CWE-209
Generation of Error Message Containing Sensitive Information
Description
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-215 · CAPEC-463 · CAPEC-54 · CAPEC-7
CVEs mapped to this weakness (189)
Page 9 of 10

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-23794 | | | 0.00 | — | 0.01 | | Mar 30, 2022 | An issue was discovered in Joomla! 3.0.0 through 3.10.6 & 4.0.0 through 4.1.0. Uploading a file name of an excess length causes the error. This error brings up the screen with the path of the source code of the web application. |
| CVE-2022-24731 | | | 0.00 | — | 0.01 | | Mar 23, 2022 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 1.5.0 but before versions 2.1.11, 2.2.6, and 2.3.0 is vulnerable to a path traversal vulnerability, allowing a malicious user with read/write access to leak sensitive files… |
| CVE-2021-3620 | | | 0.00 | — | 0.00 | | Mar 3, 2022 | A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality. |
| CVE-2022-0660 | | | 0.00 | — | 0.07 | | Feb 18, 2022 | Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2022-0622 | | | 0.00 | — | 0.01 | | Feb 17, 2022 | Generation of Error Message Containing Sensitive Information in Packagist snipe/snipe-it prior to 5.3.11. |
| CVE-2022-0504 | | | 0.00 | — | 0.01 | | Feb 8, 2022 | Generation of Error Message Containing Sensitive Information in Packagist microweber/microweber prior to 1.2.11. |
| CVE-2022-0083 | | | 0.00 | — | 0.01 | | Jan 4, 2022 | livehelperchat is vulnerable to Generation of Error Message Containing Sensitive Information. |
| CVE-2022-0079 | | | 0.00 | — | 0.01 | | Jan 3, 2022 | showdoc is vulnerable to Generation of Error Message Containing Sensitive Information. |
| CVE-2021-32712 | | | 0.00 | — | 0.01 | | Jun 24, 2021 | Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommended to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download… |
| CVE-2021-22885 | | | 0.00 | — | 0.04 | | May 27, 2021 | A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. |
| CVE-2021-29040 | | | 0.00 | — | 0.01 | | May 16, 2021 | The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch… |
| CVE-2021-21421 | | | 0.00 | — | 0.01 | | Apr 1, 2021 | node-etsy-client is a NodeJs Etsy ReST API Client. Applications that are using node-etsy-client and reporting client errors to the end user will expose the API key value too. This is fixed in node-etsy-client v0.3.0 and later. |
| CVE-2021-21416 | | | 0.00 | — | 0.00 | | Apr 1, 2021 | django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not… |
| CVE-2021-20289 | | | 0.00 | — | 0.01 | | Mar 26, 2021 | A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's… |
| CVE-2020-1717 | | | 0.00 | — | 0.01 | | Feb 11, 2021 | A flaw was found in Keycloak 7.0.1. A logged-in user can perform an account email enumeration attack. |
| CVE-2020-25640 | | | 0.00 | — | 0.01 | | Nov 24, 2020 | A flaw was discovered in WildFly before 21.0.0.Final where the resource adapter logs the plain text JMS password at warning level on connection error, inserting sensitive information into the log file. |
| CVE-2020-25633 | | | 0.00 | — | 0.01 | | Sep 18, 2020 | A flaw was found in the RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server gets a WebApplicationException from the RESTEasy client call. The highest threat from this… |
| CVE-2020-15132 | | | 0.00 | — | 0.01 | | Aug 5, 2020 | In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with an error message… |
| CVE-2020-15125 | | | 0.00 | — | 0.02 | | Jul 29, 2020 | In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for the Authorization header is not sanitized, and in certain cases the Authorization header value can be logged… |
| CVE-2020-13997 | | | 0.00 | — | 0.01 | | Jul 28, 2020 | In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled. |