CWE-213
AllowedExposure of Sensitive Information Due to Incompatible Policies
Abstraction: Base · Status: Draft
The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.
51 vulnerabilities reference this CWE, most recent first.
GHSA-JP2F-V3MV-MPR8
Vulnerability from github – Published: 2026-07-08 09:31 – Updated: 2026-07-08 09:31Exposure of sensitive information due to incompatible policies vulnerability in NOMYSOFT Informatics Education and Consulting Inc. Nomysem allows Accessing Functionality Not Properly Constrained by ACLs.
This issue affects Nomysem: through 08072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2026-6280"
],
"database_specific": {
"cwe_ids": [
"CWE-213"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T09:16:34Z",
"severity": "MODERATE"
},
"details": "Exposure of sensitive information due to incompatible policies vulnerability in NOMYSOFT Informatics Education and Consulting Inc. Nomysem allows Accessing Functionality Not Properly Constrained by ACLs.\n\nThis issue affects Nomysem: through 08072026.\u00a0NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-jp2f-v3mv-mpr8",
"modified": "2026-07-08T09:31:52Z",
"published": "2026-07-08T09:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6280"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0516"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P9XG-3J9R-V8JF
Vulnerability from github – Published: 2023-03-30 18:30 – Updated: 2025-02-18 18:33Avanquest Software RAD PDF (PDFEscape Online) 3.19.2.2 is vulnerable to Information Leak / Disclosure. The PDFEscape Online tool provides users with a "white out" functionality for redacting images, text, and other graphics from a PDF document. However, this mechanism does not remove underlying text or PDF object specification information from the PDF. As a result, for example, redacted text may be copy-pasted by a PDF reader.
{
"affected": [],
"aliases": [
"CVE-2022-30350"
],
"database_specific": {
"cwe_ids": [
"CWE-213"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-30T16:15:00Z",
"severity": "HIGH"
},
"details": "Avanquest Software RAD PDF (PDFEscape Online) 3.19.2.2 is vulnerable to Information Leak / Disclosure. The PDFEscape Online tool provides users with a \"white out\" functionality for redacting images, text, and other graphics from a PDF document. However, this mechanism does not remove underlying text or PDF object specification information from the PDF. As a result, for example, redacted text may be copy-pasted by a PDF reader.",
"id": "GHSA-p9xg-3j9r-v8jf",
"modified": "2025-02-18T18:33:02Z",
"published": "2023-03-30T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30350"
},
{
"type": "WEB",
"url": "https://arxiv.org/pdf/2206.02285.pdf"
},
{
"type": "WEB",
"url": "https://www.pdfescape.com/open"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PWVW-RGGJ-F74R
Vulnerability from github – Published: 2024-12-25 15:30 – Updated: 2024-12-25 15:30An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.
{
"affected": [],
"aliases": [
"CVE-2023-5117"
],
"database_specific": {
"cwe_ids": [
"CWE-213"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-25T15:15:05Z",
"severity": "LOW"
},
"details": "An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL.",
"id": "GHSA-pwvw-rggj-f74r",
"modified": "2024-12-25T15:30:42Z",
"published": "2024-12-25T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5117"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/398250"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q475-2PGM-7HVP
Vulnerability from github – Published: 2025-09-26 09:31 – Updated: 2026-06-05 14:17Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values.
In Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS configuration option.
This issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior.
Users of Airflow 3.0.3 are advised to upgrade Airflow to >=3.0.4.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.3"
},
{
"fixed": "3.0.4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.0.3"
]
}
],
"aliases": [
"CVE-2025-54831"
],
"database_specific": {
"cwe_ids": [
"CWE-213"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-26T14:54:17Z",
"nvd_published_at": "2025-09-26T08:15:38Z",
"severity": "MODERATE"
},
"details": "Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a \"write-only\" model for sensitive values.\n\nIn Airflow 3.0.3, this model was unintentionally violated: sensitive connection information could be viewed by users with READ permissions through both the API and the UI. This behavior also bypassed the `AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS` configuration option.\n\nThis issue does not affect Airflow 2.x, where exposing sensitive information to connection editors was the intended and documented behavior.\n\nUsers of Airflow 3.0.3 are advised to upgrade Airflow to \u003e=3.0.4.",
"id": "GHSA-q475-2pgm-7hvp",
"modified": "2026-06-05T14:17:01Z",
"published": "2025-09-26T09:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54831"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2025-85.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/vblmfqtydrp5zgn2q8tj3slk5podxspf"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/25/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Apache Airflow: Connection sensitive details exposed to users with READ permissions"
}
GHSA-R28M-G6J9-R2H5
Vulnerability from github – Published: 2019-04-23 16:07 – Updated: 2021-04-23 20:21In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.2.27.v20190403"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.2.0"
},
{
"fixed": "9.2.28.v20190418"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.3.26.v20190403"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.3.0"
},
{
"fixed": "9.3.27.v20190418"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.4.16.v20190411"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.jetty:jetty-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.4.0"
},
{
"fixed": "9.4.17.v20190418"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10246"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-213"
],
"github_reviewed": true,
"github_reviewed_at": "2019-04-23T16:03:54Z",
"nvd_published_at": "2019-04-22T20:29:00Z",
"severity": "MODERATE"
},
"details": "In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.",
"id": "GHSA-r28m-g6j9-r2h5",
"modified": "2021-04-23T20:21:47Z",
"published": "2019-04-23T16:07:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10246"
},
{
"type": "WEB",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190509-0003"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Information Exposure vulnerability in Eclipse Jetty"
}
GHSA-VG7X-9FX9-RHFV
Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-20 18:31HCL Connections is vulnerable to information disclosure. In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser.
{
"affected": [],
"aliases": [
"CVE-2025-52603"
],
"database_specific": {
"cwe_ids": [
"CWE-213"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T16:22:01Z",
"severity": "LOW"
},
"details": "HCL Connections is vulnerable to information disclosure. In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser.",
"id": "GHSA-vg7x-9fx9-rhfv",
"modified": "2026-02-20T18:31:33Z",
"published": "2026-02-20T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52603"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124242"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W962-8HWV-W52P
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-07-25 15:30An issue has been discovered in GitLab EE affecting all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.
{
"affected": [],
"aliases": [
"CVE-2025-4976"
],
"database_specific": {
"cwe_ids": [
"CWE-213"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-24T07:15:53Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab EE affecting all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.",
"id": "GHSA-w962-8hwv-w52p",
"modified": "2025-07-25T15:30:42Z",
"published": "2025-07-25T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4976"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3149956"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/543905"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WFHX-9FX9-R5GM
Vulnerability from github – Published: 2024-02-08 12:30 – Updated: 2026-05-20 12:30Exposure of Sensitive Information Due to Incompatible Policies vulnerability in Mia Technology Inc. MİA-MED allows Collect Data as Provided by Users.This issue affects MİA-MED: before 1.0.7.
{
"affected": [],
"aliases": [
"CVE-2023-6517"
],
"database_specific": {
"cwe_ids": [
"CWE-213"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-08T12:15:55Z",
"severity": "HIGH"
},
"details": "Exposure of Sensitive Information Due to Incompatible Policies vulnerability in Mia Technology Inc. M\u0130A-MED allows Collect Data as Provided by Users.This issue affects M\u0130A-MED: before 1.0.7.",
"id": "GHSA-wfhx-9fx9-r5gm",
"modified": "2026-05-20T12:30:35Z",
"published": "2024-02-08T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6517"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0087"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJ6F-PHFQ-G2GW
Vulnerability from github – Published: 2025-08-18 15:30 – Updated: 2025-08-18 15:30IBM Concert Software 1.0.0 through 1.1.0 is vulnerable to excessive data exposure, allowing attackers to access sensitive information without proper filtering.
{
"affected": [],
"aliases": [
"CVE-2024-49827"
],
"database_specific": {
"cwe_ids": [
"CWE-213"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-18T14:15:28Z",
"severity": "LOW"
},
"details": "IBM Concert Software 1.0.0 through 1.1.0 is vulnerable to excessive data exposure, allowing attackers to access sensitive information without proper filtering.",
"id": "GHSA-wj6f-phfq-g2gw",
"modified": "2025-08-18T15:30:32Z",
"published": "2025-08-18T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49827"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7242354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X8PX-6GF5-46X5
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2023-09-21 18:30Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later.
{
"affected": [],
"aliases": [
"CVE-2019-1010283"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-213"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-17T21:15:00Z",
"severity": "MODERATE"
},
"details": "Univention Corporate Server univention-directory-notifier 12.0.1-3 and earlier is affected by: CWE-213: Intentional Information Exposure. The impact is: Loss of Confidentiality. The component is: function data_on_connection() in src/callback.c. The attack vector is: network connectivity. The fixed version is: 12.0.1-4 and later.",
"id": "GHSA-x8px-6gf5-46x5",
"modified": "2023-09-21T18:30:59Z",
"published": "2022-05-24T16:50:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010283"
},
{
"type": "WEB",
"url": "https://github.com/univention/univention-corporate-server/commit/a28053045bd2e778c50ed1acaf4e52e1e34f6e34"
},
{
"type": "WEB",
"url": "https://forge.univention.org/bugzilla/show_bug.cgi?id=48427"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.