VYPR

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

Abstraction: Base. Status: Incomplete.

Description

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-168

CVEs mapped to this weakness (55)

page 2 of 3
  • CVE-2025-24884 | Med | Jan 29, 2025
    risk 0.26 | cvss - | epss 0.00

    kube-audit-rest is a simple logger of mutation/creation requests to the k8s api. If the "full-elastic-stack" example vector configuration was used for a real cluster, the previous values of kubernetes secrets would have been disclosed in the audit messages. This vulnerability is…

  • CVE-2025-8860 | Low | Feb 18, 2026
    risk 0.21 | cvss 3.3 | epss 0.00

    A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data…

  • CVE-2025-0011 | Low | Sep 6, 2025
    risk 0.21 | cvss 3.3 | epss 0.00

    Improper removal of sensitive information before storage or transfer in AMD Crash Defender could allow an attacker to obtain kernel address information potentially resulting in loss of confidentiality.

  • CVE-2024-32028 | Med | Apr 12, 2024
    risk 0.20 | cvss 4.1 | epss 0.00

    OpenTelemetry dotnet is a dotnet telemetry framework. In affected versions of `OpenTelemetry.Instrumentation.Http` and `OpenTelemetry.Instrumentation.AspNetCore`, the `url.full` attribute/tag is written on spans (`Activity`) when tracing is enabled for outgoing http requests and…

  • CVE-2026-45737 | May 19, 2026
    risk 0.00 | cvss - | epss 0.00

    Summary: The original fix for [GHSA-3v3m-wc6v-x4x3](https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3) is incomplete. argocd app diff --server-side-diff can still expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-confi…

  • CVE-2025-68131 | Dec 31, 2025
    risk 0.00 | cvss - | epss 0.00

    cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag…

  • CVE-2025-64326 | Nov 6, 2025
    risk 0.00 | cvss - | epss 0.00

    Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users.…

  • CVE-2025-58049 | Aug 28, 2025
    risk 0.00 | cvss - | epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job…

  • CVE-2025-57757 | Aug 28, 2025
    risk 0.00 | cvss - | epss 0.00

    Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. This issue has been patched in versions 5.3.38 and…

  • CVE-2025-27221 | Mar 3, 2025
    risk 0.00 | cvss - | epss 0.00

    In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

  • CVE-2024-29120 | Jul 17, 2024
    risk 0.00 | cvss - | epss 0.00

    In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. A user can use this credential to request other users' information, including the administrator's username, password,…

  • CVE-2024-32036 | Apr 15, 2024
    risk 0.00 | cvss - | epss 0.01

    ImageSharp is a 2D graphics API. A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information…

  • CVE-2022-4734 | Dec 25, 2022
    risk 0.00 | cvss - | epss 0.01

    Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository usememos/memos prior to 0.9.1.

  • CVE-2022-39393 | Nov 10, 2022
    risk 0.00 | cvss - | epss 0.01

    Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be…

  • CVE-2022-2818 | Aug 15, 2022
    risk 0.00 | cvss - | epss 0.01

    Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2.

  • CVE-2022-31162 | Jul 21, 2022
    risk 0.00 | cvss - | epss 0.01

    Slack Morphism is an async client library for Rust. Prior to 0.41.0, it was possible for Slack OAuth client information to leak in application debug logs. Stricter and more secure debug formatting was introduced in v0.41.0 for OAuth secret types to reduce the possibility of…

  • CVE-2022-31112 | Jun 30, 2022
    risk 0.00 | cvss - | epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions, Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from…

  • CVE-2022-31090 | Jun 27, 2022
    risk 0.00 | cvss - | epss 0.02

    Guzzle is an extensible PHP HTTP client. `Authorization` headers on requests are sensitive information. In affected versions, when using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds…

  • CVE-2022-31042 | Jun 9, 2022
    risk 0.00 | cvss - | epss 0.02

    Guzzle is an open source PHP HTTP client. In affected versions the `Cookie` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, or on making a request to a server…

  • CVE-2022-31043 | Jun 9, 2022
    risk 0.00 | cvss - | epss 0.02

    Guzzle is an open source PHP HTTP client. In affected versions `Authorization` headers on requests are sensitive information. On making a request using the `https` scheme to a server which responds with a redirect to a URI with the `http` scheme, we should not forward the…