Common Weakness Enumeration

CWE-212

Allowed

Improper Removal of Sensitive Information Before Storage or Transfer

Abstraction: Base · Status: Incomplete

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

155 vulnerabilities reference this CWE, most recent first.

GHSA-C3M3-28HQ-W97P

Vulnerability from github – Published: 2022-06-14 00:00 – Updated: 2022-06-28 00:00
VLAI
Details

Vulnerability of residual files not being deleted after an update in the ChinaDRM module. Successful exploitation of this vulnerability may affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-13T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability of residual files not being deleted after an update in the ChinaDRM module. Successful exploitation of this vulnerability may affect availability.",
  "id": "GHSA-c3m3-28hq-w97p",
  "modified": "2022-06-28T00:00:59Z",
  "published": "2022-06-14T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46813"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2022/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C3WV-QMJJ-45R6

Vulnerability from github – Published: 2024-04-24 21:42 – Updated: 2024-04-24 21:42
VLAI
Summary
Information disclosure in podman
Details

An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/podman/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-14370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T21:42:22Z",
    "nvd_published_at": "2020-09-23T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.",
  "id": "GHSA-c3wv-qmjj-45r6",
  "modified": "2024-04-24T21:42:22Z",
  "published": "2024-04-24T21:42:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14370"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containers/podman/commit/a7e864e6e7de894d4edde4fff00e53dc6a0b5074"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1874268"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/podman"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G6BPCZX4ASKNONL3MSCK564IVXNYSKLP"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y74V7HGQBNLT6XECCSNZNFZIB7G7XSAR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z4Y2FSGQWP4AFT5AZ6UBN6RKHVXUBRFV"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Information disclosure in podman"
}

GHSA-C7MP-5HG2-GFH8

Vulnerability from github – Published: 2026-05-02 03:31 – Updated: 2026-06-30 03:36
VLAI
Details

In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-02T02:16:00Z",
    "severity": "HIGH"
  },
  "details": "In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.",
  "id": "GHSA-c7mp-5hg2-gfh8",
  "modified": "2026-06-30T03:36:29Z",
  "published": "2026-05-02T03:31:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43824"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43824"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464613"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43824.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJPX-2X82-P6V9

Vulnerability from github – Published: 2022-05-24 17:14 – Updated: 2022-05-24 17:14
VLAI
Details

An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-212"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-14T13:15:00Z",
    "severity": "LOW"
  },
  "details": "An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not scrubbed.",
  "id": "GHSA-cjpx-2x82-p6v9",
  "modified": "2022-05-24T17:14:11Z",
  "published": "2022-05-24T17:14:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11740"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5M2XRNCHOGGTJQBZQJ7DCV6ZNAKN3LE2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVTP4OYHCTRU3ONFJOFJQVNDFB25KLLG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YMAW7D2MP6RE4BFI5BZWOBBWGY3VSOFN"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202005-08"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4723"
    },
    {
      "type": "WEB",
      "url": "https://xenbits.xen.org/xsa/advisory-313.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/04/14/1"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-313.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQXX-66WH-8PJW

Vulnerability from github – Published: 2022-04-01 13:59 – Updated: 2024-09-24 21:11
VLAI
Summary
Improper Removal of Sensitive Information Before Storage or Transfer in irrd
Details

IRRd did not always filter password hashes in query responses relating to mntner objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected.

The issue occurred: * For mntner objects where all password hash names (MD5-PW and CRYPT-PW) were in lower or mixed case in the auth attribute. For these objects, hashes remained in the output of all queries of any method and all database exports made with the export_destination setting. Fortunately, objects in the common public IRR database virtually all use uppercase hash names which means very few of those objects were affected. * For any GraphQL queries that queried the auth field on mntner objects. * For any GraphQL queries that queried the objectText field on the journal field on mntner objects, if the nrtm_access_list setting permitted journal access.

The two GraphQL cases are visible in logs, allowing users to determine whether any existing objects had their hashes exposed. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. All users running a more recent version from the main branch should update to the latest version. Alternatively, but not recommended, apply the patch manually [for 4.2.x]

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "irrd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-01T13:59:17Z",
    "nvd_published_at": "2022-03-31T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected.\n\nThe issue occurred:\n* For `mntner` objects where all password hash names (`MD5-PW` and `CRYPT-PW`) were in lower or mixed case in the `auth` attribute. For these objects, hashes remained in the output of all queries of any method and all database exports made with the `export_destination` setting. Fortunately, objects in the common public IRR database virtually all use uppercase hash names which means very few of those objects were affected.\n* For any GraphQL queries that queried the `auth` field on `mntner` objects.\n* For any GraphQL queries that queried the `objectText` field on the `journal` field on `mntner` objects, if the `nrtm_access_list` setting permitted journal access.\n\nThe two GraphQL cases are visible in logs, allowing users to determine whether any existing objects had their hashes exposed.\nThis has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. All users running a more recent version from the main branch should update to the latest version. Alternatively, but not recommended, apply the patch manually [for 4.2.x]",
  "id": "GHSA-cqxx-66wh-8pjw",
  "modified": "2024-09-24T21:11:09Z",
  "published": "2022-04-01T13:59:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24798"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irrdnet/irrd/commit/0e41bae8d3d27316381a2fc7b466597230e35ec6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irrdnet/irrd/commit/fdffaf8dd71713f06e99dff417e6aa1e6fa84b70"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/irrdnet/irrd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/irrd/PYSEC-2022-178.yaml"
    },
    {
      "type": "WEB",
      "url": "https://irrd.readthedocs.io/en/stable/releases/4.2.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Removal of Sensitive Information Before Storage or Transfer in irrd"
}

GHSA-CRRQ-VR9J-FXXH

Vulnerability from github – Published: 2022-07-06 19:52 – Updated: 2022-07-06 19:52
VLAI
Summary
Protected fields exposed via LiveQuery
Details

Impact

Parse Server LiveQuery does not remove protected fields in classes, passing them to the client.

Patches

The LiveQueryController now removes protected fields from the client response.

Workarounds

Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.

References

  • https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh
  • https://github.com/parse-community/parse-server

For more information

If you have any questions or comments about this advisory: - For questions or comments about this vulnerability visit our community forum or community chat - Report other vulnerabilities at report.parseplatform.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T19:52:23Z",
    "nvd_published_at": "2022-06-30T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nParse Server LiveQuery does not remove protected fields in classes, passing them to the client.\n\n### Patches\nThe LiveQueryController now removes protected fields from the client response.\n\n### Workarounds\nUse `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.\n\n### References\n- https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh\n- https://github.com/parse-community/parse-server\n\n### For more information\nIf you have any questions or comments about this advisory:\n- For questions or comments about this vulnerability visit our [community forum](http://community.parseplatform.org/) or [community chat](http://chat.parseplatform.org/)\n- Report other vulnerabilities at [report.parseplatform.org](https://report.parseplatform.org/)\n",
  "id": "GHSA-crrq-vr9j-fxxh",
  "modified": "2022-07-06T19:52:23Z",
  "published": "2022-07-06T19:52:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31112"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/issues/8073"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/pull/8074"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/054f3e6ab01d66a0dcfb77725af28eac1485b375"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/5.2.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Protected fields exposed via LiveQuery"
}

GHSA-F2WF-25XC-69C9

Vulnerability from github – Published: 2022-06-09 23:47 – Updated: 2022-06-20 21:56
VLAI
Summary
Failure to strip the Cookie header on change in host or HTTP downgrade
Details

Impact

Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the Cookie header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any Cookie header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there.

Patches

Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4.

Workarounds

An alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.

References

For more information

If you have any questions or comments about this advisory, please get in touch with us in #guzzle on the PHP HTTP Slack. Do not report additional security advisories in that public channel, however - please follow our vulnerability reporting process.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "guzzlehttp/guzzle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "6.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "guzzlehttp/guzzle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-09T23:47:25Z",
    "nvd_published_at": "2022-06-10T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n`Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the `Cookie` header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any `Cookie` header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there.\n\n### Patches\n\nAffected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4.\n\n### Workarounds\n\nAn alternative approach would be to use your own redirect middleware, rather than ours, if you are unable to upgrade. If you do not require or expect redirects to be followed, one should simply disable redirects all together.\n\n### References\n\n* [RFC9110 Section 15.4](https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx)\n\n### For more information\n\nIf you have any questions or comments about this advisory, please get in touch with us in `#guzzle` on the [PHP HTTP Slack](https://php-http.slack.com/). Do not report additional security advisories in that public channel, however - please follow our [vulnerability reporting process](https://github.com/guzzle/guzzle/security/policy).\n",
  "id": "GHSA-f2wf-25xc-69c9",
  "modified": "2022-06-20T21:56:53Z",
  "published": "2022-06-09T23:47:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31042"
    },
    {
      "type": "WEB",
      "url": "https://github.com/guzzle/guzzle/commit/e3ff079b22820c2029d4c2a87796b6a0b8716ad8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/guzzlehttp/guzzle/CVE-2022-31042.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/guzzle/guzzle"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5246"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-core-2022-011"
    },
    {
      "type": "WEB",
      "url": "https://www.rfc-editor.org/rfc/rfc9110.html#name-redirection-3xx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Failure to strip the Cookie header on change in host or HTTP downgrade"
}

GHSA-F3JG-756W-GM35

Vulnerability from github – Published: 2026-05-11 21:20 – Updated: 2026-06-08 23:53
VLAI
Summary
Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content
Details

Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review shows sensitive file-write content remains in the stored payload as ContentPreview, OldString, or NewString at the default standard logging level and at full. This leads to logging of potentially sensitive file content in the local sqlite database, violating Gryphs sensitive file filter and log level contracts.

Impact

Potentially sensitive data accessed or written by coding agents may be logged to local sqlite database. Users of Gryph are affected ONLY if their local sqlite database is stolen or exported to remote system with the assumption that no sensitive data is logged.

Patches

Fixed in v0.7.0

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.6.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/safedep/gryph"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T21:20:04Z",
    "nvd_published_at": "2026-05-27T19:16:21Z",
    "severity": "MODERATE"
  },
  "details": "Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard.  Source code review shows sensitive `file-write` content remains in the stored `payload` as `ContentPreview`, `OldString`, or `NewString` at the default `standard` logging level and at `full`. This leads to logging of potentially sensitive file content in the local sqlite database, violating Gryphs sensitive file filter and log level contracts. \n\n### Impact\n\nPotentially sensitive data accessed or written by coding agents may be logged to local sqlite database. Users of Gryph are affected ONLY if their local sqlite database is stolen or exported to remote system with the assumption that no sensitive data is logged.\n\n### Patches\n\nFixed in v0.7.0",
  "id": "GHSA-f3jg-756w-gm35",
  "modified": "2026-06-08T23:53:33Z",
  "published": "2026-05-11T21:20:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/safedep/gryph/security/advisories/GHSA-f3jg-756w-gm35"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45046"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/safedep/gryph"
    },
    {
      "type": "WEB",
      "url": "https://github.com/safedep/gryph/releases/tag/v0.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gryph Agents Payload Filter Fails to Strip Tool Payload for Sensitive Content"
}

GHSA-F3P5-98FC-2GXR

Vulnerability from github – Published: 2022-07-13 00:00 – Updated: 2022-07-23 00:00
VLAI
Details

AMD microprocessor families 15h to 18h are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-212"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "AMD microprocessor families 15h to 18h are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions.",
  "id": "GHSA-f3p5-98fc-2gxr",
  "modified": "2022-07-23T00:00:16Z",
  "published": "2022-07-13T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29900"
    },
    {
      "type": "WEB",
      "url": "https://comsec.ethz.ch/retbleed"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4RW5FCIYFNCQOEFJEUIRW3DGYW7CWBG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLSRW4LLTAT3CZMOYVNTC7YIYGX3KLED"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M27MB3QFNIJV4EQQSXWARHP3OGX6CR6K"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYI3OMJ7RIZNL3C6GUWNANNPEUUID6FM"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202402-07"
    },
    {
      "type": "WEB",
      "url": "https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5184"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5207"
    },
    {
      "type": "WEB",
      "url": "https://www.secpod.com/blog/retbleed-intel-and-amd-processor-information-disclosure-vulnerability"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/07/12/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/07/12/4"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/07/12/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/07/13/1"
    },
    {
      "type": "WEB",
      "url": "http://xenbits.xen.org/xsa/advisory-407.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F556-49JC-4RVC

Vulnerability from github – Published: 2025-10-31 17:31 – Updated: 2025-10-31 17:31
VLAI
Summary
Ansible does not collect garbage after playbook run
Details

A flaw was found in Ansible Base when using the aws_ssm connection plugin as its garbage collector is not happening after the playbook run is completed. Files would remain in the bucket exposing the data. This issue directly affects data confidentiality.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-25635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-31T17:31:57Z",
    "nvd_published_at": "2020-10-05T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as its garbage collector is not happening after the playbook run is completed. Files would remain in the bucket exposing the data. This issue directly affects data confidentiality.",
  "id": "GHSA-f556-49jc-4rvc",
  "modified": "2025-10-31T17:31:57Z",
  "published": "2025-10-31T17:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25635"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible-collections/community.aws/issues/222"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible-collections/community.aws/pull/237#issuecomment-1468591094"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-220.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ansible does not collect garbage after playbook run"
}

Mitigation
Requirements

Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-57
Implementation Operation

Strategy: Attack Surface Reduction

  • Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
  • When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
Mitigation MIT-33
Implementation

Strategy: Attack Surface Reduction

Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

Mitigation
Implementation

Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.

CAPEC-168: Windows ::DATA Alternate Data Stream

An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.