CWE-209
AllowedGeneration of Error Message Containing Sensitive Information
Abstraction: Base · Status: Draft
The product generates an error message that includes sensitive information about its environment, users, or associated data.
833 vulnerabilities reference this CWE, most recent first.
GHSA-HJ5W-45WX-H9RG
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.
{
"affected": [],
"aliases": [
"CVE-2021-35947"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-07T19:15:00Z",
"severity": "MODERATE"
},
"details": "The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.",
"id": "GHSA-hj5w-45wx-h9rg",
"modified": "2022-05-24T19:13:08Z",
"published": "2022-05-24T19:13:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35947"
},
{
"type": "WEB",
"url": "https://doc.owncloud.com/server/admin_manual/release_notes.html"
},
{
"type": "WEB",
"url": "https://owncloud.com/security-advisories/cve-2021-35947"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HJG2-F45W-C566
Vulnerability from github – Published: 2026-07-06 09:30 – Updated: 2026-07-06 21:30Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component.
The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks. In addition, for Rest DSL consumers the muteException option was not honoured at all: the RestUndertowHttpBinding was created with a hard-coded false, so the stack trace was returned even when muteException=true had been configured. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.undertow.mute-exception=true property), so that processing errors no longer return the stack trace to the client; note that on affected releases this workaround does not cover Rest DSL consumers, whose binding ignores the option until the fix is applied.
{
"affected": [],
"aliases": [
"CVE-2026-56139"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T09:16:39Z",
"severity": "MODERATE"
},
"details": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component.\n\nThe camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application\u0027s internal structure, which an attacker can use to plan further attacks. In addition, for Rest DSL consumers the muteException option was not honoured at all: the RestUndertowHttpBinding was created with a hard-coded false, so the stack trace was returned even when muteException=true had been configured.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.undertow.mute-exception=true property), so that processing errors no longer return the stack trace to the client; note that on affected releases this workaround does not cover Rest DSL consumers, whose binding ignores the option until the fix is applied.",
"id": "GHSA-hjg2-f45w-c566",
"modified": "2026-07-06T21:30:37Z",
"published": "2026-07-06T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56139"
},
{
"type": "WEB",
"url": "https://camel.apache.org/security/CVE-2026-56139.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/05/29"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HJG4-8Q5F-X6FM
Vulnerability from github – Published: 2021-05-05 19:49 – Updated: 2023-07-05 20:17Impact
There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the redirect_to or polymorphic_url helper with untrusted user input.
Vulnerable code will look like this.
redirect_to(params[:some_param])
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example,
private def check(param)
case param
when "valid"
param
else
"/"
end
end
def index
redirect_to(check(params[:some_param]))
end
Or force the user input to be cast to a string like this,
def index
redirect_to(params[:some_param].to_s)
end
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 5-2-information-disclosure.patch - Patch for 5.2 series
- 6-0-information-disclosure.patch - Patch for 6.0 series
- 6-1-information-disclosure.patch - Patch for 6.1 series
Please note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
Thanks to Benoit Côté-Jodoin from Shopify for reporting this.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.3.6"
},
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.3.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.1.3.1"
},
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "6.1.0"
},
{
"fixed": "6.1.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.5"
},
{
"fixed": "5.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.2.4.5"
},
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "5.2.4.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-22885"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-05T19:48:10Z",
"nvd_published_at": "2021-05-27T12:15:00Z",
"severity": "HIGH"
},
"details": "Impact\n------\nThere is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input.\n\nVulnerable code will look like this.\n\n```\nredirect_to(params[:some_param])\n```\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nWorkarounds\n-----------\nTo work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example,\n\n```ruby\nprivate def check(param)\n case param\n when \"valid\"\n param\n else\n \"/\"\n end\nend\n\ndef index\n redirect_to(check(params[:some_param]))\nend\n```\n\nOr force the user input to be cast to a string like this,\n\n```ruby\ndef index\n redirect_to(params[:some_param].to_s)\nend\n```\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* 5-2-information-disclosure.patch - Patch for 5.2 series\n* 6-0-information-disclosure.patch - Patch for 6.0 series\n* 6-1-information-disclosure.patch - Patch for 6.1 series\n\nPlease note that only the 5.2, 6.0, and 6.1 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.\n\nCredits\n-------\n\nThanks to Benoit C\u00f4t\u00e9-Jodoin from Shopify for reporting this.",
"id": "GHSA-hjg4-8q5f-x6fm",
"modified": "2023-07-05T20:17:23Z",
"published": "2021-05-05T19:49:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22885"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1106652"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210805-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Action Pack contains Information Disclosure / Unintended Method Execution vulnerability"
}
GHSA-HJQ3-5XJW-J37Q
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38IBM Jazz Foundation Products could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 183189.
{
"affected": [],
"aliases": [
"CVE-2020-4544"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-08T21:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Jazz Foundation Products could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 183189.",
"id": "GHSA-hjq3-5xjw-j37q",
"modified": "2022-05-24T17:38:21Z",
"published": "2022-05-24T17:38:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4544"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/183189"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6398742"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HM37-9XH2-Q499
Vulnerability from github – Published: 2022-07-06 19:24 – Updated: 2024-10-07 21:17Impact
If a field of a key is shorter than it is declared to be, the parser raises an error with a message containing the raw field value. An attacker able to modify the declared length of a key's sensitive field can thus expose the raw value of that field.
Patches
Upgrade to version 0.0.6, which no longer includes the raw field value in the error message.
Workarounds
N/A
References
N/A
For more information
If you have any questions or comments about this advisory: * Open an issue in openssh_key_parser
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "openssh-key-parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31124"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T19:24:12Z",
"nvd_published_at": "2022-07-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nIf a field of a key is shorter than it is declared to be, the parser raises an error with a message containing the raw field value. An attacker able to modify the declared length of a key\u0027s sensitive field can thus expose the raw value of that field.\n\n### Patches\nUpgrade to version 0.0.6, which no longer includes the raw field value in the error message.\n\n### Workarounds\nN/A\n\n### References\nN/A\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [openssh_key_parser](https://github.com/scottcwang/openssh_key_parser)\n",
"id": "GHSA-hm37-9xh2-q499",
"modified": "2024-10-07T21:17:17Z",
"published": "2022-07-06T19:24:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/scottcwang/openssh_key_parser/security/advisories/GHSA-hm37-9xh2-q499"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31124"
},
{
"type": "WEB",
"url": "https://github.com/scottcwang/openssh_key_parser/pull/5"
},
{
"type": "WEB",
"url": "https://github.com/scottcwang/openssh_key_parser/commit/26e0a471e9fdb23e635bc3014cf4cbd2323a08d3"
},
{
"type": "WEB",
"url": "https://github.com/scottcwang/openssh_key_parser/commit/274447f91b4037b7050ae634879b657554523b39"
},
{
"type": "WEB",
"url": "https://github.com/scottcwang/openssh_key_parser/commit/d5b53b4b7e76c5b666fc657019dbf864fb04076c"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/openssh-key-parser/PYSEC-2022-233.yaml"
},
{
"type": "WEB",
"url": "https://github.com/scottcwang/openssh_key_parser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Possible leak of key\u0027s raw field if declared length is incorrect"
}
GHSA-HM6H-8CG9-XCV7
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed.
{
"affected": [],
"aliases": [
"CVE-2016-9459"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-28T02:59:00Z",
"severity": "MODERATE"
},
"details": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed.",
"id": "GHSA-hm6h-8cg9-xcv7",
"modified": "2022-05-13T01:38:33Z",
"published": "2022-05-13T01:38:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9459"
},
{
"type": "WEB",
"url": "https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070"
},
{
"type": "WEB",
"url": "https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335"
},
{
"type": "WEB",
"url": "https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1"
},
{
"type": "WEB",
"url": "https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/146278"
},
{
"type": "WEB",
"url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-002"
},
{
"type": "WEB",
"url": "https://owncloud.org/security/advisory?id=oc-sa-2016-012"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97284"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HPFW-6CC8-9HHJ
Vulnerability from github – Published: 2022-05-24 17:35 – Updated: 2022-05-24 17:35The aptdaemon DBus interface disclosed file existence disclosure by setting Terminal/DebconfSocket properties, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.
{
"affected": [],
"aliases": [
"CVE-2020-16128"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-09T04:15:00Z",
"severity": "LOW"
},
"details": "The aptdaemon DBus interface disclosed file existence disclosure by setting Terminal/DebconfSocket properties, aka GHSL-2020-192 and GHSL-2020-196. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.",
"id": "GHSA-hpfw-6cc8-9hhj",
"modified": "2022-05-24T17:35:29Z",
"published": "2022-05-24T17:35:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16128"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1899513"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/usn/usn-4664-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HQF8-2R96-C772
Vulnerability from github – Published: 2025-02-27 15:31 – Updated: 2025-02-27 15:31IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.
{
"affected": [],
"aliases": [
"CVE-2024-56493"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T15:15:39Z",
"severity": "LOW"
},
"details": "IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.",
"id": "GHSA-hqf8-2r96-c772",
"modified": "2025-02-27T15:31:52Z",
"published": "2025-02-27T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56493"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7184194"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HR32-MGPM-QF2F
Vulnerability from github – Published: 2021-06-03 23:41 – Updated: 2021-06-03 23:33A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.6.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-client"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.5.7.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.6.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-client-microprofile"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.5.7.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13.2.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.13.2.Final"
},
"package": {
"ecosystem": "Maven",
"name": "org.jboss.resteasy:resteasy-client-microprofile"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.14.0.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-25633"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-03T23:33:32Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server\u0027s potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.",
"id": "GHSA-hr32-mgpm-qf2f",
"modified": "2021-06-03T23:33:32Z",
"published": "2021-06-03T23:41:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25633"
},
{
"type": "WEB",
"url": "https://github.com/resteasy/Resteasy/pull/2665/commits/13c808b5967242eec1e877edbc0014a84dcd6eb0"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/RESTEASY-2820"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Generation of Error Message Containing Sensitive Information in RESTEasy client"
}
GHSA-HRVG-RQ28-FJF5
Vulnerability from github – Published: 2026-03-25 21:30 – Updated: 2026-03-25 21:30IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability.
{
"affected": [],
"aliases": [
"CVE-2026-1262"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T21:16:28Z",
"severity": "MODERATE"
},
"details": "IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 is affected by an information disclosure vulnerability.",
"id": "GHSA-hrvg-rq28-fjf5",
"modified": "2026-03-25T21:30:36Z",
"published": "2026-03-25T21:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1262"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7266748"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Mitigation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Mitigation MIT-33
Strategy: Attack Surface Reduction
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation MIT-40
Strategy: Compilation or Build Hardening
Debugging information should not make its way into a production release.
Mitigation MIT-40
Strategy: Environment Hardening
Debugging information should not make its way into a production release.
Mitigation
Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Mitigation
Create default error pages or messages that do not leak any information.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-54: Query System for Information
An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.
CAPEC-7: Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.