CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Description
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79
CVEs mapped to this weakness (7,319)
page 120 of 366| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-8239 | Med | 0.36 | 5.5 | 0.00 | Jun 13, 2017 | In all Android releases from CAF using the Linux kernel, userspace-controlled parameters for flash initialization are not sanitized potentially leading to exposure of kernel memory. | ||
| CVE-2017-9605 | Med | 0.36 | 5.5 | 0.00 | Jun 13, 2017 | The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface,… | ||
| CVE-2016-3696 | Med | 0.36 | 5.5 | 0.00 | Jun 13, 2017 | The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key. | ||
| CVE-2017-6696 | Med | 0.36 | 5.5 | 0.00 | Jun 13, 2017 | A vulnerability in the file system of Cisco Elastic Services Controllers could allow an authenticated, local attacker to gain access to sensitive user credentials that are stored in an affected system. More Information: CSCvd73677. Known Affected Releases: 2.3(2). | ||
| CVE-2017-6695 | Med | 0.36 | 5.5 | 0.00 | Jun 13, 2017 | A vulnerability in the ConfD server in Cisco Ultra Services Platform could allow an authenticated, local attacker to view sensitive information. More Information: CSCvd29398. Known Affected Releases: 21.0.v0.65839. | ||
| CVE-2016-3095 | Med | 0.36 | 5.5 | 0.00 | Jun 8, 2017 | server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows local users to read the generated private key. | ||
| CVE-2016-3111 | Med | 0.36 | 5.5 | 0.00 | Jun 8, 2017 | pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated… | ||
| CVE-2016-8939 | Med | 0.36 | 5.5 | 0.00 | Jun 7, 2017 | IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) clients/agents store password information in the Windows Registry in a manner which can be compromised. IBM X-Force ID: 118790. | ||
| CVE-2016-5960 | Med | 0.36 | 5.5 | 0.00 | Jun 7, 2017 | IBM Security Privileged Identity Manager 2.0.2 and 2.1.0 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 116171. | ||
| CVE-2014-9951 | Med | 0.36 | 5.5 | 0.00 | Jun 6, 2017 | In TrustZone in all Android releases from CAF using the Linux kernel, an Information Exposure Through Timing Discrepancy vulnerability could potentially exist. | ||
| CVE-2014-9947 | Med | 0.36 | 5.5 | 0.00 | Jun 6, 2017 | In TrustZone in all Android releases from CAF using the Linux kernel, an Information Exposure vulnerability could potentially exist. | ||
| CVE-2016-7977 | Med | 0.36 | 5.5 | 0.05 | May 23, 2017 | Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently read arbitrary files via the use of the .libfile operator in a crafted postscript document. | ||
| CVE-2015-5382 | Med | 0.36 | 6.5 | 0.03 | May 23, 2017 | program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard. | ||
| CVE-2017-6987 | Med | 0.36 | 5.5 | 0.01 | May 22, 2017 | An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read… | ||
| CVE-2017-2507 | Med | 0.36 | 5.5 | 0.01 | May 22, 2017 | An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read… | ||
| CVE-2015-9001 | Med | 0.36 | 5.5 | 0.01 | May 16, 2017 | In TrustZone an information exposure vulnerability can potentially occur in all Android releases from CAF using the Linux kernel. | ||
| CVE-2017-7495 | Med | 0.36 | 5.5 | 0.00 | May 15, 2017 | fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-flushing-before-commit list, which allows local users to obtain sensitive information from other users' files in opportunistic circumstances by waiting for a hardware reset,… | ||
| CVE-2016-4839 | Med | 0.36 | 5.5 | 0.02 | May 12, 2017 | The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for… | ||
| CVE-2017-0626 | Med | 0.36 | 5.5 | 0.01 | May 12, 2017 | An information disclosure vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user… | ||
| CVE-2017-0625 | Med | 0.36 | 5.5 | 0.00 | May 12, 2017 | An information disclosure vulnerability in the MediaTek command queue driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user… |
- risk 0.36cvss 5.5epss 0.00
In all Android releases from CAF using the Linux kernel, userspace-controlled parameters for flash initialization are not sanitized potentially leading to exposure of kernel memory.
- risk 0.36cvss 5.5epss 0.00
The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW_GB_SURFACE_CREATE) in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.11.4 defines a backup_handle variable but does not give it an initial value. If one attempts to create a GB surface,…
- risk 0.36cvss 5.5epss 0.00
The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key.
- risk 0.36cvss 5.5epss 0.00
A vulnerability in the file system of Cisco Elastic Services Controllers could allow an authenticated, local attacker to gain access to sensitive user credentials that are stored in an affected system. More Information: CSCvd73677. Known Affected Releases: 2.3(2).
- risk 0.36cvss 5.5epss 0.00
A vulnerability in the ConfD server in Cisco Ultra Services Platform could allow an authenticated, local attacker to view sensitive information. More Information: CSCvd29398. Known Affected Releases: 21.0.v0.65839.
- risk 0.36cvss 5.5epss 0.00
server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows local users to read the generated private key.
- risk 0.36cvss 5.5epss 0.00
pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated…
- risk 0.36cvss 5.5epss 0.00
IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) clients/agents store password information in the Windows Registry in a manner which can be compromised. IBM X-Force ID: 118790.
- risk 0.36cvss 5.5epss 0.00
IBM Security Privileged Identity Manager 2.0.2 and 2.1.0 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 116171.
- risk 0.36cvss 5.5epss 0.00
In TrustZone in all Android releases from CAF using the Linux kernel, an Information Exposure Through Timing Discrepancy vulnerability could potentially exist.
- risk 0.36cvss 5.5epss 0.00
In TrustZone in all Android releases from CAF using the Linux kernel, an Information Exposure vulnerability could potentially exist.
- risk 0.36cvss 5.5epss 0.05
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently read arbitrary files via the use of the .libfile operator in a crafted postscript document.
- risk 0.36cvss 6.5epss 0.03
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
- risk 0.36cvss 5.5epss 0.01
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read…
- risk 0.36cvss 5.5epss 0.01
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "Kernel" component. It allows attackers to bypass intended memory-read…
- risk 0.36cvss 5.5epss 0.01
In TrustZone an information exposure vulnerability can potentially occur in all Android releases from CAF using the Linux kernel.
- risk 0.36cvss 5.5epss 0.00
fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-flushing-before-commit list, which allows local users to obtain sensitive information from other users' files in opportunistic circumstances by waiting for a hardware reset,…
- risk 0.36cvss 5.5epss 0.02
The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for…
- risk 0.36cvss 5.5epss 0.01
An information disclosure vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user…
- risk 0.36cvss 5.5epss 0.00
An information disclosure vulnerability in the MediaTek command queue driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user…