VYPR

CWE-209

Generation of Error Message Containing Sensitive Information

BaseDraftLikelihood: High

Description

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-215 · CAPEC-463 · CAPEC-54 · CAPEC-7

CVEs mapped to this weakness (189)

page 7 of 10
  • CVE-2024-47803Oct 2, 2024
    risk 0.00cvss epss 0.01

    Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.

  • CVE-2024-45384Sep 17, 2024
    risk 0.00cvss epss 0.01

    Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid…

  • CVE-2024-41674Aug 21, 2024
    risk 0.00cvss epss 0.00

    CKAN is an open-source data management system for powering data hubs and data portals. If there were connection issues with the Solr server, the internal Solr URL (potentially including credentials) could be leaked to package_search calls as part of the returned error message.…

  • CVE-2024-43376Aug 20, 2024
    risk 0.00cvss epss 0.00

    Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2.

  • CVE-2024-39458Jun 26, 2024
    risk 0.00cvss epss 0.00

    When Jenkins Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters, potentially resulting in accidental exposure of secrets through the…

  • CVE-2024-37162Jun 7, 2024
    risk 0.00cvss epss 0.00

    zsa is a library for building typesafe server actions in Next.js. All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment,…

  • CVE-2024-36106Jun 6, 2024
    risk 0.00cvss epss 0.00

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the…

  • CVE-2024-27315Feb 28, 2024
    risk 0.00cvss epss 0.01

    An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that triggers an error on the database. This error is not properly handled by Apache Superset and may inadvertently surface in the error…

  • CVE-2024-23689Jan 19, 2024
    risk 0.00cvss epss 0.01

    Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs.…

  • CVE-2024-21733Jan 19, 2024
    risk 0.00cvss epss 0.14

    Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64…

  • CVE-2023-6944Jan 4, 2024
    risk 0.00cvss epss 0.01

    A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encoded GitLab token includes a newline at the end of the string. The sanitized error can display on the frontend, including the raw…

  • CVE-2023-31048Dec 12, 2023
    risk 0.00cvss epss 0.01

    The OPC UA .NET Standard Reference Server before 1.4.371.86. places sensitive information into an error message that may be seen remotely.

  • CVE-2023-49080Dec 4, 2023
    risk 0.00cvss epss 0.01

    The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can…

  • CVE-2023-47636Nov 15, 2023
    risk 0.00cvss epss 0.01

    The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection)…

  • CVE-2023-46240Oct 31, 2023
    risk 0.00cvss epss 0.01

    CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch.…

  • CVE-2023-4457Oct 16, 2023
    risk 0.00cvss epss 0.00

    Grafana is an open-source platform for monitoring and observability. The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, making it potentially…

  • CVE-2023-39264Sep 6, 2023
    risk 0.00cvss epss 0.01

    By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. This vulnerability exists in Apache Superset versions up to and including 2.1.0.

  • CVE-2023-40338Aug 16, 2023
    risk 0.00cvss epss 0.01

    Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier displays an error message that includes an absolute path of a log file when attempting to access the Scan Organization Folder Log if no logs are available, exposing information about the Jenkins controller file system.

  • CVE-2023-37260Jul 6, 2023
    risk 0.00cvss epss 0.01

    league/oauth2-server is an implementation of an OAuth 2.0 authorization server written in PHP. Starting in version 8.3.2 and prior to version 8.5.3, servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in…

  • CVE-2023-34110Jun 22, 2023
    risk 0.00cvss epss 0.01

    Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back…