VYPR

CWE-319

Cleartext Transmission of Sensitive Information

Abstraction: Base · Status: Draft · Likelihood: High

Description

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-117 · CAPEC-383 · CAPEC-477 · CAPEC-65

CVEs mapped to this weakness (302)

page 13 of 16
  • CVE-2023-30513 · Apr 12, 2023
    risk 0.00 · cvss · epss 0.00

    Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

  • CVE-2023-24440 · Jan 24, 2023
    risk 0.00 · cvss · epss 0.00

    Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure.

  • CVE-2022-23509 · Jan 9, 2023
    risk 0.00 · cvss · epss 0.00

    Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. The…

  • CVE-2022-45935 · Jan 6, 2023
    risk 0.00 · cvss · epss 0.00

    Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components include the SMTP stack and IMAP APPEND command. This issue affects Apache James server version…

  • CVE-2023-0055 · Jan 4, 2023
    risk 0.00 · cvss · epss 0.00

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32.

  • CVE-2022-4683 · Dec 23, 2022
    risk 0.00 · cvss · epss 0.00

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0.

  • CVE-2022-4409 · Dec 11, 2022
    risk 0.00 · cvss · epss 0.00

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9.

  • CVE-2022-46685 · Dec 7, 2022
    risk 0.00 · cvss · epss 0.00

    In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log.

  • CVE-2022-43691 · Nov 14, 2022
    risk 0.00 · cvss · epss 0.00

    Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently discloses server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.

  • CVE-2022-39287 · Oct 7, 2022
    risk 0.00 · cvss · epss 0.00

    tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch will be included in version…

  • CVE-2022-34804 · Jun 30, 2022
    risk 0.00 · cvss · epss 0.00

    Jenkins OpsGenie Plugin 1.9 and earlier transmits API keys in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure.

  • CVE-2022-34801 · Jun 30, 2022
    risk 0.00 · cvss · epss 0.00

    Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2022-21829 · Jun 24, 2022
    risk 0.00 · cvss · epss 0.02

    Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a…

  • CVE-2022-31046 · Jun 14, 2022
    risk 0.00 · cvss · epss 0.01

    TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the export functionality fails to limit the result set to allowed columns of a particular database table. This way, authenticated users can…

  • CVE-2022-21951 · May 25, 2022
    risk 0.00 · cvss · epss 0.00

    A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher, Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI…

  • CVE-2022-25180 · Feb 15, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline.

  • CVE-2022-23105 · Jan 12, 2022
    risk 0.00 · cvss · epss 0.00

    Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations.

  • CVE-2021-37939 · Nov 18, 2021
    risk 0.00 · cvss · epss 0.00

    It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could…

  • CVE-2021-33900 · Jul 26, 2021
    risk 0.00 · cvss · epss 0.01

    While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not…

  • CVE-2021-31671 · Apr 27, 2021
    risk 0.00 · cvss · epss 0.01

    pgsync before 0.6.7 is affected by Information Disclosure of sensitive information. Syncing the schema with the --schema-first and --schema-only options is mishandled. For example, the sslmode connection parameter may be lost, which means that SSL would not be used.