CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
CVE-2015-3952 (GCVE-0-2015-3952)
Vulnerability from cvelistv5 – Published: 2019-03-25 15:42 – Updated: 2024-08-06 06:04- CWE-312 - Cleartext storage of sensitive information CWE-312
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Hospira | Plum A+ Infusion System |
Affected:
<= 13.4
|
|
| Hospira | Plum A+3 Infusion System |
Affected:
<= 13.6
|
|
| Hospira | Symbiq Infusion System |
Affected:
<= 3.13
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:04:01.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Plum A+ Infusion System",
"vendor": "Hospira",
"versions": [
{
"status": "affected",
"version": "\u003c= 13.4"
}
]
},
{
"product": "Plum A+3 Infusion System",
"vendor": "Hospira",
"versions": [
{
"status": "affected",
"version": "\u003c= 13.6"
}
]
},
{
"product": "Symbiq Infusion System",
"vendor": "Hospira",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.13"
}
]
}
],
"datePublic": "2015-06-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Wireless keys are stored in plain text on Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "Cleartext storage of sensitive information CWE-312",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-25T15:42:39.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2015-3952",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Plum A+ Infusion System",
"version": {
"version_data": [
{
"version_value": "\u003c= 13.4"
}
]
}
},
{
"product_name": "Plum A+3 Infusion System",
"version": {
"version_data": [
{
"version_value": "\u003c= 13.6"
}
]
}
},
{
"product_name": "Symbiq Infusion System",
"version": {
"version_data": [
{
"version_value": "\u003c= 3.13"
}
]
}
}
]
},
"vendor_name": "Hospira"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Wireless keys are stored in plain text on Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospira has also released the Plum 360 Infusion System which is not vulnerable to this issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cleartext storage of sensitive information CWE-312"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-161-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2015-3952",
"datePublished": "2019-03-25T15:42:39.000Z",
"dateReserved": "2015-05-12T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:04:01.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1012 (GCVE-0-2015-1012)
Vulnerability from cvelistv5 – Published: 2019-03-25 18:20 – Updated: 2024-08-06 04:26- CWE-312 - Cleartext storage of sensitive information CWE-312
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Hospira | LifeCare PCA Infusion System |
Affected:
<= 5.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:26:11.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "LifeCare PCA Infusion System",
"vendor": "Hospira",
"versions": [
{
"status": "affected",
"version": "\u003c= 5.0"
}
]
}
],
"datePublic": "2015-05-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Wireless keys are stored in plain text on version 5 of the Hospira LifeCare PCA Infusion System. According to Hospira, version 3 of the LifeCare PCA Infusion System is not indicated for wireless use, is not shipped with wireless capabilities, and should not be modified to be used in a wireless capacity in a clinical setting. Hospira has developed a new version of the PCS Infusion System, version 7.0 that addresses the identified vulnerabilities. Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "Cleartext storage of sensitive information CWE-312",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-25T18:20:12.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2015-1012",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "LifeCare PCA Infusion System",
"version": {
"version_data": [
{
"version_value": "\u003c= 5.0"
}
]
}
}
]
},
"vendor_name": "Hospira"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Wireless keys are stored in plain text on version 5 of the Hospira LifeCare PCA Infusion System. According to Hospira, version 3 of the LifeCare PCA Infusion System is not indicated for wireless use, is not shipped with wireless capabilities, and should not be modified to be used in a wireless capacity in a clinical setting. Hospira has developed a new version of the PCS Infusion System, version 7.0 that addresses the identified vulnerabilities. Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cleartext storage of sensitive information CWE-312"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-125-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2015-1012",
"datePublished": "2019-03-25T18:20:12.000Z",
"dateReserved": "2015-01-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T04:26:11.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-5433 (GCVE-0-2014-5433)
Vulnerability from cvelistv5 – Published: 2019-03-26 15:07 – Updated: 2024-08-06 11:41- CWE-312 - Cleartext storage of sensitive information CWE-312
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Baxter | SIGMA Spectrum Infusion System |
Affected:
6.05 (model 35700BAX) with wireless battery module (WBM) version 16
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:41:49.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SIGMA Spectrum Infusion System",
"vendor": "Baxter",
"versions": [
{
"status": "affected",
"version": "6.05 (model 35700BAX) with wireless battery module (WBM) version 16"
}
]
}
],
"datePublic": "2015-06-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated remote attacker may be able to execute commands to view wireless account credentials that are stored in cleartext on Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16, which may allow an attacker to gain access the host network. Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "Cleartext storage of sensitive information CWE-312",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-26T15:07:39.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2014-5433",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SIGMA Spectrum Infusion System",
"version": {
"version_data": [
{
"version_value": "6.05 (model 35700BAX) with wireless battery module (WBM) version 16"
}
]
}
}
]
},
"vendor_name": "Baxter"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An unauthenticated remote attacker may be able to execute commands to view wireless account credentials that are stored in cleartext on Baxter SIGMA Spectrum Infusion System version 6.05 (model 35700BAX) with wireless battery module (WBM) version 16, which may allow an attacker to gain access the host network. Baxter has released a new version of the SIGMA Spectrum Infusion System, Version 8, which incorporates hardware and software changes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cleartext storage of sensitive information CWE-312"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-181-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2014-5433",
"datePublished": "2019-03-26T15:07:39.000Z",
"dateReserved": "2014-08-22T00:00:00.000Z",
"dateUpdated": "2024-08-06T11:41:49.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-22WJ-VF5F-WRVJ
Vulnerability from github – Published: 2022-11-23 21:30 – Updated: 2024-07-03 17:59The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.h2database:h2"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.198"
},
{
"fixed": "2.2.220"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-45868"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-23T22:31:05Z",
"nvd_published_at": "2022-11-23T21:15:00Z",
"severity": "HIGH"
},
"details": "The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states \"This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that.\"",
"id": "GHSA-22wj-vf5f-wrvj",
"modified": "2024-07-03T17:59:02Z",
"published": "2022-11-23T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45868"
},
{
"type": "WEB",
"url": "https://github.com/h2database/h2database/issues/3686"
},
{
"type": "WEB",
"url": "https://github.com/h2database/h2database/pull/3833"
},
{
"type": "WEB",
"url": "https://github.com/h2database/h2database/commit/581ed18ff9d6b3761d851620ed88a3994a351a0d"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-22wj-vf5f-wrvj"
},
{
"type": "PACKAGE",
"url": "https://github.com/h2database/h2database"
},
{
"type": "WEB",
"url": "https://github.com/h2database/h2database/blob/96832bf5a97cdc0adc1f2066ed61c54990d66ab5/h2/src/main/org/h2/server/web/WebServer.java#L346-L347"
},
{
"type": "WEB",
"url": "https://github.com/h2database/h2database/releases/tag/version-2.2.220"
},
{
"type": "WEB",
"url": "https://sites.google.com/sonatype.com/vulnerabilities/sonatype-2022-6243"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Password exposure in H2 Database "
}
GHSA-23F5-GR55-W97F
Vulnerability from github – Published: 2023-02-27 18:32 – Updated: 2023-03-04 06:30Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an information disclosure vulnerability via the /debug endpoint. This vulnerability allows attackers to access cleartext credentials needed to authenticate to the AS400 system.
{
"affected": [],
"aliases": [
"CVE-2023-26760"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-27T16:15:00Z",
"severity": "HIGH"
},
"details": "Sme.UP ERP TOKYO V6R1M220406 was discovered to contain an information disclosure vulnerability via the /debug endpoint. This vulnerability allows attackers to access cleartext credentials needed to authenticate to the AS400 system.",
"id": "GHSA-23f5-gr55-w97f",
"modified": "2023-03-04T06:30:21Z",
"published": "2023-02-27T18:32:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26760"
},
{
"type": "WEB",
"url": "https://www.swascan.com/it/security-advisory-sme-up-erp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-23FG-RQ88-2H56
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI displays user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 207610.
{
"affected": [],
"aliases": [
"CVE-2021-29904"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-23T18:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI displays user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 207610.",
"id": "GHSA-23fg-rq88-2h56",
"modified": "2022-05-24T19:15:29Z",
"published": "2022-05-24T19:15:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29904"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/207610"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6491525"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-2538-XC2C-WH7P
Vulnerability from github – Published: 2025-09-19 21:31 – Updated: 2025-09-24 21:30Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) provision the appliance with the network account credentials in clear-text inside /etc/issue, and the file is world-readable by default. An attacker with local shell access can read /etc/issue to obtain the network account username and password. Using the network account an attacker can change network parameters via the appliance interface, enabling local misconfiguration, network disruption or further escalation depending on deployment.
{
"affected": [],
"aliases": [
"CVE-2025-34200"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-19T19:15:40Z",
"severity": "HIGH"
},
"details": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) provision the appliance with the network account credentials in clear-text inside /etc/issue, and the file is world-readable by default. An attacker with local shell access can read /etc/issue to obtain the network account username and password. Using the network account an attacker can change network parameters via the appliance interface, enabling local misconfiguration, network disruption or further escalation depending on deployment.",
"id": "GHSA-2538-xc2c-wh7p",
"modified": "2025-09-24T21:30:36Z",
"published": "2025-09-19T21:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34200"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-clear-text-password"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-network-account-password-stored-in-cleartext"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-255M-X7W5-9W65
Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-05-22 21:30Use of Hard-coded Credentials vulnerability in ABB ASPECT-Enterprise, ABB NEXUS Series, ABB MATRIX Series.This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
{
"affected": [],
"aliases": [
"CVE-2024-51547"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-06T05:15:12Z",
"severity": "CRITICAL"
},
"details": "Use of Hard-coded Credentials vulnerability in ABB ASPECT-Enterprise, ABB NEXUS Series, ABB MATRIX Series.This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.",
"id": "GHSA-255m-x7w5-9w65",
"modified": "2025-05-22T21:30:42Z",
"published": "2025-02-06T06:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51547"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A6775\u0026LanguageCode=en\u0026DocumentPartId=pdf%20-%20Public%20Advisory\u0026Action=Launch"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-25RF-WFP7-MV9X
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31IBM Planning Analytics Advanced Certified Containers 3.1.0 through 3.1.4 could allow a local privileged user to obtain sensitive information from environment variables.
{
"affected": [],
"aliases": [
"CVE-2025-36105"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-526"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T16:50:21Z",
"severity": "MODERATE"
},
"details": "IBM Planning Analytics Advanced Certified Containers 3.1.0 through 3.1.4 could allow a local privileged user to obtain sensitive information from environment variables.",
"id": "GHSA-25rf-wfp7-mv9x",
"modified": "2026-03-10T18:31:16Z",
"published": "2026-03-10T18:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36105"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7262806"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-28FQ-P2C7-42PX
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28Secom Co. Dr.ID, a Door Access Control and Personnel Attendance Management system, stores users’ information by cleartext in the cookie, which divulges password to attackers.
{
"affected": [],
"aliases": [
"CVE-2020-3935"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-11T12:15:00Z",
"severity": "MODERATE"
},
"details": "Secom Co. Dr.ID, a Door Access Control and Personnel Attendance Management system, stores users\u2019 information by cleartext in the cookie, which divulges password to attackers.",
"id": "GHSA-28fq-p2c7-42px",
"modified": "2022-05-24T22:28:03Z",
"published": "2022-05-24T22:28:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3935"
},
{
"type": "WEB",
"url": "https://gist.github.com/chtsecurity/4db471b34c3959e5ab9ec31570e4760b"
},
{
"type": "WEB",
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201910018"
},
{
"type": "WEB",
"url": "https://www.chtsecurity.com/news/1bb85fcd-9048-4587-b4d3-b18335572bac"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-3319-d7b65-2.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.