Common Weakness Enumeration

CWE-212

Allowed

Improper Removal of Sensitive Information Before Storage or Transfer

Abstraction: Base · Status: Incomplete

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

155 vulnerabilities reference this CWE, most recent first.

GHSA-5F88-RR7V-C4QV

Vulnerability from github – Published: 2025-11-13 15:30 – Updated: 2025-11-13 15:30
VLAI
Details

Improper removal of sensitive information in certain Zoom Clients before version 6.5.10 may allow an unauthenticated user to conduct a disclosure of information via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-13T15:15:51Z",
    "severity": "MODERATE"
  },
  "details": "Improper removal of sensitive information in certain Zoom Clients before version 6.5.10 may allow an unauthenticated user to conduct a disclosure of information via network access.",
  "id": "GHSA-5f88-rr7v-c4qv",
  "modified": "2025-11-13T15:30:31Z",
  "published": "2025-11-13T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62483"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25047"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5M8F-V3GW-H94W

Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2023-10-27 16:52
VLAI
Summary
Jenkins Support Core Plugin stores sensitive data in plain text
Details

Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. Support Core Plugin 2.79.1 adds a list of keywords whose associated values are redacted.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:support-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.79.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-27T21:24:40Z",
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. Support Core Plugin 2.79.1 adds a list of keywords whose associated values are redacted.",
  "id": "GHSA-5m8f-v3gw-h94w",
  "modified": "2023-10-27T16:52:02Z",
  "published": "2022-02-16T00:01:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25187"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/support-core-plugin/commit/c6d20da4f372f03bd3e4844f0df2f109df68a63c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/support-core-plugin/commit/e90487a87bc0a3445c887203f5badec17af905c5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/support-core-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2186"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Support Core Plugin stores sensitive data in plain text"
}

GHSA-5QRF-45P7-8VRC

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03
VLAI
Details

An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the dumpxml command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-27T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An information disclosure vulnerability was found in libvirt in versions before 6.3.0. HTTP cookies used to access network-based disks were saved in the XML dump of the guest domain. This flaw allows an attacker to access potentially sensitive information in the domain configuration via the `dumpxml` command.",
  "id": "GHSA-5qrf-45p7-8vrc",
  "modified": "2022-05-24T19:03:34Z",
  "published": "2022-05-24T19:03:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14301"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1848640"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210629-0007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5X7M-6737-26CR

Vulnerability from github – Published: 2024-04-15 20:24 – Updated: 2025-01-09 18:56
VLAI
Summary
SixLabors.ImageSharp vulnerable to data leakage
Details

Impact

A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer.

Patches

The problem has been patched. All users are advised to upgrade to v3.1.4 or v2.1.8.

Workarounds

None

References

None

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "SixLabors.ImageSharp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "SixLabors.ImageSharp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-226"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-15T20:24:06Z",
    "nvd_published_at": "2024-04-15T20:15:11Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA data leakage flaw was found in ImageSharp\u0027s JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially crafted JPEG or TGA image file to a software using ImageSharp, potentially disclosing sensitive information from other parts of the software in the resulting image buffer.\n\n### Patches\nThe problem has been patched. All users are advised to upgrade to v3.1.4 or v2.1.8.\n\n### Workarounds\nNone\n\n### References\nNone\n",
  "id": "GHSA-5x7m-6737-26cr",
  "modified": "2025-01-09T18:56:34Z",
  "published": "2024-04-15T20:24:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SixLabors/ImageSharp/security/advisories/GHSA-5x7m-6737-26cr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SixLabors/ImageSharp/commit/8f0b4d3e680e78d479a88e7b1472bccd8f096d68"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SixLabors/ImageSharp/commit/da5f09a42513489fe359578d81cec2f15ba588ba"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SixLabors/ImageSharp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SixLabors.ImageSharp vulnerable to data leakage"
}

GHSA-6239-28C2-9MRM

Vulnerability from github – Published: 2021-08-30 17:22 – Updated: 2022-08-04 11:22
VLAI
Summary
Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault
Details

HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-38554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T17:14:06Z",
    "nvd_published_at": "2021-08-13T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "HashiCorp Vault and Vault Enterprise\u2019s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.",
  "id": "GHSA-6239-28c2-9mrm",
  "modified": "2022-08-04T11:22:29Z",
  "published": "2021-08-30T17:22:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38554"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2021-19-vault-s-ui-cached-user-viewed-secrets-between-shared-browser-sessions/28166"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/vault"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/vault/releases/tag/v1.6.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/vault/releases/tag/v1.7.4"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202207-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault"
}

GHSA-6GXW-85Q2-Q646

Vulnerability from github – Published: 2025-11-25 14:18 – Updated: 2025-11-27 08:42
VLAI
Summary
Grype has a credential disclosure vulnerability in its JSON output
Details

A credential disclosure vulnerability was found in Grype, affecting versions v0.68.0 through v0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file.

Impact

In Grype versions v0.68.0 through v0.104.0, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.

Registry credentials can be set via the Grype configuration file (e.g. registry.auth[].username, registry.auth[].password, registry.auth[].token) or environment variables (e.g., GRYPE_REGISTRY_AUTH_USERNAME, GRYPE_REGISTRY_AUTH_PASSWORD, GRYPE_REGISTRY_AUTH_TOKEN).

In order for the authentication details to be improperly included, the Grype file output format must be set to json with output target set to a file. For example --output json=file.json or --output json --file file.json. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.

The authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the Descriptor.Registry.Auth fields would also include the unsanitized registry credentials. There are no known templates that include these fields.

Patches

The patch has been released in v0.104.1.

Workaround

Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.

For example, replacing the command:

# using `--output json=path` (or `--file`) leaks credentials
grype --output json=test.json alpine:latest

with

# no use of `--output json=path` or `--file`. Output is sanitized...
grype --output json alpine:latest > test.json

...results in the same test.json output, but the credentials will be properly sanitized.

Resources

Patch pull request: https://github.com/anchore/grype/pull/3068

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/anchore/grype"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.68.0"
            },
            {
              "fixed": "0.104.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-25T14:18:46Z",
    "nvd_published_at": "2025-11-25T20:16:00Z",
    "severity": "HIGH"
  },
  "details": "A credential disclosure vulnerability was found in Grype, affecting versions `v0.68.0` through `v0.104.0`. If registry credentials are defined and the output of grype is written using the `--file` or `--output json=\u003cfile\u003e` option, the registry credentials will be included unsanitized in the output file.\n\n## Impact\n\nIn Grype versions `v0.68.0` through `v0.104.0`, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.\n\nRegistry credentials can be set via the Grype configuration file (e.g. `registry.auth[].username`, `registry.auth[].password`, `registry.auth[].token`) or environment variables (e.g., `GRYPE_REGISTRY_AUTH_USERNAME`, `GRYPE_REGISTRY_AUTH_PASSWORD`, `GRYPE_REGISTRY_AUTH_TOKEN`).\n\nIn order for the authentication details to be improperly included, the Grype file output format must be set to `json` with output target set to a file. For example `--output json=file.json` or `--output json --file file.json`. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.\n\nThe authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the `Descriptor.Registry.Auth` fields would also include the unsanitized registry credentials. There are no known templates that include these fields.\n\n## Patches\nThe patch has been released in `v0.104.1`.\n\n## Workaround\nUsers running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the `--file` or `--output` options.\n\nFor example, replacing the command:\n\n```\n# using `--output json=path` (or `--file`) leaks credentials\ngrype --output json=test.json alpine:latest\n```\n\nwith\n\n```\n# no use of `--output json=path` or `--file`. Output is sanitized...\ngrype --output json alpine:latest \u003e test.json\n```\n\n...results in the same `test.json` output, but the credentials will be properly sanitized.\n\n## Resources\nPatch pull request: https://github.com/anchore/grype/pull/3068",
  "id": "GHSA-6gxw-85q2-q646",
  "modified": "2025-11-27T08:42:37Z",
  "published": "2025-11-25T14:18:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anchore/grype/security/advisories/GHSA-6gxw-85q2-q646"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65965"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/grype/pull/3068"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/grype/commit/39f7fa17af2739cafe9b27176d4a68f7c05f21c1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/anchore/grype/commit/c99f79de49a58dc16d7fd8f35160b169b87db9de"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anchore/grype"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Grype has a credential disclosure vulnerability in its JSON output"
}

GHSA-6H5X-7C5M-7CR7

Vulnerability from github – Published: 2022-05-13 00:01 – Updated: 2022-05-25 19:28
VLAI
Summary
Exposure of Sensitive Information in eventsource
Details

When fetching an url with a link to an external site (Redirect), the users Cookies & Autorisation headers are leaked to the third party application. According to the same-origin-policy, the header should be "sanitized."

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "eventsource"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "eventsource"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1650"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T19:27:47Z",
    "nvd_published_at": "2022-05-12T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "When fetching an url with a link to an external site (Redirect), the users Cookies \u0026 Autorisation headers are leaked to the third party application. According to the same-origin-policy, the header should be \"sanitized.\"",
  "id": "GHSA-6h5x-7c5m-7cr7",
  "modified": "2022-05-25T19:28:43Z",
  "published": "2022-05-13T00:01:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1650"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EventSource/eventsource/pull/273#issuecomment-1127624508"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EventSource/eventsource/commit/f9f6416567bff62c1af2f4314be51d9870e94bc2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eventsource/eventsource"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Sensitive Information in eventsource"
}

GHSA-6R3R-QJM5-8FVP

Vulnerability from github – Published: 2024-02-18 06:30 – Updated: 2024-08-22 15:31
VLAI
Details

Information management vulnerability in the Gallery module.Successful exploitation of this vulnerability may affect service confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-18T06:15:08Z",
    "severity": "HIGH"
  },
  "details": "Information management vulnerability in the Gallery module.Successful exploitation of this vulnerability may affect service confidentiality.",
  "id": "GHSA-6r3r-qjm5-8fvp",
  "modified": "2024-08-22T15:31:15Z",
  "published": "2024-02-18T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52376"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2024/2"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202402-0000001834855405"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-754H-5R27-7X3R

Vulnerability from github – Published: 2020-09-02 17:29 – Updated: 2023-01-24 18:07
VLAI
Summary
RCE in Symfony
Details

Description

The CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Resolution

HTTP headers designed for internal use in HttpCache are now stripped from remote responses before being passed to HttpCache.

The patch for this issue is available here for the 4.4 branch.

Credits

I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/http-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.4.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/http-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.4.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-09-02T17:29:29Z",
    "nvd_published_at": "2020-09-02T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Description\n-----------\n\nThe `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible.\n\nResolution\n----------\n\nHTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch.\n\nCredits\n-------\n\nI would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.",
  "id": "GHSA-754h-5r27-7x3r",
  "modified": "2023-01-24T18:07:50Z",
  "published": "2020-09-02T17:29:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15094"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2020-15094.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-15094.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/symfony/http-kernel"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2020-15094"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RCE in Symfony"
}

GHSA-7638-R9R3-RMJJ

Vulnerability from github – Published: 2021-07-19 15:19 – Updated: 2023-08-29 18:32
VLAI
Summary
Buildah processes using chroot isolation may leak environment values to intermediate processes
Details

Impact

When running processes using "chroot" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602). This isolation type is often used when running buildah in unprivileged containers, and it is often used to do so in CI/CD environments. If sensitive information is exposed to the original buildah process through its environment, that information will unintentionally be shared with child processes which it starts as part of handling RUN instructions or during buildah run. The commands that buildah is instructed to run can read that information if they choose to.

Patches

Users should upgrade packages, or images which contain packages, to include version 1.21.3 or later.

Workarounds

As a workaround, invoking buildah in a container under env -i to have it started with a reinitialized environment should prevent the leakage.

For more information

If you have any questions or comments about this advisory: * Open an issue in buildah * Email us at the buildah general mailing list, or the podman security mailing list if it's sensitive.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.16.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/buildah"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.17.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/buildah"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.17.0"
            },
            {
              "fixed": "1.17.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.19.8"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/buildah"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.18.0"
            },
            {
              "fixed": "1.19.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.21.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/containers/buildah"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.20.0"
            },
            {
              "fixed": "1.21.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-15T20:26:57Z",
    "nvd_published_at": "2022-03-03T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen running processes using \"chroot\" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602).  This isolation type is often used when running `buildah` in unprivileged containers, and it is often used to do so in CI/CD environments.  If sensitive information is exposed to the original `buildah` process through its environment, that information will unintentionally be shared with child processes which it starts as part of handling RUN instructions or during `buildah run`.  The commands that `buildah` is instructed to run can read that information if they choose to.\n\n### Patches\nUsers should upgrade packages, or images which contain packages, to include version 1.21.3 or later.\n\n### Workarounds\nAs a workaround, invoking `buildah` in a container under `env -i` to have it started with a reinitialized environment should prevent the leakage.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [buildah](https://github.com/containers/buildah/issues)\n* Email us at [the buildah general mailing list](mailto:buildah@lists.buildah.io), or [the podman security mailing list](mailto:security@lists.podman.io) if it\u0027s sensitive.",
  "id": "GHSA-7638-r9r3-rmjj",
  "modified": "2023-08-29T18:32:51Z",
  "published": "2021-07-19T15:19:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3602"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1969264"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/containers/buildah"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0345"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/CVE-2021-3602"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Buildah processes using chroot isolation may leak environment values to intermediate processes"
}

Mitigation
Requirements

Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.

Mitigation MIT-46
Architecture and Design

Strategy: Separation of Privilege

  • Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-57
Implementation Operation

Strategy: Attack Surface Reduction

  • Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
  • When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
Mitigation MIT-33
Implementation

Strategy: Attack Surface Reduction

Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

Mitigation
Implementation

Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.

CAPEC-168: Windows ::DATA Alternate Data Stream

An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.