Common Weakness Enumeration

CWE-402

Allowed-with-Review

Transmission of Private Resources into a New Sphere ('Resource Leak')

Abstraction: Class · Status: Draft

The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product.

44 vulnerabilities reference this CWE, most recent first.

CVE-2021-23263 (GCVE-0-2021-23263)

Vulnerability from cvelistv5 – Published: 2021-12-02 15:40 – Updated: 2024-09-16 23:36
VLAI
Title
Transmission of Private Resources into a New Sphere ('Resource Leak') in Crafter Engine
Summary
Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).
CWE
  • CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
Assigner
References
Impacted products
Vendor Product Version
Crafter Software Crafter CMS Affected: 3.1 , < 3.1.15 (custom)
Create a notification for this product.
Date Public
2021-12-01 00:00
Credits
Carlos Ortiz
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:05:54.887Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Crafter CMS",
          "vendor": "Crafter Software",
          "versions": [
            {
              "lessThan": "3.1.15",
              "status": "affected",
              "version": "3.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Carlos Ortiz"
        }
      ],
      "datePublic": "2021-12-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-402",
              "description": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-02T15:40:58.000Z",
        "orgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
        "shortName": "crafter"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) in Crafter Engine",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@craftersoftware.com",
          "DATE_PUBLIC": "2021-12-01T15:40:00.000Z",
          "ID": "CVE-2021-23263",
          "STATE": "PUBLIC",
          "TITLE": "Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027) in Crafter Engine"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Crafter CMS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.1",
                            "version_value": "3.1.15"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Crafter Software"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Carlos Ortiz"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary)."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106",
              "refsource": "MISC",
              "url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120106"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4ff2b028-869f-4b00-a7b2-05997f6f14fd",
    "assignerShortName": "crafter",
    "cveId": "CVE-2021-23263",
    "datePublished": "2021-12-02T15:40:58.466Z",
    "dateReserved": "2021-01-08T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:36:18.930Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-8442 (GCVE-0-2017-8442)

Vulnerability from cvelistv5 – Published: 2017-07-07 20:00 – Updated: 2024-08-05 16:34
VLAI
Summary
Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details.
Severity
No CVSS data available.
CWE
  • CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
Assigner
References
URL Tags
https://www.elastic.co/community/security x_refsource_CONFIRM
Impacted products
Date Public
2017-07-06 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:34:23.206Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.elastic.co/community/security"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Elasticsearch X-Pack Security",
          "vendor": "Elastic",
          "versions": [
            {
              "status": "affected",
              "version": "5.0.0 to 5.4.3"
            }
          ]
        }
      ],
      "datePublic": "2017-07-06T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-402",
              "description": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-07-07T19:57:01.000Z",
        "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
        "shortName": "elastic"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.elastic.co/community/security"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@elastic.co",
          "ID": "CVE-2017-8442",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Elasticsearch X-Pack Security",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.0.0 to 5.4.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Elastic"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-402: Transmission of Private Resources into a New Sphere (\u0027Resource Leak\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.elastic.co/community/security",
              "refsource": "CONFIRM",
              "url": "https://www.elastic.co/community/security"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a",
    "assignerShortName": "elastic",
    "cveId": "CVE-2017-8442",
    "datePublished": "2017-07-07T20:00:00.000Z",
    "dateReserved": "2017-05-02T00:00:00.000Z",
    "dateUpdated": "2024-08-05T16:34:23.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-22Q5-9PHM-744V

Vulnerability from github – Published: 2025-03-19 20:34 – Updated: 2025-03-19 20:34
VLAI
Summary
XWiki allows unregistered users to access private pages information through REST endpoint
Details

Impact

Protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki (actually it only impacts the main wiki due to XWIKI-22639).

Patches

The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.

Workarounds

There's no workaround except upgrading or applying manually the changes of the commits (see references) in xwiki-platform-rest-server and recompiling / rebuilding it.

References

  • Original JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22630
  • Related JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22639
  • Commits of the patch: https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206 and https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9M1"
            },
            {
              "fixed": "15.10.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0-rc-1"
            },
            {
              "fixed": "16.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-rest-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.5.0-rc-1"
            },
            {
              "fixed": "16.10.0-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-29925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-19T20:34:43Z",
    "nvd_published_at": "2025-03-19T18:15:25Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nProtected pages are listed when requesting the REST endpoints `/rest/wikis/[wikiName]/pages` even if the user doesn\u0027t have view rights on them. \nIt\u0027s particularly true if the entire wiki is protected with \"Prevent unregistered user to view pages\": the endpoint would still list the pages of the wiki (actually it only impacts the main wiki due to XWIKI-22639).\n\n### Patches\n\nThe problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.\n\n### Workarounds\n\nThere\u0027s no workaround except upgrading or applying manually the changes of the commits (see references) in `xwiki-platform-rest-server` and recompiling / rebuilding it.\n\n### References\n\n * Original JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22630\n * Related JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22639\n * Commits of the patch: https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206 and https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-22q5-9phm-744v",
  "modified": "2025-03-19T20:34:43Z",
  "published": "2025-03-19T20:34:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-22q5-9phm-744v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29925"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-22630"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-22639"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XWiki allows unregistered users to access private pages information through REST endpoint"
}

GHSA-25XC-JWFQ-39JW

Vulnerability from github – Published: 2021-04-19 14:50 – Updated: 2022-08-15 20:03
VLAI
Summary
OSGi applications using Vaadin 12-14 and 19 vulnerable to server classes and resources exposure
Details

Vulnerability in OSGi integration in com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.

  • https://vaadin.com/security/cve-2021-31407
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.4.7"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "2.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.vaadin:flow-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "6.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-31407"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-16T23:15:42Z",
    "nvd_published_at": "2021-04-23T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability in OSGi integration in `com.vaadin:flow-server` versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9), and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows attacker to access application classes and resources on the server via crafted HTTP request.\n\n- https://vaadin.com/security/cve-2021-31407",
  "id": "GHSA-25xc-jwfq-39jw",
  "modified": "2022-08-15T20:03:44Z",
  "published": "2021-04-19T14:50:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow/security/advisories/GHSA-25xc-jwfq-39jw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31407"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/osgi/issues/50"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow/pull/10229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vaadin/flow/pull/10269"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vaadin/flow"
    },
    {
      "type": "WEB",
      "url": "https://vaadin.com/security/cve-2021-31407"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OSGi applications using Vaadin 12-14 and 19 vulnerable to server classes and resources exposure"
}

GHSA-2WR2-8QJQ-GH55

Vulnerability from github – Published: 2021-12-16 15:27 – Updated: 2021-12-06 21:35
VLAI
Summary
Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search
Details

Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.craftercms:crafter-search"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-23264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-06T21:35:33Z",
    "nvd_published_at": "2021-12-02T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.",
  "id": "GHSA-2wr2-8qjq-gh55",
  "modified": "2021-12-06T21:35:33Z",
  "published": "2021-12-16T15:27:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftercms/craftercms/commit/0e256ef0372c7be9d6e2fefc4652dd4fd94770a1"
    },
    {
      "type": "WEB",
      "url": "https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search"
}

GHSA-34H3-8MW4-QW57

Vulnerability from github – Published: 2024-03-29 20:16 – Updated: 2024-03-29 20:16
VLAI
Summary
@electron/packager's build process memory potentially leaked into final executable
Details

Impact

A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory could contain sensitive information such as environment variables, secrets files, etc.

Patches

This issue is patched in 18.3.1

Workarounds

No workarounds, please update to a patched version of @electron/packager immediately if impacated.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@electron/packager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "18.3.0"
            },
            {
              "fixed": "18.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "18.3.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29900"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-29T20:16:22Z",
    "nvd_published_at": "2024-03-29T16:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. This memory _could_ contain sensitive information such as environment variables, secrets files, etc.\n\n### Patches\nThis issue is patched in 18.3.1\n\n### Workarounds\nNo workarounds, please update to a patched version of `@electron/packager` immediately if impacated.\n",
  "id": "GHSA-34h3-8mw4-qw57",
  "modified": "2024-03-29T20:16:22Z",
  "published": "2024-03-29T20:16:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electron/packager/security/advisories/GHSA-34h3-8mw4-qw57"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29900"
    },
    {
      "type": "WEB",
      "url": "https://github.com/electron/packager/commit/d421d4bd3ced889a4143c5c3ab6d95e3be249eee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electron/packager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@electron/packager\u0027s build process memory potentially leaked into final executable"
}

GHSA-3Q75-RP5F-JFF5

Vulnerability from github – Published: 2025-07-03 15:31 – Updated: 2025-07-03 15:31
VLAI
Details

In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T13:15:28Z",
    "severity": "MODERATE"
  },
  "details": "In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.",
  "id": "GHSA-3q75-rp5f-jff5",
  "modified": "2025-07-03T15:31:20Z",
  "published": "2025-07-03T15:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49618"
    },
    {
      "type": "WEB",
      "url": "https://www.linkedin.com/posts/gaetano-cesano-976420200_qualche-giorno-fa-stavo-testando-plesk-obsidian-activity-7341794923198709761-by9G"
    },
    {
      "type": "WEB",
      "url": "https://www.plesk.com/blog/plesk-news-announcements/plesk-obsidian-18-0-69-is-here"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5732-H43F-839F

Vulnerability from github – Published: 2024-12-06 21:30 – Updated: 2024-12-06 21:30
VLAI
Details

Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to obtain the devices serial number if physically adjacent and sniffing the RAW WIFI signal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-06T19:15:12Z",
    "severity": "HIGH"
  },
  "details": "Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to obtain the devices serial number if physically adjacent and sniffing the RAW WIFI signal.",
  "id": "GHSA-5732-h43f-839f",
  "modified": "2024-12-06T21:30:39Z",
  "published": "2024-12-06T21:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47146"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5GVR-285Q-PWC3

Vulnerability from github – Published: 2024-02-04 15:30 – Updated: 2024-06-28 18:31
VLAI
Details

A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-327",
      "CWE-402"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-04T14:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.",
  "id": "GHSA-5gvr-285q-pwc3",
  "modified": "2024-06-28T18:31:42Z",
  "published": "2024-02-04T15:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1881"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:1882"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2758"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:3414"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:3421"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:3618"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:3627"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-6240"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250843"
    },
    {
      "type": "WEB",
      "url": "https://people.redhat.com/~hkario/marvin"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240628-0002"
    },
    {
      "type": "WEB",
      "url": "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-788F-3F4F-VV6F

Vulnerability from github – Published: 2023-09-20 21:31 – Updated: 2024-04-04 07:46
VLAI
Details

An information leak was found in OpenStack's undercloud. This flaw allows unauthenticated, remote attackers to inspect sensitive data after discovering the IP address of the undercloud, possibly leading to compromising private information, including administrator access credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3596"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-402"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-20T20:15:11Z",
    "severity": "HIGH"
  },
  "details": "An information leak was found in OpenStack\u0027s undercloud. This flaw allows unauthenticated, remote attackers to inspect sensitive data after discovering the IP address of the undercloud, possibly leading to compromising private information, including administrator access credentials.",
  "id": "GHSA-788f-3f4f-vv6f",
  "modified": "2024-04-04T07:46:49Z",
  "published": "2023-09-20T21:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3596"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2022:8897"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2022-3596"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136596"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.