CWE-212
AllowedImproper Removal of Sensitive Information Before Storage or Transfer
Abstraction: Base · Status: Incomplete
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
155 vulnerabilities reference this CWE, most recent first.
GHSA-7F63-RXJ5-2547
Vulnerability from github – Published: 2023-01-03 00:30 – Updated: 2025-04-10 18:31In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
{
"affected": [],
"aliases": [
"CVE-2022-3460"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-03T00:15:00Z",
"severity": "HIGH"
},
"details": "In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.",
"id": "GHSA-7f63-rxj5-2547",
"modified": "2025-04-10T18:31:42Z",
"published": "2023-01-03T00:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3460"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/post/2022/sa2022-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7Q9J-33VM-8375
Vulnerability from github – Published: 2025-05-23 06:30 – Updated: 2025-05-24 03:30gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript through 10.05.0 lacks argument sanitization for the # case.
{
"affected": [],
"aliases": [
"CVE-2025-48708"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-23T04:15:32Z",
"severity": "LOW"
},
"details": "gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript through 10.05.0 lacks argument sanitization for the # case.",
"id": "GHSA-7q9j-33vm-8375",
"modified": "2025-05-24T03:30:19Z",
"published": "2025-05-23T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48708"
},
{
"type": "WEB",
"url": "https://bugs.ghostscript.com/show_bug.cgi?id=708446"
},
{
"type": "WEB",
"url": "https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=b587663c623b4462f9e78686a31fd880207303ee"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/05/23/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8372-7VHW-CM6Q
Vulnerability from github – Published: 2026-04-17 21:47 – Updated: 2026-05-05 11:56Summary
config.get redaction bypass through sourceConfig and runtimeConfig aliases.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
< 2026.4.14 - Patched versions:
>= 2026.4.14
Impact
An authenticated gateway client with config read access could receive unredacted secrets through alias fields that survived redaction, including provider API keys, gateway auth material, and channel credentials.
Technical Details
The fix explicitly overwrites sourceConfig and runtimeConfig with the same redacted copies used for resolved and config, including the invalid-snapshot branch. Tests now cover both alias fields.
Fix
The issue was fixed in #66030. The first stable tag containing the fix is v2026.4.14, and openclaw@2026.4.14 includes the fix.
Fix Commit(s)
86734ef93a2f25063371b04f1946eb300548acd4- PR: #66030
Release Process Note
Users should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix.
Credits
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43528"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-17T21:47:15Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nconfig.get redaction bypass through sourceConfig and runtimeConfig aliases.\n\n## Affected Packages / Versions\n\n- Package: `openclaw`\n- Ecosystem: npm\n- Affected versions: `\u003c 2026.4.14`\n- Patched versions: `\u003e= 2026.4.14`\n\n## Impact\n\nAn authenticated gateway client with config read access could receive unredacted secrets through alias fields that survived redaction, including provider API keys, gateway auth material, and channel credentials.\n\n## Technical Details\n\nThe fix explicitly overwrites `sourceConfig` and `runtimeConfig` with the same redacted copies used for `resolved` and `config`, including the invalid-snapshot branch. Tests now cover both alias fields.\n\n## Fix\n\nThe issue was fixed in #66030. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.\n\n## Fix Commit(s)\n\n- `86734ef93a2f25063371b04f1946eb300548acd4`\n- PR: #66030\n\n## Release Process Note\n\nUsers should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.\n\n## Credits\n\nThanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.",
"id": "GHSA-8372-7vhw-cm6q",
"modified": "2026-05-05T11:56:39Z",
"published": "2026-04-17T21:47:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8372-7vhw-cm6q"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/pull/66030"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/86734ef93a2f25063371b04f1946eb300548acd4"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases"
}
GHSA-86VF-RP56-MHF8
Vulnerability from github – Published: 2026-04-08 00:30 – Updated: 2026-04-08 00:30Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.This issue affects non release branches.
{
"affected": [],
"aliases": [
"CVE-2026-39937"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T22:16:24Z",
"severity": "HIGH"
},
"details": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.This issue affects non release branches.",
"id": "GHSA-86vf-rp56-mhf8",
"modified": "2026-04-08T00:30:26Z",
"published": "2026-04-08T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39937"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T418122"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8WJ3-CPMR-8WHP
Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-18 19:19Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the develop branch and is expected to be part of version 2.2.2.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.2.1"
},
"package": {
"ecosystem": "Packagist",
"name": "cockpit-hq/cockpit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2818"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-287",
"CWE-305"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-18T19:19:58Z",
"nvd_published_at": "2022-08-15T11:21:00Z",
"severity": "HIGH"
},
"details": "Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the `develop` branch and is expected to be part of version 2.2.2.",
"id": "GHSA-8wj3-cpmr-8whp",
"modified": "2022-08-18T19:19:58Z",
"published": "2022-08-16T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2818"
},
{
"type": "WEB",
"url": "https://github.com/cockpit-hq/cockpit/commit/4bee1b903ee20818f4a8ecb9d974b9536cc54cb4"
},
{
"type": "PACKAGE",
"url": "https://github.com/cockpit-hq/cockpit"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/ee27e5df-516b-4cf4-9f28-346d907b5491"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Cockpit Content Platform vulnerable to 2FA bypass"
}
GHSA-963W-7FRP-MF37
Vulnerability from github – Published: 2022-08-27 00:00 – Updated: 2022-09-02 00:01A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV).
{
"affected": [],
"aliases": [
"CVE-2022-0171"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-459"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-26T18:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV).",
"id": "GHSA-963w-7frp-mf37",
"modified": "2022-09-02T00:01:10Z",
"published": "2022-08-27T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0171"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0171"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2038940"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=683412ccf61294d727ead4a73d97397396e69a6b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5257"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-99J7-MHFH-W84P
Vulnerability from github – Published: 2022-07-20 01:30 – Updated: 2022-08-10 23:31Impact
Potential/accidental leaking of Slack OAuth client information in application debug logs.
Patches
More strict and secure debug formatting was introduced in v0.41 for OAuth secret types to avoid the possibility of printing sensitive information in application logs.
Workarounds
Don't print/output in logs request and responses for OAuth and client configurations.
For more information
If you have any questions or comments about this advisory: * Open an issue in the repo * Email us at me@abdolence.dev
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "slack-morphism"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.41.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31162"
],
"database_specific": {
"cwe_ids": [
"CWE-1258",
"CWE-200",
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-20T01:30:21Z",
"nvd_published_at": "2022-07-22T04:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nPotential/accidental leaking of Slack OAuth client information in application debug logs.\n\n### Patches\nMore strict and secure debug formatting was introduced in v0.41 for OAuth secret types to avoid the possibility of printing sensitive information in application logs.\n\n### Workarounds\nDon\u0027t print/output in logs request and responses for OAuth and client configurations.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in the [repo](https://github.com/abdolence/slack-morphism-rust)\n* Email us at [me@abdolence.dev](mailto:me@abdolence.dev)\n",
"id": "GHSA-99j7-mhfh-w84p",
"modified": "2022-08-10T23:31:07Z",
"published": "2022-07-20T01:30:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/security/advisories/GHSA-99j7-mhfh-w84p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31162"
},
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/pull/133"
},
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/commit/4923fb7d458ed28c0302244c54cb4df0acee7ee6"
},
{
"type": "PACKAGE",
"url": "https://github.com/abdolence/slack-morphism-rust"
},
{
"type": "WEB",
"url": "https://github.com/abdolence/slack-morphism-rust/releases/tag/v0.41.0"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0086.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Slack Morphism for Rust before 0.41.0 can leak Slack OAuth client information in application debug logs"
}
GHSA-9M7C-M33F-3429
Vulnerability from github – Published: 2025-08-28 15:10 – Updated: 2025-08-28 18:52Impact
The PDF export uses a background job that runs on the server-side. Jobs like this have a status that is serialized in the permanent directory when the job is finished. The job status includes the job request. The PDF export job request is initialized, before the job starts, with some context information that is needed to replicate the HTTP request (used to trigger the export) in the background thread used to run the export job. This context information includes the cookies from the HTTP request that triggered the export. As a result, the user cookies (including the encrypted username and password) are stored in the permanent directory after the PDF export is finished. As the encryption key is stored in the same data directory (by default it is generated in data/configuration.properties), this means that this job status contains the equivalent of the plain text password of the user who requested the PDF export.
XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory.
Patches
This vulnerability has been patched in XWiki 16.4.8, 16.10.7 and 17.4.0RC1.
Workarounds
We're not aware of any workarounds except for upgrading.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-export-pdf-api"
},
"ranges": [
{
"events": [
{
"introduced": "14.4.2"
},
{
"fixed": "16.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-export-pdf-api"
},
"ranges": [
{
"events": [
{
"introduced": "16.5.0-rc-1"
},
{
"fixed": "16.10.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-export-pdf-api"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0-rc-1"
},
{
"fixed": "17.4.0-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58049"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-257"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-28T15:10:13Z",
"nvd_published_at": "2025-08-28T18:15:33Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe PDF export uses a background job that runs on the server-side. Jobs like this have a status that is serialized in the permanent directory when the job is finished. The job status includes the job request. The PDF export job request is initialized, before the job starts, with some context information that is needed to replicate the HTTP request (used to trigger the export) in the background thread used to run the export job. This context information includes the cookies from the HTTP request that triggered the export. As a result, the user cookies (including the encrypted username and password) are stored in the permanent directory after the PDF export is finished. As the encryption key is stored in the same data directory (by default it is generated in ``data/configuration.properties``), this means that this job status contains the equivalent of the plain text password of the user who requested the PDF export.\n\nXWiki shouldn\u0027t store passwords in plain text, and it shouldn\u0027t be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory.\n\n### Patches\n\nThis vulnerability has been patched in XWiki 16.4.8, 16.10.7 and 17.4.0RC1.\n\n### Workarounds\n\nWe\u0027re not aware of any workarounds except for upgrading.",
"id": "GHSA-9m7c-m33f-3429",
"modified": "2025-08-28T18:52:19Z",
"published": "2025-08-28T15:10:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58049"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-23151"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XWiki PDF export jobs store sensitive cookies unencrypted in job statuses"
}
GHSA-9XQP-XM5R-JJ9C
Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2024-10-29 15:32Profile files from TRO600 series radios are extracted in plain-text and encrypted file formats. Profile files provide potential attackers valuable configuration information about the Tropos network. Profiles can only be exported by authenticated users with write access.
{
"affected": [],
"aliases": [
"CVE-2024-41156"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-29T13:15:04Z",
"severity": "LOW"
},
"details": "Profile files from TRO600 series radios are extracted in plain-text\nand encrypted file formats. Profile files provide potential attackers\nvaluable configuration information about the Tropos network. Profiles\ncan only be exported by authenticated users with write access.",
"id": "GHSA-9xqp-xm5r-jj9c",
"modified": "2024-10-29T15:32:04Z",
"published": "2024-10-29T15:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41156"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000147\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9XRJ-2966-HG7Q
Vulnerability from github – Published: 2024-10-21 18:31 – Updated: 2026-05-12 12:32In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: lantiq_etop: fix memory disclosure
When applying padding, the buffer is not zeroed, which results in memory disclosure. The mentioned data is observed on the wire. This patch uses skb_put_padto() to pad Ethernet frames properly. The mentioned function zeroes the expanded buffer.
In case the packet cannot be padded it is silently dropped. Statistics are also not incremented. This driver does not support statistics in the old 32-bit format or the new 64-bit format. These will be added in the future. In its current form, the patch should be easily backported to stable versions.
Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets in hardware, so software padding must be applied.
{
"affected": [],
"aliases": [
"CVE-2024-49997"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:19Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: lantiq_etop: fix memory disclosure\n\nWhen applying padding, the buffer is not zeroed, which results in memory\ndisclosure. The mentioned data is observed on the wire. This patch uses\nskb_put_padto() to pad Ethernet frames properly. The mentioned function\nzeroes the expanded buffer.\n\nIn case the packet cannot be padded it is silently dropped. Statistics\nare also not incremented. This driver does not support statistics in the\nold 32-bit format or the new 64-bit format. These will be added in the\nfuture. In its current form, the patch should be easily backported to\nstable versions.\n\nEthernet MACs on Amazon-SE and Danube cannot do padding of the packets\nin hardware, so software padding must be applied.",
"id": "GHSA-9xrj-2966-hg7q",
"modified": "2026-05-12T12:32:12Z",
"published": "2024-10-21T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49997"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1097bf16501ed5e35358d848b0a94ad2830b0f65"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/185df159843d30fb71f821e7ea4368c2a3bfcd36"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2bf4c101d7c99483b8b15a0c8f881e3f399f7e18"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/431b122933b197820d319eb3987a67d04346ce9e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/45c0de18ff2dc9af01236380404bbd6a46502c69"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/469856f76f4802c5d7e3d20e343185188de1e2db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60c068444c20bf9a3e22b65b5f6f3d9edc852931"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/905f06a34f960676e7dc77bea00f2f8fe18177ad"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e66e38d07b31e177ca430758ed97fbc79f27d966"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.
Mitigation MIT-46
Strategy: Separation of Privilege
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation MIT-57
Strategy: Attack Surface Reduction
- Some tools can automatically analyze documents to redact, strip, or "sanitize" private information, although some human review might be necessary. Tools may vary in terms of which document formats can be processed.
- When calling an external program to automatically generate or convert documents, invoke the program with any available options that avoid generating sensitive metadata. Some formats have well-defined fields that could contain private data, such as Exchangeable image file format (Exif), which can contain potentially sensitive metadata such as geolocation, date, and time [REF-1515] [REF-1516].
Mitigation MIT-33
Strategy: Attack Surface Reduction
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation
Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.
CAPEC-168: Windows ::DATA Alternate Data Stream
An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.