CWE-402
Allowed-with-ReviewTransmission of Private Resources into a New Sphere ('Resource Leak')
Abstraction: Class · Status: Draft
The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.
44 vulnerabilities reference this CWE, most recent first.
CVE-2021-23263 (GCVE-0-2021-23263)
Vulnerability from cvelistv5 – Published: 2021-12-02 15:40 – Updated: 2024-09-16 23:36- CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
| URL | Tags |
|---|---|
| https://docs.craftercms.org/en/3.1/security/advis… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Crafter Software | Crafter CMS |
Affected:
3.1 , < 3.1.15
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:05:54.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Crafter CMS",
"vendor": "Crafter Software",
"versions": [
{
"lessThan": "3.1.15",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Carlos Ortiz"
}
],
"datePublic": "2021-12-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-402",
"description": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-02T15:40:58.000Z",
"orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"shortName": "crafter"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) in Crafter Engine",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@craftersoftware.com",
"DATE_PUBLIC": "2021-12-01T15:40:00.000Z",
"ID": "CVE-2021-23263",
"STATE": "PUBLIC",
"TITLE": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) in Crafter Engine"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Crafter CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.1",
"version_value": "3.1.15"
}
]
}
}
]
},
"vendor_name": "Crafter Software"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Carlos Ortiz"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106",
"refsource": "MISC",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
"assignerShortName": "crafter",
"cveId": "CVE-2021-23263",
"datePublished": "2021-12-02T15:40:58.466Z",
"dateReserved": "2021-01-08T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:36:18.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-8442 (GCVE-0-2017-8442)
Vulnerability from cvelistv5 – Published: 2017-07-07 20:00 – Updated: 2024-08-05 16:34- CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
| URL | Tags |
|---|---|
| https://www.elastic.co/community/security | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| Elastic | Elasticsearch X-Pack Security |
Affected:
5.0.0 to 5.4.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:34:23.206Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.elastic.co/community/security"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Elasticsearch X-Pack Security",
"vendor": "Elastic",
"versions": [
{
"status": "affected",
"version": "5.0.0 to 5.4.3"
}
]
}
],
"datePublic": "2017-07-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-402",
"description": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-07T19:57:01.000Z",
"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"shortName": "elastic"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.elastic.co/community/security"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@elastic.co",
"ID": "CVE-2017-8442",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Elasticsearch X-Pack Security",
"version": {
"version_data": [
{
"version_value": "5.0.0 to 5.4.3"
}
]
}
}
]
},
"vendor_name": "Elastic"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.elastic.co/community/security",
"refsource": "CONFIRM",
"url": "https://www.elastic.co/community/security"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
"assignerShortName": "elastic",
"cveId": "CVE-2017-8442",
"datePublished": "2017-07-07T20:00:00.000Z",
"dateReserved": "2017-05-02T00:00:00.000Z",
"dateUpdated": "2024-08-05T16:34:23.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-22Q5-9PHM-744V
Vulnerability from github – Published: 2025-03-19 20:34 – Updated: 2025-03-19 20:34Impact
Protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them.
It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki (actually it only impacts the main wiki due to XWIKI-22639).
Patches
The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.
Workarounds
There's no workaround except upgrading or applying manually the changes of the commits (see references) in xwiki-platform-rest-server and recompiling / rebuilding it.
References
- Original JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22630
- Related JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22639
- Commits of the patch: https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206 and https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-rest-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.9M1"
},
{
"fixed": "15.10.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-rest-server"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0-rc-1"
},
{
"fixed": "16.4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-rest-server"
},
"ranges": [
{
"events": [
{
"introduced": "16.5.0-rc-1"
},
{
"fixed": "16.10.0-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-29925"
],
"database_specific": {
"cwe_ids": [
"CWE-402"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-19T20:34:43Z",
"nvd_published_at": "2025-03-19T18:15:25Z",
"severity": "HIGH"
},
"details": "### Impact\n\nProtected pages are listed when requesting the REST endpoints `/rest/wikis/[wikiName]/pages` even if the user doesn\u0027t have view rights on them. \nIt\u0027s particularly true if the entire wiki is protected with \"Prevent unregistered user to view pages\": the endpoint would still list the pages of the wiki (actually it only impacts the main wiki due to XWIKI-22639).\n\n### Patches\n\nThe problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.\n\n### Workarounds\n\nThere\u0027s no workaround except upgrading or applying manually the changes of the commits (see references) in `xwiki-platform-rest-server` and recompiling / rebuilding it.\n\n### References\n\n * Original JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22630\n * Related JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22639\n * Commits of the patch: https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206 and https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
"id": "GHSA-22q5-9phm-744v",
"modified": "2025-03-19T20:34:43Z",
"published": "2025-03-19T20:34:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-22q5-9phm-744v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29925"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-22630"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-22639"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XWiki allows unregistered users to access private pages information through REST endpoint"
}
GHSA-25XC-JWFQ-39JW
Vulnerability from github – Published: 2021-04-19 14:50 – Updated: 2022-08-15 20:03Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.
- https://vaadin.com/security/cve-2021-31407
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.4.7"
},
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "2.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:flow-server"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.0.0"
]
}
],
"aliases": [
"CVE-2021-31407"
],
"database_specific": {
"cwe_ids": [
"CWE-402",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-16T23:15:42Z",
"nvd_published_at": "2021-04-23T16:15:00Z",
"severity": "HIGH"
},
"details": "Vulnerability in OSGi integration in `com.vaadin:flow-server` versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.\n\n- https://vaadin.com/security/cve-2021-31407",
"id": "GHSA-25xc-jwfq-39jw",
"modified": "2022-08-15T20:03:44Z",
"published": "2021-04-19T14:50:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/security/advisories/GHSA-25xc-jwfq-39jw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31407"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/osgi/issues/50"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/pull/10229"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/flow/pull/10269"
},
{
"type": "PACKAGE",
"url": "https://github.com/vaadin/flow"
},
{
"type": "WEB",
"url": "https://vaadin.com/security/cve-2021-31407"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OSGi applications using Vaadin 12-14 and 19 vulnerable to server classes and resources exposure"
}
GHSA-2WR2-8QJQ-GH55
Vulnerability from github – Published: 2021-12-16 15:27 – Updated: 2021-12-06 21:35Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.craftercms:crafter-search"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23264"
],
"database_specific": {
"cwe_ids": [
"CWE-402",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-06T21:35:33Z",
"nvd_published_at": "2021-12-02T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.",
"id": "GHSA-2wr2-8qjq-gh55",
"modified": "2021-12-06T21:35:33Z",
"published": "2021-12-16T15:27:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23264"
},
{
"type": "WEB",
"url": "https://github.com/craftercms/craftercms/commit/0e256ef0372c7be9d6e2fefc4652dd4fd94770a1"
},
{
"type": "WEB",
"url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search"
}
GHSA-34H3-8MW4-QW57
Vulnerability from github – Published: 2024-03-29 20:16 – Updated: 2024-03-29 20:16Impact
A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc.
Patches
This issue is patched in 18.3.1
Workarounds
No workarounds, please update to a patched version of @electron/packager immediately if impacated.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@electron/packager"
},
"ranges": [
{
"events": [
{
"introduced": "18.3.0"
},
{
"fixed": "18.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"18.3.0"
]
}
],
"aliases": [
"CVE-2024-29900"
],
"database_specific": {
"cwe_ids": [
"CWE-402"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-29T20:16:22Z",
"nvd_published_at": "2024-03-29T16:15:08Z",
"severity": "HIGH"
},
"details": "### Impact\nA random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc.\n\n### Patches\nThis issue is patched in 18.3.1\n\n### Workarounds\nNo workarounds, please update to a patched version of `@electron/packager` immediately if impacated.\n",
"id": "GHSA-34h3-8mw4-qw57",
"modified": "2024-03-29T20:16:22Z",
"published": "2024-03-29T20:16:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29900"
},
{
"type": "WEB",
"url": "https://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee"
},
{
"type": "PACKAGE",
"url": "https://github.com/electron/packager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@electron/packager\u0027s build process memory potentially leaked into final executable"
}
GHSA-3Q75-RP5F-JFF5
Vulnerability from github – Published: 2025-07-03 15:31 – Updated: 2025-07-03 15:31In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.
{
"affected": [],
"aliases": [
"CVE-2025-49618"
],
"database_specific": {
"cwe_ids": [
"CWE-402"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T13:15:28Z",
"severity": "MODERATE"
},
"details": "In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.",
"id": "GHSA-3q75-rp5f-jff5",
"modified": "2025-07-03T15:31:20Z",
"published": "2025-07-03T15:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49618"
},
{
"type": "WEB",
"url": "https://www.linkedin.com/posts/gaetano-cesano-976420200_qualche-giorno-fa-stavo-testando-plesk-obsidian-activity-7341794923198709761-by9G"
},
{
"type": "WEB",
"url": "https://www.plesk.com/blog/plesk-news-announcements/plesk-obsidian-18-0-69-is-here"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5732-H43F-839F
Vulnerability from github – Published: 2024-12-06 21:30 – Updated: 2024-12-06 21:30Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to obtain the devices serial number if physically adjacent and sniffing the RAW WIFI signal.
{
"affected": [],
"aliases": [
"CVE-2024-47146"
],
"database_specific": {
"cwe_ids": [
"CWE-402"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T19:15:12Z",
"severity": "HIGH"
},
"details": "Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to obtain the devices serial number if physically adjacent and sniffing the RAW WIFI signal.",
"id": "GHSA-5732-h43f-839f",
"modified": "2024-12-06T21:30:39Z",
"published": "2024-12-06T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47146"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5GVR-285Q-PWC3
Vulnerability from github – Published: 2024-02-04 15:30 – Updated: 2024-06-28 18:31A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.
{
"affected": [],
"aliases": [
"CVE-2023-6240"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-327",
"CWE-402"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-04T14:15:47Z",
"severity": "MODERATE"
},
"details": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.",
"id": "GHSA-5gvr-285q-pwc3",
"modified": "2024-06-28T18:31:42Z",
"published": "2024-02-04T15:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1881"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1882"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2758"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3414"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3421"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3618"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3627"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-6240"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250843"
},
{
"type": "WEB",
"url": "https://people.redhat.com/~hkario/marvin"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240628-0002"
},
{
"type": "WEB",
"url": "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-788F-3F4F-VV6F
Vulnerability from github – Published: 2023-09-20 21:31 – Updated: 2024-04-04 07:46An information leak was found in OpenStack's undercloud. This flaw allows unauthenticated, remote attackers to inspect sensitive data after discovering the IP address of the undercloud, possibly leading to compromising private information, including administrator access credentials.
{
"affected": [],
"aliases": [
"CVE-2022-3596"
],
"database_specific": {
"cwe_ids": [
"CWE-402"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-20T20:15:11Z",
"severity": "HIGH"
},
"details": "An information leak was found in OpenStack\u0027s undercloud. This flaw allows unauthenticated, remote attackers to inspect sensitive data after discovering the IP address of the undercloud, possibly leading to compromising private information, including administrator access credentials.",
"id": "GHSA-788f-3f4f-vv6f",
"modified": "2024-04-04T07:46:49Z",
"published": "2023-09-20T21:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3596"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8897"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-3596"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136596"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.