CWE-212
AllowedImproper Removal of Sensitive Information Before Storage or Transfer
Abstraction: Base · Status: Incomplete
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
156 vulnerabilities reference this CWE, most recent first.
GHSA-F556-49JC-4RVC
Vulnerability from github – Published: 2025-10-31 17:31 – Updated: 2025-10-31 17:31A flaw was found in Ansible Base when using the aws_ssm connection plugin as its garbage collector is not happening after the playbook run is completed. Files would remain in the bucket exposing the data. This issue directly affects data confidentiality.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-25635"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-31T17:31:57Z",
"nvd_published_at": "2020-10-05T14:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as its garbage collector is not happening after the playbook run is completed. Files would remain in the bucket exposing the data. This issue directly affects data confidentiality.",
"id": "GHSA-f556-49jc-4rvc",
"modified": "2025-10-31T17:31:57Z",
"published": "2025-10-31T17:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25635"
},
{
"type": "WEB",
"url": "https://github.com/ansible-collections/community.aws/issues/222"
},
{
"type": "WEB",
"url": "https://github.com/ansible-collections/community.aws/pull/237#issuecomment-1468591094"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-220.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ansible does not collect garbage after playbook run"
}
GHSA-F6FM-R26Q-P747
Vulnerability from github – Published: 2022-05-20 00:00 – Updated: 2022-06-07 21:17An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a low-privileged “author” role account can view these details in the JSON response for an “editor” or “super admin” that has updated one of the author’s blog posts. There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship. Access to this information enables a user to compromise other users’ accounts by successfully invoking the password reset workflow. In a worst-case scenario, a low-privileged user could get access to a “super admin” account with full control over the Strapi instance, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "strapi"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.6.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.0.0-beta.14"
},
"package": {
"ecosystem": "npm",
"name": "@strapi/strapi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0-beta.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-30617"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-07T21:17:00Z",
"nvd_published_at": "2022-05-19T18:15:00Z",
"severity": "HIGH"
},
"details": "An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a low-privileged \u201cauthor\u201d role account can view these details in the JSON response for an \u201ceditor\u201d or \u201csuper admin\u201d that has updated one of the author\u2019s blog posts. There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship. Access to this information enables a user to compromise other users\u2019 accounts by successfully invoking the password reset workflow. In a worst-case scenario, a low-privileged user could get access to a \u201csuper admin\u201d account with full control over the Strapi instance, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.",
"id": "GHSA-f6fm-r26q-p747",
"modified": "2022-06-07T21:17:00Z",
"published": "2022-05-20T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30617"
},
{
"type": "PACKAGE",
"url": "https://github.com/strapi/strapi"
},
{
"type": "WEB",
"url": "https://www.synopsys.com/blogs/software-security/cyrc-advisory-strapi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Removal of Sensitive Information Before Storage or Transfer in Strapi"
}
GHSA-FX46-5QRR-3WP5
Vulnerability from github – Published: 2025-08-18 15:30 – Updated: 2025-08-18 15:30IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.
{
"affected": [],
"aliases": [
"CVE-2025-1759"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-244"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-18T14:15:28Z",
"severity": "MODERATE"
},
"details": "IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory.",
"id": "GHSA-fx46-5qrr-3wp5",
"modified": "2025-08-18T15:30:32Z",
"published": "2025-08-18T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1759"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7242354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G2FV-W76J-V7P7
Vulnerability from github – Published: 2023-12-19 00:30 – Updated: 2023-12-19 00:30Sensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller's default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages.
This issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier.
{
"affected": [],
"aliases": [
"CVE-2023-41967"
],
"database_specific": {
"cwe_ids": [
"CWE-1272",
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-18T22:15:08Z",
"severity": "LOW"
},
"details": "\nSensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller\u0027s default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. \n\nThis issue affects: Gallagher Controller 6000 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), v8.60 or earlier.\n\n\n",
"id": "GHSA-g2fv-w76j-v7p7",
"modified": "2023-12-19T00:30:18Z",
"published": "2023-12-19T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41967"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/Security-Advisories/CVE-2023-41967"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GC2P-G4FG-29VH
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2025-04-24 17:41In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "k8s.io/kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-11243"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-271"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-24T17:41:45Z",
"nvd_published_at": "2019-04-22T15:29:00Z",
"severity": "HIGH"
},
"details": "In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()",
"id": "GHSA-gc2p-g4fg-29vh",
"modified": "2025-04-24T17:41:45Z",
"published": "2022-05-24T16:44:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11243"
},
{
"type": "WEB",
"url": "https://github.com/kubernetes/kubernetes/issues/76797"
},
{
"type": "PACKAGE",
"url": "https://github.com/kubernetes/kubernetes"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190509-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Kubernetes did not effectively clear service account credentials"
}
GHSA-GCGF-W628-JQ5C
Vulnerability from github – Published: 2026-03-11 18:30 – Updated: 2026-03-11 18:30GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose confidential issue titles due to improper filtering under certain circumstances.
{
"affected": [],
"aliases": [
"CVE-2026-1732"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T16:16:22Z",
"severity": "MODERATE"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose confidential issue titles due to improper filtering under certain circumstances.",
"id": "GHSA-gcgf-w628-jq5c",
"modified": "2026-03-11T18:30:32Z",
"published": "2026-03-11T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1732"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3532881"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/588380"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GMH5-5F53-3929
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-07-13 00:00An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.
{
"affected": [],
"aliases": [
"CVE-2020-36476"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-23T02:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.",
"id": "GHSA-gmh5-5f53-3929",
"modified": "2022-07-13T00:00:51Z",
"published": "2022-05-24T19:11:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36476"
},
{
"type": "WEB",
"url": "https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8"
},
{
"type": "WEB",
"url": "https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0"
},
{
"type": "WEB",
"url": "https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GMVW-8MPV-XH3V
Vulnerability from github – Published: 2024-06-17 15:30 – Updated: 2024-10-30 21:30Improper removal of sensitive information in data source export feature in Devolutions Remote Desktop Manager 2024.1.32.0 and earlier on Windows allows an attacker that obtains the exported settings to recover powershell credentials configured on the data source via stealing the configuration file.
{
"affected": [],
"aliases": [
"CVE-2024-6055"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-17T13:15:53Z",
"severity": "MODERATE"
},
"details": "Improper removal of sensitive information in data source export feature in Devolutions Remote Desktop Manager 2024.1.32.0 and earlier on Windows allows an attacker that obtains the exported settings to recover powershell credentials configured on the data source via stealing the configuration file.",
"id": "GHSA-gmvw-8mpv-xh3v",
"modified": "2024-10-30T21:30:37Z",
"published": "2024-06-17T15:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6055"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2024-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GR35-VPX2-QXHC
Vulnerability from github – Published: 2025-11-05 18:45 – Updated: 2026-06-06 00:35Summary
Weblate leaks the IP address of the project member inviting the user to the project in the audit log.
Details
The audit log included IP addresses from admin-triggered actions, and those could be viewed by invited users.
Impact
The inviting user's (admin's) IP address could be leaked to invited users.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "weblate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.14.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64326"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-05T18:45:59Z",
"nvd_published_at": "2025-11-06T21:15:43Z",
"severity": "LOW"
},
"details": "### Summary\nWeblate leaks the IP address of the project member inviting the user to the project in the audit log.\n\n### Details\nThe audit log included IP addresses from admin-triggered actions, and those could be viewed by invited users.\n\n### Impact\n\nThe inviting user\u0027s (admin\u0027s) IP address could be leaked to invited users.",
"id": "GHSA-gr35-vpx2-qxhc",
"modified": "2026-06-06T00:35:23Z",
"published": "2025-11-05T18:45:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64326"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/pull/16781"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/commit/b847e9756a0a6f7659ef20fa9f34846ca862c574"
},
{
"type": "PACKAGE",
"url": "https://github.com/WeblateOrg/weblate"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-230.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weblate leaks the IP of project member inviting user to be reviewer in Audit log"
}
GHSA-GVH3-F4G3-C9FF
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2025-07-25 15:30IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 3.2.0 through 3.2.13 Container could disclose sensitive information to a local user due to improper clearing of heap memory before release.
{
"affected": [],
"aliases": [
"CVE-2025-33013"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-244"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-24T15:15:25Z",
"severity": "MODERATE"
},
"details": "IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 3.2.0 through 3.2.13 Container could disclose sensitive information to a local user due to improper clearing of heap memory before release.",
"id": "GHSA-gvh3-f4g3-c9ff",
"modified": "2025-07-25T15:30:45Z",
"published": "2025-07-25T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33013"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7240431"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-57
Strategy: Attack Surface Reduction
- Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
- When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
Mitigation MIT-33
Strategy: Attack Surface Reduction
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation
Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.
CAPEC-168: Windows ::DATA Alternate Data Stream
An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.