CWE-212
AllowedImproper Removal of Sensitive Information Before Storage or Transfer
Abstraction: Base · Status: Incomplete
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
155 vulnerabilities reference this CWE, most recent first.
GHSA-5F88-RR7V-C4QV
Vulnerability from github – Published: 2025-11-13 15:30 – Updated: 2025-11-13 15:30Improper removal of sensitive information in certain Zoom Clients before version 6.5.10 may allow an unauthenticated user to conduct a disclosure of information via network access.
{
"affected": [],
"aliases": [
"CVE-2025-62483"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-13T15:15:51Z",
"severity": "MODERATE"
},
"details": "Improper removal of sensitive information in certain Zoom Clients before version 6.5.10 may allow an unauthenticated user to conduct a disclosure of information via network access.",
"id": "GHSA-5f88-rr7v-c4qv",
"modified": "2025-11-13T15:30:31Z",
"published": "2025-11-13T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62483"
},
{
"type": "WEB",
"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25047"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5M8F-V3GW-H94W
Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2023-10-27 16:52Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. Support Core Plugin 2.79.1 adds a list of keywords whose associated values are redacted.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:support-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.79.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25187"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-312",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-27T21:24:40Z",
"nvd_published_at": "2022-02-15T17:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. Support Core Plugin 2.79.1 adds a list of keywords whose associated values are redacted.",
"id": "GHSA-5m8f-v3gw-h94w",
"modified": "2023-10-27T16:52:02Z",
"published": "2022-02-16T00:01:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25187"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/support-core-plugin/commit/c6d20da4f372f03bd3e4844f0df2f109df68a63c"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/support-core-plugin/commit/e90487a87bc0a3445c887203f5badec17af905c5"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/support-core-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2186"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Support Core Plugin stores sensitive data in plain text"
}
GHSA-5QRF-45P7-8VRC
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the dumpxml command.
{
"affected": [],
"aliases": [
"CVE-2020-14301"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-27T20:15:00Z",
"severity": "HIGH"
},
"details": "An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command.",
"id": "GHSA-5qrf-45p7-8vrc",
"modified": "2022-05-24T19:03:34Z",
"published": "2022-05-24T19:03:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14301"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848640"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210629-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5X7M-6737-26CR
Vulnerability from github – Published: 2024-04-15 20:24 – Updated: 2025-01-09 18:56Impact
A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer.
Patches
The problem has been patched. All users are advised to upgrade to v3.1.4 or v2.1.8.
Workarounds
None
References
None
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "SixLabors.ImageSharp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "SixLabors.ImageSharp"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-32036"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-226"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-15T20:24:06Z",
"nvd_published_at": "2024-04-15T20:15:11Z",
"severity": "MODERATE"
},
"details": "### Impact\nA data leakage flaw was found in ImageSharp\u0027s JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer.\n\n### Patches\nThe problem has been patched. All users are advised to upgrade to v3.1.4 or v2.1.8.\n\n### Workarounds\nNone\n\n### References\nNone\n",
"id": "GHSA-5x7m-6737-26cr",
"modified": "2025-01-09T18:56:34Z",
"published": "2024-04-15T20:24:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32036"
},
{
"type": "WEB",
"url": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68"
},
{
"type": "WEB",
"url": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba"
},
{
"type": "PACKAGE",
"url": "https://github.com/SixLabors/ImageSharp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "SixLabors.ImageSharp vulnerable to data leakage"
}
GHSA-6239-28C2-9MRM
Vulnerability from github – Published: 2021-08-30 17:22 – Updated: 2022-08-04 11:22HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/vault"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/vault"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-38554"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-30T17:14:06Z",
"nvd_published_at": "2021-08-13T16:15:00Z",
"severity": "MODERATE"
},
"details": "HashiCorp Vault and Vault Enterprise\u2019s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.",
"id": "GHSA-6239-28c2-9mrm",
"modified": "2022-08-04T11:22:29Z",
"published": "2021-08-30T17:22:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38554"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/vault"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/vault/releases/tag/v1.6.6"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/vault/releases/tag/v1.7.4"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202207-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault"
}
GHSA-6GXW-85Q2-Q646
Vulnerability from github – Published: 2025-11-25 14:18 – Updated: 2025-11-27 08:42A credential disclosure vulnerability was found in Grype, affecting versions v0.68.0 through v0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file.
Impact
In Grype versions v0.68.0 through v0.104.0, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.
Registry credentials can be set via the Grype configuration file (e.g. registry.auth[].username, registry.auth[].password, registry.auth[].token) or environment variables (e.g., GRYPE_REGISTRY_AUTH_USERNAME, GRYPE_REGISTRY_AUTH_PASSWORD, GRYPE_REGISTRY_AUTH_TOKEN).
In order for the authentication details to be improperly included, the Grype file output format must be set to json with output target set to a file. For example --output json=file.json or --output json --file file.json. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.
The authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the Descriptor.Registry.Auth fields would also include the unsanitized registry credentials. There are no known templates that include these fields.
Patches
The patch has been released in v0.104.1.
Workaround
Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.
For example, replacing the command:
# using `--output json=path` (or `--file`) leaks credentials
grype --output json=test.json alpine:latest
with
# no use of `--output json=path` or `--file`. Output is sanitized...
grype --output json alpine:latest > test.json
...results in the same test.json output, but the credentials will be properly sanitized.
Resources
Patch pull request: https://github.com/anchore/grype/pull/3068
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/anchore/grype"
},
"ranges": [
{
"events": [
{
"introduced": "0.68.0"
},
{
"fixed": "0.104.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-65965"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-25T14:18:46Z",
"nvd_published_at": "2025-11-25T20:16:00Z",
"severity": "HIGH"
},
"details": "A credential disclosure vulnerability was found in Grype, affecting versions `v0.68.0` through `v0.104.0`. If registry credentials are defined and the output of grype is written using the `--file` or `--output json=\u003cfile\u003e` option, the registry credentials will be included unsanitized in the output file.\n\n## Impact\n\nIn Grype versions `v0.68.0` through `v0.104.0`, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.\n\nRegistry credentials can be set via the Grype configuration file (e.g. `registry.auth[].username`, `registry.auth[].password`, `registry.auth[].token`) or environment variables (e.g., `GRYPE_REGISTRY_AUTH_USERNAME`, `GRYPE_REGISTRY_AUTH_PASSWORD`, `GRYPE_REGISTRY_AUTH_TOKEN`).\n\nIn order for the authentication details to be improperly included, the Grype file output format must be set to `json` with output target set to a file. For example `--output json=file.json` or `--output json --file file.json`. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.\n\nThe authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the `Descriptor.Registry.Auth` fields would also include the unsanitized registry credentials. There are no known templates that include these fields.\n\n## Patches\nThe patch has been released in `v0.104.1`.\n\n## Workaround\nUsers running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the `--file` or `--output` options.\n\nFor example, replacing the command:\n\n```\n# using `--output json=path` (or `--file`) leaks credentials\ngrype --output json=test.json alpine:latest\n```\n\nwith\n\n```\n# no use of `--output json=path` or `--file`. Output is sanitized...\ngrype --output json alpine:latest \u003e test.json\n```\n\n...results in the same `test.json` output, but the credentials will be properly sanitized.\n\n## Resources\nPatch pull request: https://github.com/anchore/grype/pull/3068",
"id": "GHSA-6gxw-85q2-q646",
"modified": "2025-11-27T08:42:37Z",
"published": "2025-11-25T14:18:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65965"
},
{
"type": "WEB",
"url": "https://github.com/anchore/grype/pull/3068"
},
{
"type": "WEB",
"url": "https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1"
},
{
"type": "WEB",
"url": "https://github.com/anchore/grype/commit/c99f79de49a58dc16d7fd8f35160b169b87db9de"
},
{
"type": "PACKAGE",
"url": "https://github.com/anchore/grype"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Grype has a credential disclosure vulnerability in its JSON output"
}
GHSA-6H5X-7C5M-7CR7
Vulnerability from github – Published: 2022-05-13 00:01 – Updated: 2022-05-25 19:28When fetching an url with a link to an external site (Redirect), the users Cookies & Autorisation headers are leaked to the third party application. According to the same-origin-policy, the header should be "sanitized."
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "eventsource"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "eventsource"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1650"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T19:27:47Z",
"nvd_published_at": "2022-05-12T11:15:00Z",
"severity": "CRITICAL"
},
"details": "When fetching an url with a link to an external site (Redirect), the users Cookies \u0026 Autorisation headers are leaked to the third party application. According to the same-origin-policy, the header should be \"sanitized.\"",
"id": "GHSA-6h5x-7c5m-7cr7",
"modified": "2022-05-25T19:28:43Z",
"published": "2022-05-13T00:01:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1650"
},
{
"type": "WEB",
"url": "https://github.com/EventSource/eventsource/pull/273#issuecomment-1127624508"
},
{
"type": "WEB",
"url": "https://github.com/EventSource/eventsource/commit/f9f6416567bff62c1af2f4314be51d9870e94bc2"
},
{
"type": "WEB",
"url": "https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4"
},
{
"type": "PACKAGE",
"url": "https://github.com/eventsource/eventsource"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Exposure of Sensitive Information in eventsource"
}
GHSA-6R3R-QJM5-8FVP
Vulnerability from github – Published: 2024-02-18 06:30 – Updated: 2024-08-22 15:31Information management vulnerability in the Gallery module.Successful exploitation of this vulnerability may affect service confidentiality.
{
"affected": [],
"aliases": [
"CVE-2023-52376"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-18T06:15:08Z",
"severity": "HIGH"
},
"details": "Information management vulnerability in the Gallery module.Successful exploitation of this vulnerability may affect service confidentiality.",
"id": "GHSA-6r3r-qjm5-8fvp",
"modified": "2024-08-22T15:31:15Z",
"published": "2024-02-18T06:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52376"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/2"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-754H-5R27-7X3R
Vulnerability from github – Published: 2020-09-02 17:29 – Updated: 2023-01-24 18:07Description
The CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.
Resolution
HTTP headers designed for internal use in HttpCache are now stripped from remote responses before being passed to HttpCache.
The patch for this issue is available here for the 4.4 branch.
Credits
I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.4.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.4.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15094"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2020-09-02T17:29:29Z",
"nvd_published_at": "2020-09-02T18:15:00Z",
"severity": "HIGH"
},
"details": "Description\n-----------\n\nThe `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible.\n\nResolution\n----------\n\nHTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch.\n\nCredits\n-------\n\nI would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.",
"id": "GHSA-754h-5r27-7x3r",
"modified": "2023-01-24T18:07:50Z",
"published": "2020-09-02T17:29:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15094"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2020-15094.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-15094.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/symfony/http-kernel"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2020-15094"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "RCE in Symfony"
}
GHSA-7638-R9R3-RMJJ
Vulnerability from github – Published: 2021-07-19 15:19 – Updated: 2023-08-29 18:32Impact
When running processes using "chroot" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602). This isolation type is often used when running buildah in unprivileged containers, and it is often used to do so in CI/CD environments. If sensitive information is exposed to the original buildah process through its environment, that information will unintentionally be shared with child processes which it starts as part of handling RUN instructions or during buildah run. The commands that buildah is instructed to run can read that information if they choose to.
Patches
Users should upgrade packages, or images which contain packages, to include version 1.21.3 or later.
Workarounds
As a workaround, invoking buildah in a container under env -i to have it started with a reinitialized environment should prevent the leakage.
For more information
If you have any questions or comments about this advisory: * Open an issue in buildah * Email us at the buildah general mailing list, or the podman security mailing list if it's sensitive.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.16.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/containers/buildah"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.16.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.17.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/containers/buildah"
},
"ranges": [
{
"events": [
{
"introduced": "1.17.0"
},
{
"fixed": "1.17.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.19.8"
},
"package": {
"ecosystem": "Go",
"name": "github.com/containers/buildah"
},
"ranges": [
{
"events": [
{
"introduced": "1.18.0"
},
{
"fixed": "1.19.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.21.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/containers/buildah"
},
"ranges": [
{
"events": [
{
"introduced": "1.20.0"
},
{
"fixed": "1.21.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3602"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-15T20:26:57Z",
"nvd_published_at": "2022-03-03T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nWhen running processes using \"chroot\" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602). This isolation type is often used when running `buildah` in unprivileged containers, and it is often used to do so in CI/CD environments. If sensitive information is exposed to the original `buildah` process through its environment, that information will unintentionally be shared with child processes which it starts as part of handling RUN instructions or during `buildah run`. The commands that `buildah` is instructed to run can read that information if they choose to.\n\n### Patches\nUsers should upgrade packages, or images which contain packages, to include version 1.21.3 or later.\n\n### Workarounds\nAs a workaround, invoking `buildah` in a container under `env -i` to have it started with a reinitialized environment should prevent the leakage.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [buildah](https://github.com/containers/buildah/issues)\n* Email us at [the buildah general mailing list](mailto:buildah@lists.buildah.io), or [the podman security mailing list](mailto:security@lists.podman.io) if it\u0027s sensitive.",
"id": "GHSA-7638-r9r3-rmjj",
"modified": "2023-08-29T18:32:51Z",
"published": "2021-07-19T15:19:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3602"
},
{
"type": "WEB",
"url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264"
},
{
"type": "PACKAGE",
"url": "https://github.com/containers/buildah"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-0345"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/CVE-2021-3602"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Buildah processes using chroot isolation may leak environment values to intermediate processes"
}
Mitigation
Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-57
Strategy: Attack Surface Reduction
- Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
- When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
Mitigation MIT-33
Strategy: Attack Surface Reduction
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation
Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.
CAPEC-168: Windows ::DATA Alternate Data Stream
An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.