CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
CVE-2023-48700 (GCVE-0-2023-48700)
Vulnerability from cvelistv5 – Published: 2023-11-21 22:30 – Updated: 2024-08-02 21:37| URL | Tags |
|---|---|
| https://github.com/nautobot/nautobot-plugin-devic… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| nautobot | nautobot-plugin-device-onboarding |
Affected:
>= 2.0.0, < 3.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:37:54.443Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nautobot-plugin-device-onboarding",
"vendor": "nautobot",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and rotating any exposed credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256: Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-21T22:30:58.030Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nautobot/nautobot-plugin-device-onboarding/security/advisories/GHSA-qf3c-rw9f-jh7v"
}
],
"source": {
"advisory": "GHSA-qf3c-rw9f-jh7v",
"discovery": "UNKNOWN"
},
"title": "Clear Text Credentials Exposed via Onboarding Task"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-48700",
"datePublished": "2023-11-21T22:30:58.030Z",
"dateReserved": "2023-11-17T19:43:37.553Z",
"dateUpdated": "2024-08-02T21:37:54.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-48305 (GCVE-0-2023-48305)
Vulnerability from cvelistv5 – Published: 2023-11-21 22:17 – Updated: 2024-11-27 16:07- CWE-312 - Cleartext Storage of Sensitive Information
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/server/issues/38461 | x_refsource_MISC |
| https://github.com/nextcloud/server/pull/40013 | x_refsource_MISC |
| https://hackerone.com/reports/2101165 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories |
Affected:
>= 25.0.0, < 25.0.11
Affected: >= 26.0.0, < 26.0.6 Affected: >= 27.0.0, < 27.1.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:23:39.527Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35p6-4992-w5fr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35p6-4992-w5fr"
},
{
"name": "https://github.com/nextcloud/server/issues/38461",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/server/issues/38461"
},
{
"name": "https://github.com/nextcloud/server/pull/40013",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/server/pull/40013"
},
{
"name": "https://hackerone.com/reports/2101165",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/2101165"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-48305",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T16:07:07.762399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T16:07:21.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 25.0.11"
},
{
"status": "affected",
"version": "\u003e= 26.0.0, \u003c 26.0.6"
},
{
"status": "affected",
"version": "\u003e= 27.0.0, \u003c 27.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and Nextcloud Enterprise Server, when the log level was set to debug, the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users\u0027 passwords would be leaked. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.11, 26.0.6, and 27.1.0 contain a patch for this issue. As a workaround, change config setting `loglevel` to `1` or higher (should always be higher than 1 in production environments)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-21T22:17:36.124Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35p6-4992-w5fr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35p6-4992-w5fr"
},
{
"name": "https://github.com/nextcloud/server/issues/38461",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/issues/38461"
},
{
"name": "https://github.com/nextcloud/server/pull/40013",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/40013"
},
{
"name": "https://hackerone.com/reports/2101165",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2101165"
}
],
"source": {
"advisory": "GHSA-35p6-4992-w5fr",
"discovery": "UNKNOWN"
},
"title": "Nextcloud Server user_ldap app logs user passwords in the log file on level debug"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-48305",
"datePublished": "2023-11-21T22:17:36.124Z",
"dateReserved": "2023-11-14T17:41:15.572Z",
"dateUpdated": "2024-11-27T16:07:21.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45151 (GCVE-0-2023-45151)
Vulnerability from cvelistv5 – Published: 2023-10-16 18:41 – Updated: 2024-09-16 14:57- CWE-312 - Cleartext Storage of Sensitive Information
| URL | Tags |
|---|---|
| https://github.com/nextcloud/security-advisories/… | x_refsource_CONFIRM |
| https://github.com/nextcloud/server/pull/38398 | x_refsource_MISC |
| https://hackerone.com/reports/1994324 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | security-advisories |
Affected:
>= 25.0.0, < 25.0.8
Affected: >= 26.0.0, < 26.0.3 Affected: >= 27.0.0, < 27.0.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9"
},
{
"name": "https://github.com/nextcloud/server/pull/38398",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/server/pull/38398"
},
{
"name": "https://hackerone.com/reports/1994324",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1994324"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-16T14:57:28.810714Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T14:57:44.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 25.0.8"
},
{
"status": "affected",
"version": "\u003e= 26.0.0, \u003c 26.0.3"
},
{
"status": "affected",
"version": "\u003e= 27.0.0, \u003c 27.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T18:41:28.713Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9"
},
{
"name": "https://github.com/nextcloud/server/pull/38398",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/38398"
},
{
"name": "https://hackerone.com/reports/1994324",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1994324"
}
],
"source": {
"advisory": "GHSA-hhgv-jcg9-p4m9",
"discovery": "UNKNOWN"
},
"title": "OAuth2 client_secret stored in plain text in the Nextcloud database"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45151",
"datePublished": "2023-10-16T18:41:28.713Z",
"dateReserved": "2023-10-04T16:02:46.331Z",
"dateUpdated": "2024-09-16T14:57:44.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-44159 (GCVE-0-2023-44159)
Vulnerability from cvelistv5 – Published: 2023-09-27 12:02 – Updated: 2024-09-23 18:06| URL | Tags |
|---|---|
| https://security-advisory.acronis.com/advisories/… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Acronis | Acronis Cyber Protect 15 |
Affected:
unspecified , < 35979
(semver)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:59:51.005Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "SEC-5787",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security-advisory.acronis.com/advisories/SEC-5787"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T17:30:58.152838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T18:06:19.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux",
"Windows"
],
"product": "Acronis Cyber Protect 15",
"vendor": "Acronis",
"versions": [
{
"lessThan": "35979",
"status": "affected",
"version": "unspecified",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sensitive information disclosure due to cleartext storage of sensitive information. The following products are affected: Acronis Cyber Protect 15 (Linux, Windows) before build 35979."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-27T12:02:06.679Z",
"orgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
"shortName": "Acronis"
},
"references": [
{
"name": "SEC-5787",
"tags": [
"vendor-advisory"
],
"url": "https://security-advisory.acronis.com/advisories/SEC-5787"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "73dc0fef-1c66-4a72-9d2d-0a0f4012c175",
"assignerShortName": "Acronis",
"cveId": "CVE-2023-44159",
"datePublished": "2023-09-27T12:02:06.679Z",
"dateReserved": "2023-09-26T13:09:58.803Z",
"dateUpdated": "2024-09-23T18:06:19.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41964 (GCVE-0-2023-41964)
Vulnerability from cvelistv5 – Published: 2023-10-10 12:33 – Updated: 2024-09-18 20:34- CWE-312 - Cleartext Storage of Sensitive Information
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K20850144 | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| F5 | BIG-IP |
Unaffected:
17.1.0 , < *
(semver)
Affected: 16.1.0 , < 16.1.4 (semver) Affected: 15.1.0 , < 15.1.9 (semver) Affected: 14.1.0 , < * (semver) Affected: 13.1.0 , < * (semver) |
|
| F5 | BIG-IQ |
Affected:
8.1.0 , < *
(semver)
Affected: 8.2.0 , < 8.2.0.1.0.13.97-ENG (semver) Affected: 8.3.0 , < 8.3.0.0.12.118-ENG (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.374Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://my.f5.com/manage/s/article/K20850144"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T20:29:47.330254Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T20:34:48.575Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "17.1.0",
"versionType": "semver"
},
{
"lessThan": "16.1.4",
"status": "affected",
"version": "16.1.0",
"versionType": "semver"
},
{
"lessThan": "15.1.9",
"status": "affected",
"version": "15.1.0",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "affected",
"version": "14.1.0",
"versionType": "semver"
},
{
"lessThan": "*",
"status": "affected",
"version": "13.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unknown",
"modules": [
"Centralized Management"
],
"product": "BIG-IQ",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"lessThan": "8.2.0.1.0.13.97-ENG",
"status": "affected",
"version": "8.2.0",
"versionType": "semver"
},
{
"lessThan": "8.3.0.0.12.118-ENG",
"status": "affected",
"version": "8.3.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "F5"
}
],
"datePublic": "2023-10-18T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables.\u0026nbsp;\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.\u003c/span\u003e"
}
],
"value": "\nThe BIG-IP and BIG-IQ systems do not encrypt some sensitive information written to Database (DB) variables.\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-10T12:33:51.097Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://my.f5.com/manage/s/article/K20850144"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BIG-IP and BIG-IQ Database Variable vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2023-41964",
"datePublished": "2023-10-10T12:33:51.097Z",
"dateReserved": "2023-10-05T19:17:34.525Z",
"dateUpdated": "2024-09-18T20:34:48.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41335 (GCVE-0-2023-41335)
Vulnerability from cvelistv5 – Published: 2023-09-26 20:51 – Updated: 2025-02-13 17:09- CWE-312 - Cleartext Storage of Sensitive Information
| Vendor | Product | Version | |
|---|---|---|---|
| matrix-org | synapse |
Affected:
>= 1.66.0, < 1.93.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:35.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5"
},
{
"name": "https://github.com/matrix-org/synapse/pull/16272",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/matrix-org/synapse/pull/16272"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65QPC55I4D27HIZP7H2NQ34EOXHPP4AO/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202401-12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "matrix-org",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.66.0, \u003c 1.93.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn\u0027t grant the server any added capabilities\u2014it already learns the users\u0027 passwords as part of the authentication process\u2014it does disrupt the expectation that passwords won\u0027t be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration. These temporarily stored passwords are automatically erased after a 48-hour window. This issue has been addressed in version 1.93.0. Users are advised to upgrade. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-07T11:08:09.063Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/matrix-org/synapse/security/advisories/GHSA-4f74-84v3-j9q5"
},
{
"name": "https://github.com/matrix-org/synapse/pull/16272",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/matrix-org/synapse/pull/16272"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/65QPC55I4D27HIZP7H2NQ34EOXHPP4AO/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AFB2Y3S2VCPCN5P2XCZTG24MBMZ7DM4/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6P4QULVUE254WI7XF2LWWOGHCYVFXFY/"
},
{
"url": "https://security.gentoo.org/glsa/202401-12"
}
],
"source": {
"advisory": "GHSA-4f74-84v3-j9q5",
"discovery": "UNKNOWN"
},
"title": "Temporary storage of plaintext passwords during password changes in matrix synapse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41335",
"datePublished": "2023-09-26T20:51:29.741Z",
"dateReserved": "2023-08-28T16:56:43.367Z",
"dateUpdated": "2025-02-13T17:09:01.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41096 (GCVE-0-2023-41096)
Vulnerability from cvelistv5 – Published: 2023-10-26 13:10 – Updated: 2024-09-25 16:23- CWE-312 - Cleartext Storage of Sensitive Information
| Vendor | Product | Version | |
|---|---|---|---|
| silabs.com | Ember ZNet SDK |
Unaffected:
7.3.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:11.828Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:46:44.290755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T14:01:22.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"SecureVault High"
],
"platforms": [
"32 bit",
"ARM"
],
"product": "Ember ZNet SDK",
"repo": "https://github.com/SiliconLabs/gecko_sdk",
"vendor": "silabs.com",
"versions": [
{
"status": "unaffected",
"version": "7.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Encryption of Security Keys vulnerability in Silicon Labs Ember ZNet SDK on 32 bit, ARM (SecureVault High modules)\n allows potential modification or extraction of network credentials stored in flash.\n\n\u003cbr\u003e\u003cp\u003eThis issue affects Silicon Labs Ember ZNet SDK: 7.3.1 and earlier.\u003c/p\u003e"
}
],
"value": "Missing Encryption of Security Keys vulnerability in Silicon Labs Ember ZNet SDK on 32 bit, ARM (SecureVault High modules)\n allows potential modification or extraction of network credentials stored in flash.\n\n\nThis issue affects Silicon Labs Ember ZNet SDK: 7.3.1 and earlier."
}
],
"impacts": [
{
"capecId": "CAPEC-458",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-458 Flash Memory Attacks"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T16:23:10.406Z",
"orgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"shortName": "Silabs"
},
"references": [
{
"url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Keys Stored in Plaintext on Secure Vault High for Silabs Ember ZNet devices",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"assignerShortName": "Silabs",
"cveId": "CVE-2023-41096",
"datePublished": "2023-10-26T13:10:34.406Z",
"dateReserved": "2023-08-23T04:17:16.169Z",
"dateUpdated": "2024-09-25T16:23:10.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41095 (GCVE-0-2023-41095)
Vulnerability from cvelistv5 – Published: 2023-10-26 13:10 – Updated: 2024-09-25 16:20- CWE-312 - Cleartext Storage of Sensitive Information
| Vendor | Product | Version | |
|---|---|---|---|
| silabs.com | OpenThread SDK |
Unaffected:
2.3.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:46:11.821Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T17:55:48.975914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T14:01:51.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"SecureVault High"
],
"platforms": [
"32 bit",
"ARM"
],
"product": "OpenThread SDK",
"repo": "https://github.com/SiliconLabs/gecko_sdk",
"vendor": "silabs.com",
"versions": [
{
"status": "unaffected",
"version": "2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Encryption of Security Keys vulnerability in Silicon Labs OpenThread SDK on 32 bit, ARM (SecureVault High modules) allows potential modification or extraction of network credentials stored in flash.\u003cbr\u003e\u003cp\u003eThis issue affects Silicon Labs OpenThread SDK: 2.3.1 and earlier.\u003c/p\u003e"
}
],
"value": "Missing Encryption of Security Keys vulnerability in Silicon Labs OpenThread SDK on 32 bit, ARM (SecureVault High modules) allows potential modification or extraction of network credentials stored in flash.\nThis issue affects Silicon Labs OpenThread SDK: 2.3.1 and earlier."
}
],
"impacts": [
{
"capecId": "CAPEC-458",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-458 Flash Memory Attacks"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T16:20:12.263Z",
"orgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"shortName": "Silabs"
},
"references": [
{
"url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000ZkKh7QAF?operationContext=S1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Keys Stored in Plaintext on Secure Vault High for Silabs OpenThread devices",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"assignerShortName": "Silabs",
"cveId": "CVE-2023-41095",
"datePublished": "2023-10-26T13:10:11.193Z",
"dateReserved": "2023-08-23T04:17:16.169Z",
"dateUpdated": "2024-09-25T16:20:12.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40715 (GCVE-0-2023-40715)
Vulnerability from cvelistv5 – Published: 2023-09-13 12:29 – Updated: 2024-09-24 19:56- CWE-312 - Information disclosure
| Vendor | Product | Version | |
|---|---|---|---|
| Fortinet | FortiTester |
Affected:
7.2.0 , ≤ 7.2.3
(semver)
Affected: 7.1.0 , ≤ 7.1.1 (semver) Affected: 7.0.0 Affected: 4.2.0 , ≤ 4.2.1 (semver) Affected: 4.1.0 , ≤ 4.1.1 (semver) Affected: 4.0.0 Affected: 3.9.0 , ≤ 3.9.2 (semver) Affected: 3.8.0 Affected: 3.7.0 , ≤ 3.7.1 (semver) Affected: 3.6.0 Affected: 3.5.0 , ≤ 3.5.1 (semver) Affected: 3.4.0 Affected: 3.3.0 , ≤ 3.3.1 (semver) Affected: 3.2.0 Affected: 3.1.0 Affected: 3.0.0 Affected: 2.9.0 Affected: 2.8.0 Affected: 2.7.0 Affected: 2.6.0 Affected: 2.5.0 Affected: 2.4.0 , ≤ 2.4.1 (semver) Affected: 2.3.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:38:51.090Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://fortiguard.com/psirt/FG-IR-22-465",
"tags": [
"x_transferred"
],
"url": "https://fortiguard.com/psirt/FG-IR-22-465"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T19:40:05.656073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T19:56:35.906Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FortiTester",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "7.2.3",
"status": "affected",
"version": "7.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.1.1",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "7.0.0"
},
{
"lessThanOrEqual": "4.2.1",
"status": "affected",
"version": "4.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.1.1",
"status": "affected",
"version": "4.1.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "4.0.0"
},
{
"lessThanOrEqual": "3.9.2",
"status": "affected",
"version": "3.9.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.8.0"
},
{
"lessThanOrEqual": "3.7.1",
"status": "affected",
"version": "3.7.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.6.0"
},
{
"lessThanOrEqual": "3.5.1",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.4.0"
},
{
"lessThanOrEqual": "3.3.1",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "3.2.0"
},
{
"status": "affected",
"version": "3.1.0"
},
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "2.9.0"
},
{
"status": "affected",
"version": "2.8.0"
},
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.6.0"
},
{
"status": "affected",
"version": "2.5.0"
},
{
"lessThanOrEqual": "2.4.1",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "2.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cleartext storage of sensitive information vulnerability [CWE-312] in\u00a0FortiTester\u00a02.3.0 through 7.2.3 may allow\u00a0an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "Information disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-13T12:29:50.478Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.com/psirt/FG-IR-22-465",
"url": "https://fortiguard.com/psirt/FG-IR-22-465"
}
],
"solutions": [
{
"lang": "en",
"value": "Please upgrade to FortiTester version 7.3.0 or above "
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2023-40715",
"datePublished": "2023-09-13T12:29:50.478Z",
"dateReserved": "2023-08-21T09:03:44.315Z",
"dateUpdated": "2024-09-24T19:56:35.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39440 (GCVE-0-2023-39440)
Vulnerability from cvelistv5 – Published: 2023-08-08 00:49 – Updated: 2024-10-08 16:25- CWE-312 - Cleartext Storage of Sensitive Information
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP BusinessObjects Business Intelligence |
Affected:
430
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:20.683Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3312586"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39440",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-08T16:24:00.777671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-08T16:25:51.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP BusinessObjects Business Intelligence",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "430"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn SAP BusinessObjects Business Intelligence - version 420, If a user logs in to a particular program, under certain specific conditions memory might not be cleared up properly, due to which attacker might be able to get access to user credentials. For a successful attack, the attacker needs to have local access to the system. There is no impact on availability and integrity.\u003c/p\u003e"
}
],
"value": "In SAP BusinessObjects Business Intelligence - version 420, If a user logs in to a particular program, under certain specific conditions memory might not be cleared up properly, due to which attacker might be able to get access to user credentials. For a successful attack, the attacker needs to have local access to the system. There is no impact on availability and integrity."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-28T22:09:35.960Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3312586"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-39440",
"datePublished": "2023-08-08T00:49:17.862Z",
"dateReserved": "2023-08-01T21:49:02.688Z",
"dateUpdated": "2024-10-08T16:25:51.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.