CWE-922
Insecure Storage of Sensitive Information
Description
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
Hierarchy (View 1000)
CVEs mapped to this weakness (144)
page 7 of 8

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13937 | — | — | 0.07 | — | 0.79 | — | Oct 19, 2020 | Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration… |
| CVE-2018-25031 | — | — | 0.03 | — | 0.42 | — | Mar 11, 2022 | Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3.… |
| CVE-2026-22251 | — | — | 0.00 | — | 0.00 | — | Jan 12, 2026 | wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers. |
| CVE-2024-57436 | — | — | 0.00 | — | 0.01 | — | Jan 29, 2025 | RuoYi v4.8.0 was discovered to allow unauthorized attackers to view the session ID of the admin in the system monitoring. This issue can allow attackers to impersonate Admin users via using a crafted cookie. |
| CVE-2024-43427 | — | — | 0.00 | — | 0.00 | — | Nov 11, 2024 | A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party. |
| CVE-2024-47197 | — | — | 0.00 | — | 0.01 | — | Sep 26, 2024 | Exposure of Sensitive Information to an Unauthorized Actor, Insecure Storage of Sensitive Information vulnerability in Maven Archetype Plugin. This issue affects Maven Archetype Plugin: from 3.2.1 before 3.3.0. Users are recommended to upgrade to version 3.3.0, which fixes the… |
| CVE-2024-29120 | — | — | 0.00 | — | 0.00 | — | Jul 17, 2024 | In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password,… |
| CVE-2024-39459 | — | — | 0.00 | — | 0.00 | — | Jun 26, 2024 | In rare cases Jenkins Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global… |
| CVE-2024-5206 | — | — | 0.00 | — | 0.00 | — | Jun 6, 2024 | A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data… |
| CVE-2023-45859 | — | — | 0.00 | — | 0.01 | — | Feb 28, 2024 | In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster. |
| CVE-2024-22371 | — | — | 0.00 | — | 0.01 | — | Feb 26, 2024 | Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel. This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through… |
| CVE-2023-50298 | — | — | 0.00 | — | 0.02 | — | Feb 9, 2024 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost"… |
| CVE-2024-22193 | — | — | 0.00 | — | 0.00 | — | Jan 30, 2024 | The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may… |
| CVE-2023-43631 | — | — | 0.00 | — | 0.00 | — | Sep 21, 2023 | On boot, the Pillar eve container checks for the existence and content of "/config/authorized_keys". If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root… |
| CVE-2023-43633 | — | — | 0.00 | — | 0.00 | — | Sep 21, 2023 | On boot, the Pillar eve container checks for the existence and content of "/config/GlobalConfig/global.json". If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system's configuration, which also… |
| CVE-2023-43634 | — | — | 0.00 | — | 0.00 | — | Sep 21, 2023 | When sealing/unsealing the "vault" key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that… |
| CVE-2023-2665 | — | — | 0.00 | — | 0.01 | — | May 12, 2023 | Storage of Sensitive Data in a Mechanism without Access Control in GitHub repository francoisjacquet/rosariosis prior to 11.0. |
| CVE-2022-2815 | — | — | 0.00 | — | 0.01 | — | Jan 14, 2023 | Insecure Storage of Sensitive Information in GitHub repository publify/publify prior to 9.2.10. |
| CVE-2022-41876 | — | — | 0.00 | — | 0.01 | — | Nov 10, 2022 | ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that… |
| CVE-2021-46440 | — | — | 0.00 | — | 0.02 | — | May 3, 2022 | Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext… |