Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-7H49-6H73-GRW2

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-10-01 00:00
VLAI
Details

An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. Unrestricted access to a high-level system-usage summary allows an attacker to obtain project names and usage metrics.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15775"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-18T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. Unrestricted access to a high-level system-usage summary allows an attacker to obtain project names and usage metrics.",
  "id": "GHSA-7h49-6h73-grw2",
  "modified": "2022-10-01T00:00:25Z",
  "published": "2022-05-24T17:28:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15775"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gradle/gradle/security/advisories"
    },
    {
      "type": "WEB",
      "url": "https://security.gradle.com/advisory/CVE-2020-15775"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7P4C-4HVH-3RQ2

Vulnerability from github – Published: 2024-05-17 09:30 – Updated: 2024-05-17 09:30
VLAI
Details

Insecure Storage of Sensitive Information vulnerability in WPMU DEV Defender Security allows : Screen Temporary Files for Sensitive Information.This issue affects Defender Security: from n/a through 3.3.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-44581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-17T07:15:46Z",
    "severity": "MODERATE"
  },
  "details": "Insecure Storage of Sensitive Information vulnerability in WPMU DEV Defender Security allows : Screen Temporary Files for Sensitive Information.This issue affects Defender Security: from n/a through 3.3.2.",
  "id": "GHSA-7p4c-4hvh-3rq2",
  "modified": "2024-05-17T09:30:58Z",
  "published": "2024-05-17T09:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44581"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/defender-security/wordpress-defender-security-plugin-3-3-2-broken-authentication-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R8R-45G3-PMF8

Vulnerability from github – Published: 2025-05-22 21:30 – Updated: 2025-05-22 21:30
VLAI
Details

Serialized configuration information may be disclosed during device commissioning while using ASPECT's configuration toolsetThis issue affects ASPECT-Enterprise: through 3.; NEXUS Series: through 3.; MATRIX Series: through 3.*.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-22T19:15:39Z",
    "severity": "MODERATE"
  },
  "details": "Serialized configuration information may be disclosed during device commissioning while using ASPECT\u0027s configuration toolsetThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.",
  "id": "GHSA-7r8r-45g3-pmf8",
  "modified": "2025-05-22T21:30:47Z",
  "published": "2025-05-22T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13954"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7RQ6-HG5Q-VCX9

Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-10-14 19:00
VLAI
Details

Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-25T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page.",
  "id": "GHSA-7rq6-hg5q-vcx9",
  "modified": "2022-10-14T19:00:35Z",
  "published": "2022-05-24T17:01:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13719"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/927150"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7W8X-FX6M-5H6X

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:06
VLAI
Details

The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14957"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-01T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository.",
  "id": "GHSA-7w8x-fx6m-5h6x",
  "modified": "2024-04-04T02:06:20Z",
  "published": "2022-05-24T16:57:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14957"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2019/09/26/jetbrains-security-bulletin-q2-2019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WJ2-558X-H38C

Vulnerability from github – Published: 2023-07-17 21:31 – Updated: 2024-04-04 06:11
VLAI
Details

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-17T20:15:13Z",
    "severity": "MODERATE"
  },
  "details": "Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the \"chef-server-ctl reconfigure\" command.",
  "id": "GHSA-7wj2-558x-h38c",
  "modified": "2024-04-04T06:11:48Z",
  "published": "2023-07-17T21:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28864"
    },
    {
      "type": "WEB",
      "url": "https://blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation"
    },
    {
      "type": "WEB",
      "url": "https://docs.chef.io/release_notes_server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chef/chef-server/blob/8a2dc82148844767f7c7728633a03dcee812e56a/omnibus/files/server-ctl-cookbooks/infra-server/recipes/oc_bifrost.rb#L42"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WVC-54WP-PV8X

Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2025-11-04 00:32
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-12T02:15:29Z",
    "severity": "MODERATE"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to access user-sensitive data.",
  "id": "GHSA-7wvc-54wp-pv8x",
  "modified": "2025-11-04T00:32:12Z",
  "published": "2024-12-12T03:33:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54477"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121839"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121840"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121842"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/7"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/8"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Dec/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84PQ-42VW-9J2M

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-16T00:15:00Z",
    "severity": "LOW"
  },
  "details": "A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.",
  "id": "GHSA-84pq-42vw-9j2m",
  "modified": "2022-05-24T17:34:15Z",
  "published": "2022-05-24T17:34:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19561"
    },
    {
      "type": "WEB",
      "url": "https://media.daimler.com/marsMediaSite/en/instance/ko/Mercedes-Benz-and-360-Group-to-join-forces-Mercedes-Benz-and-360-Group-with-its-Cyber-Security-Brain-work-together-to-strengthen-car-IT-security-for-industry.xhtml?oid=45208829"
    },
    {
      "type": "WEB",
      "url": "https://skygo.360.cn/archive/Security-Research-Report-on-Mercedes-Benz-Cars-en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-85VG-GRR5-PW42

Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-18 19:29
VLAI
Summary
Insecure password handling vulnerability in Strapi
Details

Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request. From this, the attacker can get the victim's cookie, base64 decode it, and obtain a cleartext password, leading to getting API documentation for further API attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "strapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/strapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-46440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-18T19:29:59Z",
    "nvd_published_at": "2022-05-03T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim\u0027s HTTP request. From this, the attacker can get the victim\u0027s cookie, base64 decode it, and obtain a cleartext password, leading to getting API documentation for further API attacks.",
  "id": "GHSA-85vg-grr5-pw42",
  "modified": "2022-05-18T19:29:59Z",
  "published": "2022-05-04T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46440"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/pull/12246"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    },
    {
      "type": "WEB",
      "url": "https://hub.docker.com/r/strapi/strapi"
    },
    {
      "type": "WEB",
      "url": "https://strapi.io"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166915/Strapi-3.6.8-Password-Disclosure-Insecure-Handling.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insecure password handling vulnerability in Strapi"
}

GHSA-879X-4CWP-MQV7

Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2025-04-20 03:48
VLAI
Details

SanDisk Secure Access 3.01 vault decrypts and copies encrypted files to a temporary folder, where they can remain indefinitely in certain situations, such as if the file is being edited when the user exits the application or if the application crashes.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-16560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-16T15:29:00Z",
    "severity": "MODERATE"
  },
  "details": "SanDisk Secure Access 3.01 vault decrypts and copies encrypted files to a temporary folder, where they can remain indefinitely in certain situations, such as if the file is being edited when the user exits the application or if the application crashes.",
  "id": "GHSA-879x-4cwp-mqv7",
  "modified": "2025-04-20T03:48:33Z",
  "published": "2022-05-13T01:44:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16560"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40esterling_/cve-2017-16560-sandisk-secure-access-leaves-plain-text-copies-of-files-on-disk-4eabeca6bdbc"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@esterling_/cve-2017-16560-sandisk-secure-access-leaves-plain-text-copies-of-files-on-disk-4eabeca6bdbc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.