CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
Description
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-168
CVEs mapped to this weakness (55)
page 3 of 3

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-30618 | | | 0.00 | — | 0.01 | | May 19, 2022 | An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are… |
| CVE-2022-30617 | | | 0.00 | — | 0.01 | | May 19, 2022 | An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For… |
| CVE-2022-1650 | | — | 0.00 | — | 0.02 | | May 12, 2022 | Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2. |
| CVE-2022-24798 | | | 0.00 | — | 0.01 | | Mar 31, 2022 | Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of… |
| CVE-2021-3602 | | | 0.00 | — | 0.00 | | Mar 3, 2022 | An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD… |
| CVE-2022-24719 | | | 0.00 | — | 0.01 | | Mar 1, 2022 | Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using `followRedirects` or `followRedirectsWith` with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as… |
| CVE-2022-25187 | | | 0.00 | — | 0.01 | | Feb 15, 2022 | Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. |
| CVE-2022-23633 | | | 0.00 | — | 0.02 | | Feb 11, 2022 | Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next… |
| CVE-2022-0536 | | — | 0.00 | — | 0.01 | | Feb 9, 2022 | Improper Removal of Sensitive Information Before Storage or Transfer in NPM follow-redirects prior to 1.14.8. |
| CVE-2021-38554 | | — | 0.00 | — | 0.01 | | Aug 13, 2021 | HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. |
| CVE-2020-25635 | | — | 0.00 | — | 0.00 | | Oct 5, 2020 | A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. |
| CVE-2020-14370 | | — | 0.00 | — | 0.01 | | Sep 23, 2020 | An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container… |
| CVE-2020-15094 | | | 0.00 | — | 0.03 | | Sep 2, 2020 | In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The… |
| CVE-2020-1940 | | | 0.00 | — | 0.05 | | Jan 28, 2020 | The optional initial password change and password expiration features present in Apache Jackrabbit Oak 1.2.0 to 1.22.0 are prone to a sensitive information disclosure vulnerability. The code mandates the changed password to be passed as an additional attribute to the credentials… |
| CVE-2019-11243 | | | 0.00 | — | 0.01 | | Apr 22, 2019 | In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not… |