Low: error body content from unintended image-factory endpoints is reflected back to the operator, potentially leaking server-internal information.\n- **Integrity Impact:** None: only HTTP GET requests are issued; no write operations are performed.\n- **Availability Impact:** None.\n\n## Impact\n\n- **Same-host path traversal**: An authenticated Operator can force Omni to issue GET requests to arbitrary URL paths on the configured image-factory server, bypassing the intended versioned overlay API structure.\n- **Error-body disclosure**: HTTP error responses from unintended image-factory endpoints are reflected back to the operator, potentially leaking server-internal diagnostics or sensitive path content.\n- **Internal network probing**: In deployments using a private image-factory instance on an internal network, the attacker can probe endpoint existence and partial responses through error-text differences.\n- **Depth control**: By varying the number of `../` prefixes in `talosVersion`, the attacker can reach any path hierarchy on the image-factory host.\n\n## Credit\nThis vulnerability was discovered and reported by [bugbunny.ai](https://bugbunny.ai).",
  "id": "GHSA-c66c-vq6w-fvh5",
  "modified": "2026-06-05T15:25:58Z",
  "published": "2026-06-05T15:25:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/security/advisories/GHSA-c66c-vq6w-fvh5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siderolabs/omni"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/releases/tag/v1.6.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siderolabs/omni/releases/tag/v1.7.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic"
}

GHSA-C6H4-5P2H-25V8

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30
VLAI
Details

A vulnerability has been identified in Desigo Insight (All versions). Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in Desigo Insight (All versions). Some error messages in the web application show the absolute path to the requested resource. This could allow an authenticated attacker to retrieve additional information about the host system.",
  "id": "GHSA-c6h4-5p2h-25v8",
  "modified": "2022-05-24T17:30:44Z",
  "published": "2022-05-24T17:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15794"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-226339.pdf"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-287-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-C8C2-H4X6-97WV

Vulnerability from github – Published: 2025-03-05 00:30 – Updated: 2025-03-05 00:30
VLAI
Details

After attempting to upload a file that does not meet prerequisites, GMOD Apollo will respond with local path information disclosure

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-20002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-05T00:15:37Z",
    "severity": "MODERATE"
  },
  "details": "After attempting to upload a file that does not meet prerequisites, GMOD Apollo will respond with local path information disclosure",
  "id": "GHSA-c8c2-h4x6-97wv",
  "modified": "2025-03-05T00:30:35Z",
  "published": "2025-03-05T00:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20002"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GMOD/Apollo"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-063-07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-C8HJ-W239-5GVF

Vulnerability from github – Published: 2023-11-15 14:49 – Updated: 2023-11-15 23:22
VLAI
Summary
pimcore/admin-ui-classic-bundle Full Path Disclosure via re-export document
Details

Impact

Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.

In the case of pimcore, the fopen() function here doesn't have an error handle when the file doesn't exist on the server so the server response raises the full path "fopen(/var/www/html/var/tmp/export-{ uniqe id}.csv)"

Patches

Apply patch https://github.com/pimcore/admin-ui-classic-bundle/commit/10d178ef771097604a256c1192b098af9ec57a87.patch

Workarounds

Update to version 1.2.1 or apply patches manually

References

https://huntr.com/bounties/4af4db18-9fd4-43e9-8bc6-c88aaf76839c/

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/admin-ui-classic-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-47636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-15T14:49:41Z",
    "nvd_published_at": "2023-11-15T20:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nFull Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.\n\nIn the case of pimcore, the fopen() function here doesn\u0027t have an error handle when the file doesn\u0027t exist on the server so the server response raises the full path \"fopen(/var/www/html/var/tmp/export-{ uniqe id}.csv)\"\n\n### Patches\nApply patch https://github.com/pimcore/admin-ui-classic-bundle/commit/10d178ef771097604a256c1192b098af9ec57a87.patch\n\n### Workarounds\nUpdate to version 1.2.1 or apply [patches](https://github.com/pimcore/admin-ui-classic-bundle/commit/10d178ef771097604a256c1192b098af9ec57a87.patch) manually\n\n### References\nhttps://huntr.com/bounties/4af4db18-9fd4-43e9-8bc6-c88aaf76839c/",
  "id": "GHSA-c8hj-w239-5gvf",
  "modified": "2023-11-15T23:22:45Z",
  "published": "2023-11-15T14:49:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-c8hj-w239-5gvf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47636"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/10d178ef771097604a256c1192b098af9ec57a87"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/4af4db18-9fd4-43e9-8bc6-c88aaf76839c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pimcore/admin-ui-classic-bundle Full Path Disclosure via re-export document"
}

GHSA-CC8F-FCX3-GPJR

Vulnerability from github – Published: 2026-06-19 22:10 – Updated: 2026-06-19 22:10
VLAI
Summary
SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter
Details

SurrealDB's full-text search lets you define a text analyzer whose mapper filter loads a term-mapping file from disk (DEFINE ANALYZER ... FILTERS mapper('<path>')). A database user with the EDITOR or OWNER role could point that filter at any file the SurrealDB process can read and have its content returned in the query's error message.

File access is meant to be restricted by the SURREAL_FILE_ALLOWLIST setting, but an empty allowlist applied no restriction at all — and empty is the default.

Impact

The file is read with the privileges of the SurrealDB process, so a database EDITOR or OWNER user can disclose the contents of any file the process can access. Only the first line of the file is returned, except for files with no newlines.

However recovering the process's command line and environment could expose startup root credentials (--user / --pass) and secret environment variables, escalating a single-database role toward full control of the instance.

The read on the underlying filesystem is bounded by what the SurrealDB process can reach — any file readable by the OS user it runs as — so the impact scales with how the process is run and what is mounted into it.

Patches

A patch has been included in SurrealDB 3.1.5.

File access is now secure by default. check_is_path_allowed denies every path when no SURREAL_FILE_ALLOWLIST is configured, so the mapper filter cannot open any file unless the operator has explicitly allowed its directory. Analyzer parse errors no longer include the contents of the mapped file, only the line number.

Workarounds

Users unable to upgrade are advised to consider the following:

  • Set SURREAL_FILE_ALLOWLIST to a directory that contains only the intended mapping files; this confines the mapper filter to that path. On affected versions the allowlist must be non-empty to have any effect.
  • Grant the EDITOR and OWNER database roles only to trusted principals.
  • Avoid supplying secrets — including the root credentials — on the command line or through environment variables; prefer mounted files with least-privilege permissions.

References

Acknowledgements

Thanks to Jan Kahmen (@kah-ja) for finding and reporting this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "surrealdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-209",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T22:10:48Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "SurrealDB\u0027s full-text search lets you define a text analyzer whose `mapper` filter loads a term-mapping file from disk (`DEFINE ANALYZER ... FILTERS mapper(\u0027\u003cpath\u003e\u0027)`). A database user with the `EDITOR` or `OWNER` role could point that filter at any file the SurrealDB process can read and have its content returned in the query\u0027s error message.\n\nFile access is meant to be restricted by the `SURREAL_FILE_ALLOWLIST` setting, but an empty allowlist applied no restriction at all \u2014 and empty is the default. \n\n## Impact\n\nThe file is read with the privileges of the SurrealDB process, so a database `EDITOR` or `OWNER` user can disclose the contents of any file the process can access. Only the **first line** of the file is returned, except for files with no newlines.\n\nHowever recovering the process\u0027s command line and environment could expose startup root credentials (`--user` / `--pass`) and secret environment variables, escalating a single-database role toward full control of the instance.\n\nThe read on the underlying filesystem is bounded by what the SurrealDB process can reach \u2014 any file readable by the OS user it runs as \u2014 so the impact scales with how the process is run and what is mounted into it.\n\n## Patches\n\nA patch has been included in SurrealDB 3.1.5.\n\nFile access is now secure by default. `check_is_path_allowed` denies every path when no `SURREAL_FILE_ALLOWLIST` is configured, so the `mapper` filter cannot open any file unless the operator has explicitly allowed its directory. Analyzer parse errors no longer include the contents of the mapped file, only the line number.\n\n## Workarounds\n\nUsers unable to upgrade are advised to consider the following:\n\n- Set `SURREAL_FILE_ALLOWLIST` to a directory that contains only the intended mapping files; this confines the `mapper` filter to that path. On affected versions the allowlist must be non-empty to have any effect.\n- Grant the `EDITOR` and `OWNER` database roles only to trusted principals.\n- Avoid supplying secrets \u2014 including the root credentials \u2014 on the command line or through environment variables; prefer mounted files with least-privilege permissions.\n\n## References\n\n- [SurrealQL Documentation \u2014 DEFINE ANALYZER](https://surrealdb.com/docs/surrealql/statements/define/analyzer#define-analyzer-statement)\n- [SurrealDB Documentation \u2014 Capabilities](https://surrealdb.com/docs/surrealdb/security/capabilities)\n- Related earlier advisory: [GHSA-2cvj-g5r5-jrrg](https://github.com/surrealdb/surrealdb/security/advisories/GHSA-2cvj-g5r5-jrrg) local file read of 2-column TSV files via analyzers\n- https://github.com/surrealdb/surrealdb/pull/5600\n- fix(iam): deny filesystem access by default and stop leaking file content in analyzer errors\n\n## Acknowledgements\n\nThanks to Jan Kahmen ([@kah-ja](https://github.com/kah-ja)) for finding and reporting this issue.",
  "id": "GHSA-cc8f-fcx3-gpjr",
  "modified": "2026-06-19T22:10:48Z",
  "published": "2026-06-19T22:10:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-cc8f-fcx3-gpjr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/surrealdb/surrealdb/pull/5600"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/surrealdb/surrealdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter"
}

GHSA-CFPF-6674-H88V

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07
VLAI
Details

IBM Cloud Pak for Applications 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. X-Force ID: 196309.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-209"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cloud Pak for Applications 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. X-Force ID: 196309.",
  "id": "GHSA-cfpf-6674-h88v",
  "modified": "2022-05-24T19:07:32Z",
  "published": "2022-05-24T19:07:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20424"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196309"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6471325"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-39
Implementation
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Mitigation
Implementation

Handle exceptions internally and do not display errors containing potentially sensitive information to a user.

Mitigation MIT-33
Implementation

Strategy: Attack Surface Reduction

Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

Mitigation MIT-40
Implementation Build and Compilation

Strategy: Compilation or Build Hardening

Debugging information should not make its way into a production release.

Mitigation MIT-40
Implementation Build and Compilation

Strategy: Environment Hardening

Debugging information should not make its way into a production release.

Mitigation
System Configuration

Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.

Mitigation
System Configuration

Create default error pages or messages that do not leak any information.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.

CAPEC-463: Padding Oracle Crypto Attack

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

CAPEC-54: Query System for Information

An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.

CAPEC-7: Blind SQL Injection

Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.