CWE-921
AllowedStorage of Sensitive Data in a Mechanism without Access Control
Abstraction: Base · Status: Incomplete
The product stores sensitive information in a file system or device that does not have built-in access control.
17 vulnerabilities reference this CWE, most recent first.
GHSA-36CM-H8GV-MG97
Vulnerability from github – Published: 2023-05-19 18:30 – Updated: 2023-05-19 23:45RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the salaries module. In addition, the file names contain a date in a YYYY-MM-DD format and a random six-string digit, making enumerating file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "francoisjacquet/rosariosis"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2665"
],
"database_specific": {
"cwe_ids": [
"CWE-921",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-19T23:45:12Z",
"nvd_published_at": "2023-05-12T01:15:09Z",
"severity": "HIGH"
},
"details": "RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the `salaries` module. In addition, the file names contain a date in a `YYYY-MM-DD` format and a random six-string digit, making enumerating file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.",
"id": "GHSA-36cm-h8gv-mg97",
"modified": "2023-05-19T23:45:12Z",
"published": "2023-05-19T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2665"
},
{
"type": "WEB",
"url": "https://github.com/francoisjacquet/rosariosis/commit/09d5afaa6be07688ca1a7ac3b755b5438109e986"
},
{
"type": "PACKAGE",
"url": "https://github.com/francoisjacquet/rosariosis"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/42f38a84-8954-484d-b5ff-706ca0918194"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "RosarioSIS Stores Sensitive Data in a Mechanism without Access Control"
}
GHSA-4WRV-C229-VC5P
Vulnerability from github – Published: 2025-04-08 09:31 – Updated: 2025-04-08 09:31SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to which there is high impact on the Confidentiality, Integrity & Availability of the application.
{
"affected": [],
"aliases": [
"CVE-2025-30016"
],
"database_specific": {
"cwe_ids": [
"CWE-921"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T08:15:17Z",
"severity": "CRITICAL"
},
"details": "SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to which there is high impact on the Confidentiality, Integrity \u0026 Availability of the application.",
"id": "GHSA-4wrv-c229-vc5p",
"modified": "2025-04-08T09:31:11Z",
"published": "2025-04-08T09:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30016"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3572688"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9W44-6HCW-V783
Vulnerability from github – Published: 2025-02-28 18:31 – Updated: 2025-02-28 18:31Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data.
{
"affected": [],
"aliases": [
"CVE-2025-24843"
],
"database_specific": {
"cwe_ids": [
"CWE-921"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-28T17:15:17Z",
"severity": "MODERATE"
},
"details": "Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data.",
"id": "GHSA-9w44-6hcw-v783",
"modified": "2025-02-28T18:31:05Z",
"published": "2025-02-28T18:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24843"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01"
},
{
"type": "WEB",
"url": "https://www.dariohealth.com/contact"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HJ57-J5CW-2MWP
Vulnerability from github – Published: 2022-05-25 19:37 – Updated: 2026-03-11 19:49Impact
Unprivileged software in VMware VMs, including software running in unprivileged containers, can retrieve an Ignition config stored in a hypervisor guestinfo variable or OVF environment. If the Ignition config contains secrets, this can result in the compromise of sensitive information.
Patches
Ignition 2.14.0 and later adds a new systemd service, ignition-delete-config.service, that deletes the Ignition config from supported hypervisors (currently VMware and VirtualBox) during the first boot. This ensures that unprivileged software cannot retrieve the Ignition config from the hypervisor.
If you have external tooling that requires the Ignition config to remain accessible in VM metadata after provisioning, and your Ignition config does not include sensitive information, you can prevent Ignition 2.14.0 and later from deleting the config by masking ignition-delete-config.service. For example:
{
"ignition": {
"version": "3.0.0"
},
"systemd": {
"units": [
{
"name": "ignition-delete-config.service",
"mask": true
}
]
}
}
Workarounds
Avoid storing secrets in Ignition configs. In addition to VMware, many cloud platforms allow unprivileged software in a VM to retrieve the Ignition config from a networked cloud metadata service. While platform-specific mitigation is possible, such as firewall rules that prevent access to the metadata service, it's best to store secrets in a dedicated platform such as Hashicorp Vault.
Advice to Linux distributions
Linux distributions that ship Ignition should ensure the new ignition-delete-config.service is installed and enabled by default.
In addition, we recommend shipping a service similar to ignition-delete-config.service that runs when existing machines are upgraded, similar to the one in https://github.com/coreos/fedora-coreos-config/pull/1738. Consider giving your users advance notice of this change, and providing instructions for masking ignition-delete-config.service on existing nodes if users have tooling that requires the Ignition config to remain accessible in VM metadata.
References
For more information, see #1300 and #1350.
For more information
If you have any questions or comments about this advisory, open an issue in Ignition or email the CoreOS development mailing list.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/coreos/ignition/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.35.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/coreos/ignition"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1706"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-863",
"CWE-921"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T19:37:37Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nUnprivileged software in VMware VMs, including software running in unprivileged containers, can retrieve an Ignition config stored in a hypervisor guestinfo variable or OVF environment. If the Ignition config contains secrets, this can result in the compromise of sensitive information.\n\n### Patches\nIgnition 2.14.0 and later [adds](https://github.com/coreos/ignition/pull/1350) a new systemd service, `ignition-delete-config.service`, that deletes the Ignition config from supported hypervisors (currently VMware and VirtualBox) during the first boot. This ensures that unprivileged software cannot retrieve the Ignition config from the hypervisor.\n\nIf you have external tooling that requires the Ignition config to remain accessible in VM metadata after provisioning, and your Ignition config does not include sensitive information, you can prevent Ignition 2.14.0 and later from deleting the config by masking `ignition-delete-config.service`. For example:\n\n```json\n{\n \"ignition\": {\n \"version\": \"3.0.0\"\n },\n \"systemd\": {\n \"units\": [\n {\n \"name\": \"ignition-delete-config.service\",\n \"mask\": true\n }\n ]\n }\n}\n```\n\n### Workarounds\n[Avoid storing secrets](https://coreos.github.io/ignition/operator-notes/#secrets) in Ignition configs. In addition to VMware, many cloud platforms allow unprivileged software in a VM to retrieve the Ignition config from a networked cloud metadata service. While platform-specific mitigation is possible, such as firewall rules that prevent access to the metadata service, it\u0027s best to store secrets in a dedicated platform such as [Hashicorp Vault](https://www.vaultproject.io/).\n\n### Advice to Linux distributions\nLinux distributions that ship Ignition should ensure the new `ignition-delete-config.service` is installed and enabled by default.\n\nIn addition, we recommend shipping a service similar to `ignition-delete-config.service` that runs when existing machines are upgraded, similar to the one in https://github.com/coreos/fedora-coreos-config/pull/1738. Consider giving your users advance notice of this change, and providing instructions for masking `ignition-delete-config.service` on existing nodes if users have tooling that requires the Ignition config to remain accessible in VM metadata.\n\n### References\nFor more information, see #1300 and #1350.\n\n### For more information\nIf you have any questions or comments about this advisory, [open an issue in Ignition](https://github.com/coreos/ignition/issues/new/choose) or email the CoreOS [development mailing list](https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.org/).",
"id": "GHSA-hj57-j5cw-2mwp",
"modified": "2026-03-11T19:49:57Z",
"published": "2022-05-25T19:37:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coreos/ignition/security/advisories/GHSA-hj57-j5cw-2mwp"
},
{
"type": "WEB",
"url": "https://github.com/coreos/ignition/issues/1300"
},
{
"type": "WEB",
"url": "https://github.com/coreos/ignition/pull/1350"
},
{
"type": "PACKAGE",
"url": "https://github.com/coreos/ignition"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ignition config accessible to unprivileged software on VMware"
}
GHSA-JW8X-6495-233V
Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-10-25 16:47A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the stop_words_ attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the stop_words_ attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "scikit-learn"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-5206"
],
"database_specific": {
"cwe_ids": [
"CWE-921",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-17T22:31:08Z",
"nvd_published_at": "2024-06-06T19:16:06Z",
"severity": "MODERATE"
},
"details": "A sensitive data leakage vulnerability was identified in scikit-learn\u0027s TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.",
"id": "GHSA-jw8x-6495-233v",
"modified": "2024-10-25T16:47:32Z",
"published": "2024-06-06T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5206"
},
{
"type": "WEB",
"url": "https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/scikit-learn/PYSEC-2024-110.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/scikit-learn/scikit-learn"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "scikit-learn sensitive data leakage vulnerability"
}
GHSA-QVFQ-26W4-9F8V
Vulnerability from github – Published: 2025-02-11 03:30 – Updated: 2025-02-11 03:30SAP GUI for Windows & RFC service credentials are incorrectly stored in the memory of the program allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly sensitive information. This has no impact on integrity, and availability.
{
"affected": [],
"aliases": [
"CVE-2025-24870"
],
"database_specific": {
"cwe_ids": [
"CWE-921"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T01:15:11Z",
"severity": "MODERATE"
},
"details": "SAP GUI for Windows \u0026 RFC service credentials are incorrectly stored in the memory of the program allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly sensitive information. This has no impact on integrity, and availability.",
"id": "GHSA-qvfq-26w4-9f8v",
"modified": "2025-02-11T03:30:56Z",
"published": "2025-02-11T03:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24870"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3562336"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W545-288R-RF3P
Vulnerability from github – Published: 2023-09-18 21:30 – Updated: 2025-04-15 21:31** UNSUPPPORTED WHEN ASSIGNED **
Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.
{
"affected": [],
"aliases": [
"CVE-2023-41965"
],
"database_specific": {
"cwe_ids": [
"CWE-921",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-18T20:15:10Z",
"severity": "HIGH"
},
"details": "** UNSUPPPORTED WHEN ASSIGNED ** \n\n\n\n\nSending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.",
"id": "GHSA-w545-288r-rf3p",
"modified": "2025-04-15T21:31:26Z",
"published": "2023-09-18T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41965"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.