CWE-319
Cleartext Transmission of Sensitive Information
Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-117 · CAPEC-383 · CAPEC-477 · CAPEC-65
CVEs mapped to this weakness (302)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2023-30513 | 0.00 | — | 0.00 | Apr 12, 2023 | Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. |
| CVE-2023-24440 | 0.00 | — | 0.00 | Jan 24, 2023 | Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. |
| CVE-2022-23509 | 0.00 | — | 0.00 | Jan 9, 2023 | Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. GitOps run has a local S3 bucket which it uses for synchronizing files that are later applied against a Kubernetes cluster. The… |
| CVE-2022-45935 | 0.00 | — | 0.00 | Jan 6, 2023 | Usage of temporary files with insecure permissions by the Apache James server allows an attacker with local access to access private user data in transit. Vulnerable components include the SMTP stack and IMAP APPEND command. This issue affects Apache James server version… |
| CVE-2023-0055 | 0.00 | — | 0.00 | Jan 4, 2023 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. |
| CVE-2022-4683 | 0.00 | — | 0.00 | Dec 23, 2022 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0. |
| CVE-2022-4409 | 0.00 | — | 0.00 | Dec 11, 2022 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9. |
| CVE-2022-46685 | 0.00 | — | 0.00 | Dec 7, 2022 | In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log. |
| CVE-2022-43691 | 0.00 | — | 0.00 | Nov 14, 2022 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. |
| CVE-2022-39287 | 0.00 | — | 0.00 | Oct 7, 2022 | tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch will be included in version… |
| CVE-2022-34804 | 0.00 | — | 0.00 | Jun 30, 2022 | Jenkins OpsGenie Plugin 1.9 and earlier transmits API keys in plain text as part of the global Jenkins configuration form and job configuration forms, potentially resulting in their exposure. |
| CVE-2022-34801 | 0.00 | — | 0.00 | Jun 30, 2022 | Jenkins Build Notifications Plugin 1.5.0 and earlier transmits tokens in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. |
| CVE-2022-21829 | 0.00 | — | 0.02 | Jun 24, 2022 | Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a… |
| CVE-2022-31046 | 0.00 | — | 0.01 | Jun 14, 2022 | TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, the export functionality fails to limit the result set to allowed columns of a particular database table. This way, authenticated users can… |
| CVE-2022-21951 | 0.00 | — | 0.00 | May 25, 2022 | A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher, Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI… |
| CVE-2022-25180 | 0.00 | — | 0.01 | Feb 15, 2022 | Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline. |
| CVE-2022-23105 | 0.00 | — | 0.00 | Jan 12, 2022 | Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations. |
| CVE-2021-37939 | 0.00 | — | 0.00 | Nov 18, 2021 | It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could… |
| CVE-2021-33900 | 0.00 | — | 0.01 | Jul 26, 2021 | While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not… |
| CVE-2021-31671 | 0.00 | — | 0.01 | Apr 27, 2021 | pgsync before 0.6.7 is affected by Information Disclosure of sensitive information. Syncing the schema with the --schema-first and --schema-only options is mishandled. For example, the sslmode connection parameter may be lost, which means that SSL would not be used. |