Common Weakness Enumeration

CWE-212

Allowed

Improper Removal of Sensitive Information Before Storage or Transfer

Abstraction: Base · Status: Incomplete

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

155 vulnerabilities reference this CWE, most recent first.

GHSA-WQGP-H8FJ-P489

Vulnerability from github – Published: 2026-05-07 09:31 – Updated: 2026-05-07 09:31
VLAI
Details

A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-07T09:16:24Z",
    "severity": "HIGH"
  },
  "details": "A low privileged remote attacker can gain\u00a0the root password due to improper removal of sensitive information before storage or transfer.",
  "id": "GHSA-wqgp-h8fj-p489",
  "modified": "2026-05-07T09:31:26Z",
  "published": "2026-05-07T09:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43384"
    },
    {
      "type": "WEB",
      "url": "https://certvde.com/en/advisories/VDE-2024-039"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X27P-5F68-M644

Vulnerability from github – Published: 2026-03-29 15:13 – Updated: 2026-03-31 18:51
VLAI
Summary
Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON
Details

Summary

Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level.

Details

Iceberg REST catalog typically needs access to object storage. This access can be configured in multiple different ways. When storage access is achieved by static credentials (e.g. AWS S3 access key) or vended credentials (temporary access key).

Query JSON is a query visualization and performance troubleshooting facility. It includes serialized query plan and handles for table writes or execution of table procedures. A user that submitted a query has access to query JSON for their query. Query JSON is available from Trino UI or via /ui/api/query/«query_id» and /v1/query/«query_id» endpoints.

The storage credentials are stored in those handles when performing write operations, or table maintenance operations. They are serialized in query JSON. A user with write access to data in Iceberg connector configured to use REST Catalog with static or vended credentials can retrieve those credentials.

Impact

Anyone using Iceberg REST catalog with static or vended credentials is impacted. The credentials should be considered compromised. Vended credentials are temporary in nature so they do not need to be rotated. However, underlying data could have been exposed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.trino:trino-iceberg"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "439"
            },
            {
              "fixed": "480"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-29T15:13:30Z",
    "nvd_published_at": "2026-03-31T15:16:18Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nIceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level.\n\n### Details\n\nIceberg REST catalog typically needs access to object storage. This access can be configured in multiple different ways. When storage access is achieved by static credentials (e.g. AWS S3 access key) or vended credentials (temporary access key).\n\nQuery JSON is a query visualization and performance troubleshooting facility. It includes serialized query plan and handles for table writes or  execution of table procedures. A user that submitted a query has access to query JSON for their query. Query JSON is available from Trino UI or via `/ui/api/query/\u00abquery_id\u00bb` and `/v1/query/\u00abquery_id\u00bb` endpoints.\n\nThe storage credentials are stored in those handles when performing write operations, or table maintenance operations. They are serialized in query JSON. A user with write access to data in Iceberg connector configured to use REST Catalog with static or vended credentials can retrieve those credentials.\n\n### Impact\n\nAnyone using Iceberg REST catalog with static or vended credentials is impacted.\nThe credentials should be considered compromised. \nVended credentials are temporary in nature so they do not need to be rotated. However, underlying data could have been exposed.",
  "id": "GHSA-x27p-5f68-m644",
  "modified": "2026-03-31T18:51:27Z",
  "published": "2026-03-29T15:13:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trinodb/trino/security/advisories/GHSA-x27p-5f68-m644"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34214"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trinodb/trino"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trinodb/trino/releases/tag/480"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON"
}

GHSA-X6GV-2RVH-QMP6

Vulnerability from github – Published: 2025-08-13 23:03 – Updated: 2025-10-27 16:22
VLAI
Summary
m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials
Details

Summary

The steam-workshop-deploy github action does not exclude the .git directory when packaging content for deployment and provides no built-in way to do so. If a .git folder exists in the target directory (e.g., due to a local Git repo, custom project structure, or via the actions/checkout workflow), it is silently included in the output package. This results in leakage of sensitive repository metadata and potentially credentials, including github personal access tokens (PATs) embedded in .git/config.

Many game modding projects require packaging from the project root as the game expects certain files (assets, configuration, metadata) to be present at specific root-level paths. Consequently, the .git directory often exists alongside these required files and gets packaged unintentionally, especially when using actions/checkout.

While github hosted runners automatically revoke ephemeral credentials at the end of each job, the severity of this issue increases dramatically in other CI environments:

  • Self-hosted runners may store long-lived tokens or secrets.
  • Developers may maintain their own .git folders with embedded PATs or remotes tied to private repositories.
  • The workflow may run without the actions/checkout action, distributing the .git directory present on the running machine if it exists in the directory.

A real example of an affected mod can be found here: https://github.com/BoldestDungeon/wildermyth-drauven-pcs/security/advisories/GHSA-7j9v-72w9-ww6w

Details

Who is affected: - Any user of steam-workshop-deploy operating in an environment where .git exists in the packaging directory. - Any user of steam-workshop-deploy operating in an environment where the actions/checkout workflow is used and then the .git directory is inadvertently generated within the packaging directory (greatly reduced severity due to the ephemeral nature of github actions).

Impact

The severity of this issue for downstream components can range from 0.0 (no credentials, sensitive metadata, or private source code were present in the packaging directory) to 10.0 (extremely sensitive, high privilige credentials or source code from private repositories were exposed).

The actual severity depends primarily on the permissions, scope, and nature of the exposed data: * Low/none (0.0-3.9): Only non-sensitive repository metadata was exposed, no credentials were present, or only public facing code was included. * Medium(4.0-6.9): Credentials with limited repository access and/or short lifespan (e.g., ephemeral tokens) were exposed, or non-sensitive private code was disclosed. * High/critical (7.0-10.0): Long-lived tokens, organization-wide credentials, or credentials with administrative privileges were exposed, potentially enabling full repository compromise, secret extraction, code tampering, or the complete leak of private repository source code.

As such, each downstream consumer should independently assess their exposure by reviewing packaged artifacts for the presence of .git directories or other credentials, and evaluating both the sensitivity of any credentials found and the confidentiality of any included source code.

Consequences may include: - Unauthorized access to git repositories via exposed PATs. - Tampering with repository code or metadata. - Malicious CI behavior (triggering workflows, reading secrets). - Disclosure of commit history, remote origins, or other sensitive internal structure.

Recommendation

This issue should be considered severe due to the potential exposure of sensitive tokens and repository metadata. Although most workflows that use steam-workshop-deploy also employ actions/checkout, which handles tokens and credentials more securely, there are legitimate use cases where actions/checkout is not used or where custom .git folders exist. Additionally, actions/checkout can accept a on-emphemeral tokens as a parameter for its workflow. In such cases, long-lived or sensitive credentials may be packaged and exposed, greatly increasing the risk of unauthorized access and repository compromise. Therefore, this issue should be considered severe regardless of common usage patterns.

Downstream: - Downstream components should revoke any credentials or PATs associated with workflows or repositories that use this github action

This Deployment Action

  • [x] The action should exclude .git/ and other common sensitive file(s) by default from all packaging operations.
  • [x] A deployignore or similar mechanism should be introduced to give users finer control of what files or directories are included for deployed artifacts
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "m00nl1ght-dev/steam-workshop-deploy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "GitHub Actions",
        "name": "BoldestDungeon/steam-workshop-deploy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-522",
      "CWE-527"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-13T23:03:26Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\nThe `steam-workshop-deploy` github action does not exclude the `.git` directory when packaging content for deployment and provides no built-in way to do so. If a `.git` folder exists in the target directory (e.g., due to a local Git repo, custom project structure, or via  the `actions/checkout` workflow), it is silently included in the output package. This results in leakage of sensitive repository metadata and potentially credentials, including github personal access tokens (PATs) embedded in `.git/config`.\n\nMany game modding projects require packaging from the project root as the game expects certain files (assets, configuration, metadata) to be present at specific root-level paths. Consequently, the `.git` directory often exists alongside these required files and gets packaged unintentionally, especially when using `actions/checkout`.\n\nWhile github hosted runners automatically revoke ephemeral credentials at the end of each job, the severity of this issue increases dramatically in other CI environments:\n\n- Self-hosted runners may store long-lived tokens or secrets.\n- Developers may maintain their own `.git` folders with embedded PATs or remotes tied to private repositories.\n- The workflow may run without the `actions/checkout` action, distributing the `.git` directory present on the running machine if it exists in the directory.\n\nA real example of an affected mod can be found here: https://github.com/BoldestDungeon/wildermyth-drauven-pcs/security/advisories/GHSA-7j9v-72w9-ww6w\n\n## Details\nWho is affected:\n- Any user of `steam-workshop-deploy` operating in an environment where `.git` exists in the packaging directory.\n- Any user of `steam-workshop-deploy` operating in an environment where the [actions/checkout](https://github.com/actions/checkout) workflow is used and then the `.git` directory is inadvertently generated within the packaging directory (greatly reduced severity due to the ephemeral nature of github actions).\n\n## Impact\nThe severity of this issue for downstream components can range from **0.0** (no credentials, sensitive metadata, or private source code were present in the packaging directory) to **10.0** (extremely sensitive, high privilige credentials or source code from private repositories were exposed).\n\nThe actual severity depends primarily on the permissions, scope, and nature of the exposed data:\n* **Low/none (0.0-3.9)**: Only non-sensitive repository metadata was exposed, no credentials were present, or only public facing code was included.\n* **Medium(4.0-6.9)**: Credentials with limited repository access and/or short lifespan (e.g., ephemeral tokens) were exposed, or non-sensitive private code was disclosed.\n* **High/critical (7.0-10.0)**: Long-lived tokens, organization-wide credentials, or credentials with administrative privileges were exposed, potentially enabling full repository compromise, secret extraction, code tampering, or the complete leak of private repository source code.\n\nAs such, each downstream consumer should independently assess their exposure by reviewing packaged artifacts for the presence of `.git` directories or other credentials, and evaluating both the sensitivity of any credentials found and the confidentiality of any included source code.\n\nConsequences may include:\n  - Unauthorized access to git repositories via exposed PATs.\n  - Tampering with repository code or metadata.\n  - Malicious CI behavior (triggering workflows, reading secrets).\n  - Disclosure of commit history, remote origins, or other sensitive internal structure.\n\n## Recommendation\nThis issue should be considered **severe** due to the potential exposure of sensitive tokens and repository metadata. Although most workflows that use `steam-workshop-deploy` also employ `actions/checkout`, which handles tokens and credentials more securely, there are legitimate use cases where `actions/checkout` is not used or where custom `.git` folders exist. Additionally, `actions/checkout` can accept a on-emphemeral tokens as a parameter for its workflow. In such cases, long-lived or sensitive credentials may be packaged and exposed, greatly increasing the risk of unauthorized access and repository compromise.  Therefore, this issue should be considered severe regardless of common usage patterns.\n\n**Downstream:**\n- Downstream components should revoke any credentials or PATs associated with workflows or repositories that use this github action\n\n**This Deployment Action**\n\n- [x] The action should exclude `.git/` and other common sensitive file(s) by default from all packaging operations.\n- [x] A `deployignore` or similar mechanism should be introduced to give users finer control of what files or directories are included for deployed artifacts",
  "id": "GHSA-x6gv-2rvh-qmp6",
  "modified": "2025-10-27T16:22:57Z",
  "published": "2025-08-13T23:03:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/BoldestDungeon/steam-workshop-deploy/security/advisories/GHSA-x6gv-2rvh-qmp6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BoldestDungeon/steam-workshop-deploy/commit/0ba85729da32108e1cc498d1b3d6760857b5c04d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m00nl1ght-dev/steam-workshop-deploy/commit/913f0844e2153d798189397036918f4ceb0911e0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BoldestDungeon/steam-workshop-deploy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BoldestDungeon/steam-workshop-deploy/releases/tag/V2.0.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/m00nl1ght-dev/steam-workshop-deploy/releases/tag/v4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials"
}

GHSA-XCMX-JJ38-V524

Vulnerability from github – Published: 2025-12-19 09:30 – Updated: 2026-02-23 12:31
VLAI
Details

Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-19T07:16:00Z",
    "severity": "MODERATE"
  },
  "details": "Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7",
  "id": "GHSA-xcmx-jj38-v524",
  "modified": "2026-02-23T12:31:29Z",
  "published": "2025-12-19T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14267"
    },
    {
      "type": "WEB",
      "url": "https://empower.m-files.com/security-advisories/CVE-2025-14267"
    },
    {
      "type": "WEB",
      "url": "https://product.m-files.com/security-advisories/cve-2025-14267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XRJ7-V4X4-74HR

Vulnerability from github – Published: 2026-02-18 21:31 – Updated: 2026-02-18 21:31
VLAI
Details

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback uefi_vars_write is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback uefi_vars_read returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-8860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-18T21:16:22Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.",
  "id": "GHSA-xrj7-v4x4-74hr",
  "modified": "2026-02-18T21:31:23Z",
  "published": "2026-02-18T21:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8860"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-8860"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387588"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-57
Implementation Operation

Strategy: Attack Surface Reduction

  • Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
  • When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
Mitigation MIT-33
Implementation

Strategy: Attack Surface Reduction

Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

Mitigation
Implementation

Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.

CAPEC-168: Windows ::DATA Alternate Data Stream

An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.