Common Weakness Enumeration

CWE-213

Allowed

Exposure of Sensitive Information Due to Incompatible Policies

Abstraction: Base · Status: Draft

The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.

51 vulnerabilities reference this CWE, most recent first.

GHSA-JP2F-V3MV-MPR8

Vulnerability from github – Published: 2026-07-08 09:31 – Updated: 2026-07-08 09:31
VLAI
Details

Exposure of sensitive information due to incompatible policies vulnerability in NOMYSOFT Informatics Education and Consulting Inc. Nomysem allows Accessing Functionality Not Properly Constrained by ACLs.

This issue affects Nomysem: through 08072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-213"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T09:16:34Z",
    "severity": "MODERATE"
  },
  "details": "Exposure of sensitive information due to incompatible policies vulnerability in NOMYSOFT Informatics Education and Consulting Inc. Nomysem allows Accessing Functionality Not Properly Constrained by ACLs.\n\nThis issue affects Nomysem: through 08072026.\u00a0NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-jp2f-v3mv-mpr8",
  "modified": "2026-07-08T09:31:52Z",
  "published": "2026-07-08T09:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6280"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0516"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P9XG-3J9R-V8JF

Vulnerability from github – Published: 2023-03-30 18:30 – Updated: 2025-02-18 18:33
VLAI
Details

Avanquest Software RAD PDF (PDFEscape Online) 3.19.2.2 is vulnerable to Information Leak / Disclosure. The PDFEscape Online tool provides users with a "white out" functionality for redacting images, text, and other graphics from a PDF document. However, this mechanism does not remove underlying text or PDF object specification information from the PDF. As a result, for example, redacted text may be copy-pasted by a PDF reader.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-30350"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-213"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-30T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Avanquest Software RAD PDF (PDFEscape Online) 3.19.2.2 is vulnerable to Information Leak / Disclosure. The PDFEscape Online tool provides users with a \"white out\" functionality for redacting images, text, and other graphics from a PDF document. However, this mechanism does not remove underlying text or PDF object specification information from the PDF. As a result, for example, redacted text may be copy-pasted by a PDF reader.",
  "id": "GHSA-p9xg-3j9r-v8jf",
  "modified": "2025-02-18T18:33:02Z",
  "published": "2023-03-30T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30350"
    },
    {
      "type": "WEB",
      "url": "https://arxiv.org/pdf/2206.02285.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.pdfescape.com/open"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PWVW-RGGJ-F74R

Vulnerability from github – Published: 2024-12-25 15:30 – Updated: 2024-12-25 15:30
VLAI
Details

An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5117"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-213"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-25T15:15:05Z",
    "severity": "LOW"
  },
  "details": "An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.",
  "id": "GHSA-pwvw-rggj-f74r",
  "modified": "2024-12-25T15:30:42Z",
  "published": "2024-12-25T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5117"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/398250"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q475-2PGM-7HVP

Vulnerability from github – Published: 2025-09-26 09:31 – Updated: 2026-06-05 14:17
VLAI
Summary
Apache Airflow: Connection sensitive details exposed to users with READ permissions
Details

Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values.

In Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS configuration option.

This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior.

Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-airflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.3"
            },
            {
              "fixed": "3.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.3"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54831"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-213"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-26T14:54:17Z",
    "nvd_published_at": "2025-09-26T08:15:38Z",
    "severity": "MODERATE"
  },
  "details": "Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a \"write-only\" model for sensitive values.\n\nIn Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option.\n\nThis issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior.\n\nUsers of Airflow 3.0.3 are advised to upgrade Airflow to \u003e=3.0.4.",
  "id": "GHSA-q475-2pgm-7hvp",
  "modified": "2026-06-05T14:17:01Z",
  "published": "2025-09-26T09:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54831"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/airflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2025-85.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/vblmfqtydrp5zgn2q8tj3slk5podxspf"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/09/25/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Airflow: Connection sensitive details exposed to users with READ permissions"
}

GHSA-R28M-G6J9-R2H5

Vulnerability from github – Published: 2019-04-23 16:07 – Updated: 2021-04-23 20:21
VLAI
Summary
Information Exposure vulnerability in Eclipse Jetty
Details

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.2.27.v20190403"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.2.0"
            },
            {
              "fixed": "9.2.28.v20190418"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.3.26.v20190403"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.3.0"
            },
            {
              "fixed": "9.3.27.v20190418"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.4.16.v20190411"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty:jetty-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.4.0"
            },
            {
              "fixed": "9.4.17.v20190418"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-213"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-04-23T16:03:54Z",
    "nvd_published_at": "2019-04-22T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.",
  "id": "GHSA-r28m-g6j9-r2h5",
  "modified": "2021-04-23T20:21:47Z",
  "published": "2019-04-23T16:07:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10246"
    },
    {
      "type": "WEB",
      "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190509-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Information Exposure vulnerability in Eclipse Jetty"
}

GHSA-VG7X-9FX9-RHFV

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-20 18:31
VLAI
Details

HCL Connections is vulnerable to information disclosure. In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-213"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T16:22:01Z",
    "severity": "LOW"
  },
  "details": "HCL Connections is vulnerable to information disclosure.  In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser.",
  "id": "GHSA-vg7x-9fx9-rhfv",
  "modified": "2026-02-20T18:31:33Z",
  "published": "2026-02-20T18:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52603"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124242"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W962-8HWV-W52P

Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-07-25 15:30
VLAI
Details

An issue has been discovered in GitLab EE affecting all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4976"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-213"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-24T07:15:53Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab EE affecting all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.",
  "id": "GHSA-w962-8hwv-w52p",
  "modified": "2025-07-25T15:30:42Z",
  "published": "2025-07-25T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4976"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3149956"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/543905"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WFHX-9FX9-R5GM

Vulnerability from github – Published: 2024-02-08 12:30 – Updated: 2026-05-20 12:30
VLAI
Details

Exposure of Sensitive Information Due to Incompatible Policies vulnerability in Mia Technology Inc. MİA-MED allows Collect Data as Provided by Users.This issue affects MİA-MED: before 1.0.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-213"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-08T12:15:55Z",
    "severity": "HIGH"
  },
  "details": "Exposure of Sensitive Information Due to Incompatible Policies vulnerability in Mia Technology Inc. M\u0130A-MED allows Collect Data as Provided by Users.This issue affects M\u0130A-MED: before 1.0.7.",
  "id": "GHSA-wfhx-9fx9-r5gm",
  "modified": "2026-05-20T12:30:35Z",
  "published": "2024-02-08T12:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6517"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0087"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJ6F-PHFQ-G2GW

Vulnerability from github – Published: 2025-08-18 15:30 – Updated: 2025-08-18 15:30
VLAI
Details

IBM Concert Software 1.0.0 through 1.1.0 is vulnerable to excessive data exposure, allowing attackers to access sensitive information without proper filtering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-213"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-18T14:15:28Z",
    "severity": "LOW"
  },
  "details": "IBM Concert Software 1.0.0 through 1.1.0 is vulnerable to excessive data exposure, allowing attackers to access sensitive information without proper filtering.",
  "id": "GHSA-wj6f-phfq-g2gw",
  "modified": "2025-08-18T15:30:32Z",
  "published": "2025-08-18T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49827"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7242354"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X8PX-6GF5-46X5

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2023-09-21 18:30
VLAI
Details

Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1010283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-213"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-17T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later.",
  "id": "GHSA-x8px-6gf5-46x5",
  "modified": "2023-09-21T18:30:59Z",
  "published": "2022-05-24T16:50:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010283"
    },
    {
      "type": "WEB",
      "url": "https://github.com/univention/univention-corporate-server/commit/a28053045bd2e778c50ed1acaf4e52e1e34f6e34"
    },
    {
      "type": "WEB",
      "url": "https://forge.univention.org/bugzilla/show_bug.cgi?id=48427"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.