Common Weakness Enumeration

CWE-922

Allowed-with-Review

Insecure Storage of Sensitive Information

Abstraction: Class · Status: Incomplete

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

437 vulnerabilities reference this CWE, most recent first.

GHSA-39RR-HFC3-8PCC

Vulnerability from github – Published: 2024-07-30 00:34 – Updated: 2026-04-02 21:31
VLAI
Details

The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.6. An app may be able to view a contact's phone number in system logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40832"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T23:15:14Z",
    "severity": "LOW"
  },
  "details": "The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.6. An app may be able to view a contact\u0027s phone number in system logs.",
  "id": "GHSA-39rr-hfc3-8pcc",
  "modified": "2026-04-02T21:31:52Z",
  "published": "2024-07-30T00:34:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40832"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120911"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214119"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214119"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3C76-P447-JMG2

Vulnerability from github – Published: 2024-10-23 15:31 – Updated: 2024-10-23 15:31
VLAI
Details

HCL Sametime is impacted by misconfigured security related HTTP headers. It was identified that some HTTP headers were missing on web service responses. This will lead to less secure browser default treatment for the policies controlled by these headers.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-23T15:15:30Z",
    "severity": "MODERATE"
  },
  "details": "HCL Sametime is impacted by misconfigured security related HTTP headers. It was identified that some HTTP headers were missing on web service responses. This will lead to less secure browser default treatment for the policies controlled by these headers.",
  "id": "GHSA-3c76-p447-jmg2",
  "modified": "2024-10-23T15:31:08Z",
  "published": "2024-10-23T15:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30122"
    },
    {
      "type": "WEB",
      "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0115627"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CPQ-RW36-CPPV

Vulnerability from github – Published: 2024-06-26 18:30 – Updated: 2024-06-26 20:07
VLAI
Summary
Secret file credentials stored unencrypted in rare cases by Plain Credentials Plugin
Details

When creating secret file credentials Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier attempts to decrypt the content of the file to check if it constitutes a valid encrypted secret. In rare cases the file content matches the expected format of an encrypted secret, and the file content will be stored unencrypted (only Base64 encoded) on the Jenkins controller file system.

These credentials can be viewed by users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission (folder-scoped credentials).

Plain Credentials Plugin 183.va_de8f1dd5a_2b_ no longer attempts to decrypt the content of the file when creating secret file credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:plain-credentials"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "183.va"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-26T20:07:12Z",
    "nvd_published_at": "2024-06-26T17:15:27Z",
    "severity": "MODERATE"
  },
  "details": "When creating secret file credentials Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier attempts to decrypt the content of the file to check if it constitutes a valid encrypted secret. In rare cases the file content matches the expected format of an encrypted secret, and the file content will be stored unencrypted (only Base64 encoded) on the Jenkins controller file system.\n\nThese credentials can be viewed by users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission (folder-scoped credentials).\n\nPlain Credentials Plugin 183.va_de8f1dd5a_2b_ no longer attempts to decrypt the content of the file when creating secret file credentials.\n",
  "id": "GHSA-3cpq-rw36-cppv",
  "modified": "2024-06-26T20:07:12Z",
  "published": "2024-06-26T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39459"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/plain-credentials-plugin/commit/ade8f1dd5a2bc69357995fd50baac56d73f80813"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/plain-credentials-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-2495"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/06/26/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Secret file credentials stored unencrypted in rare cases by Plain Credentials Plugin "
}

GHSA-3FR9-M4CP-5GR8

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32
VLAI
Details

This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sequoia 15.3. An app may be able to access user-sensitive data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T22:15:15Z",
    "severity": "MODERATE"
  },
  "details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sequoia 15.3. An app may be able to access user-sensitive data.",
  "id": "GHSA-3fr9-m4cp-5gr8",
  "modified": "2025-11-03T21:32:24Z",
  "published": "2025-01-28T00:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24101"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/122068"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jan/15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3JVJ-RG8C-7P8M

Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:06
VLAI
Details

Exposure of sensitive information to an unauthorized actor issue exists in ELECOM wireless LAN routers, which allows a network-adjacent attacker to obtain sensitive information. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-37563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T03:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Exposure of sensitive information to an unauthorized actor issue exists in ELECOM wireless LAN routers, which allows a network-adjacent attacker to obtain sensitive information. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier.",
  "id": "GHSA-3jvj-rg8c-7p8m",
  "modified": "2024-04-04T06:06:14Z",
  "published": "2023-07-13T03:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37563"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN05223215"
    },
    {
      "type": "WEB",
      "url": "https://www.elecom.co.jp/news/security/20230711-01"
    },
    {
      "type": "WEB",
      "url": "https://www.elecom.co.jp/news/security/20230810-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3M6R-3GW2-H96X

Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31
VLAI
Details

SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33004"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-524",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T16:17:13Z",
    "severity": "MODERATE"
  },
  "details": "SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application.",
  "id": "GHSA-3m6r-3gw2-h96x",
  "modified": "2024-05-14T18:31:01Z",
  "published": "2024-05-14T18:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33004"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3449093"
    },
    {
      "type": "WEB",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3MF7-99RR-74GR

Vulnerability from github – Published: 2024-04-25 09:32 – Updated: 2026-04-08 18:32
VLAI
Details

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.9.15 via the ajax_load_more() , eael_woo_pagination_product_ajax(), and ajax_eael_product_gallery() functions. This makes it possible for unauthenticated attackers to extract posts that may be in private or draft status.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-25T09:15:08Z",
    "severity": "MODERATE"
  },
  "details": "The Essential Addons for Elementor \u2013 Best Elementor Templates, Widgets, Kits \u0026 WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.9.15 via the ajax_load_more() , eael_woo_pagination_product_ajax(), and ajax_eael_product_gallery() functions. This makes it possible for unauthenticated attackers to extract posts that may be in private or draft status.",
  "id": "GHSA-3mf7-99rr-74gr",
  "modified": "2026-04-08T18:32:59Z",
  "published": "2024-04-25T09:32:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3733"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3075644/essential-addons-for-elementor-lite/tags/5.9.16/includes/Traits/Ajax_Handler.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3d604f7a-947c-43f4-bba6-e7e98b2d7844?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3MQ9-XHGQ-R7GJ

Vulnerability from github – Published: 2026-02-04 20:46 – Updated: 2026-02-04 20:46
VLAI
Summary
EVE: SSH as Root Unlockable Without Triggering Measured Boot
Details

Impact

On boot, the Pillar container checks for /config/authorized_keys. If present with a valid public key, it enables SSH on port 22 with root login. The /config partition is not protected by measured boot, is mutable and unencrypted.

This enables an attacker with physical access to the device to take out the disk, modify the /config partition using a separate server, then insert it, without the inserted key being flagged as an integrity voilation my measured boot and remote attestation.

Patches

Patched in 9.4.3-lts

Workarounds

None (apart from preventing physical access to the device)

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/lf-edge/eve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20220708121648-5fef4d92e758"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43631"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522",
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-04T20:46:16Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOn boot, the Pillar container checks for /config/authorized_keys. If present with a valid public key, it enables SSH on port 22 with root login. The /config partition is not protected by measured boot, is mutable and unencrypted.\n\nThis enables an attacker with physical access to the device to take out the disk, modify the /config partition using a separate server, then insert it, without the inserted key being flagged as an integrity voilation my measured boot and remote attestation.\n\n### Patches\n\nPatched in 9.4.3-lts\n\n### Workarounds\n\nNone (apart from preventing physical access to the device)",
  "id": "GHSA-3mq9-xhgq-r7gj",
  "modified": "2026-02-04T20:46:16Z",
  "published": "2026-02-04T20:46:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/eve/security/advisories/GHSA-3mq9-xhgq-r7gj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43631"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/eve/commit/5fef4d92e75838cc78010edaed5247dfbdae1889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lf-edge/eve/commit/aa3501d6c57206ced222c33aea15a9169d629141"
    },
    {
      "type": "WEB",
      "url": "https://asrg.io/security-advisories/cve-2023-43631"
    },
    {
      "type": "WEB",
      "url": "https://asrg.io/security-advisories/ssh-as-root-unlockable-without-triggering-measured-boot"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lf-edge/eve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "EVE: SSH as Root Unlockable Without Triggering Measured Boot"
}

GHSA-3PX8-GF2C-QQRH

Vulnerability from github – Published: 2025-07-08 03:31 – Updated: 2025-07-08 03:31
VLAI
Details

The GuiXT application, which is integrated with SAP GUI for Windows, uses obfuscation algorithms instead of secure symmetric ciphers for storing the credentials of an RFC user on the client PC. This leads to a high impact on confidentiality because any attacker who gains access to the user hive of this user�s windows registry could recreate the original password. There is no impact on integrity or availability of the application

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-42979"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T01:15:25Z",
    "severity": "MODERATE"
  },
  "details": "The GuiXT application, which is integrated with SAP GUI for Windows, uses obfuscation algorithms instead of secure symmetric ciphers for storing the credentials of an RFC user on the client PC. This leads to a high impact on confidentiality because any attacker who gains access to the user hive of this user\ufffds windows registry could recreate the original password. There is no impact on integrity or availability of the application",
  "id": "GHSA-3px8-gf2c-qqrh",
  "modified": "2025-07-08T03:31:01Z",
  "published": "2025-07-08T03:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42979"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3607513"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3VVH-6QRH-25VG

Vulnerability from github – Published: 2022-11-11 19:00 – Updated: 2022-11-16 19:00
VLAI
Details

Improper access control in the Intel(R) WAPI Security software for Windows 10/11 before version 22.2150.0.1 may allow an authenticated user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-11T16:15:00Z",
    "severity": "LOW"
  },
  "details": "Improper access control in the Intel(R) WAPI Security software for Windows 10/11 before version 22.2150.0.1 may allow an authenticated user to potentially enable information disclosure via local access.",
  "id": "GHSA-3vvh-6qrh-25vg",
  "modified": "2022-11-16T19:00:25Z",
  "published": "2022-11-11T19:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33973"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00720.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.