CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-C339-MWFC-FMR2
Vulnerability from github – Published: 2025-03-17 18:31 – Updated: 2026-03-18 21:46A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openshift/hive"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-2241"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-17T21:27:56Z",
"nvd_published_at": "2025-03-17T17:15:40Z",
"severity": "HIGH"
},
"details": "A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation.",
"id": "GHSA-c339-mwfc-fmr2",
"modified": "2026-03-18T21:46:24Z",
"published": "2025-03-17T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2241"
},
{
"type": "WEB",
"url": "https://github.com/openshift/hive/pull/2612"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-2241"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351350"
},
{
"type": "PACKAGE",
"url": "https://github.com/openshift/hive"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Openshift Hive Exposes VCenter Credentials via ClusterProvision"
}
GHSA-C33F-M87Q-92QC
Vulnerability from github – Published: 2025-02-28 09:30 – Updated: 2025-02-28 09:30The connection string visible to users with access to FRSCore database on Foreseer Reporting Software (FRS) VM, this string can be used for gaining administrative access to the 4crXref database. This vulnerability has been resolved in the latest version 1.5.100 of FRS.
{
"affected": [],
"aliases": [
"CVE-2025-22492"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-28T09:15:12Z",
"severity": "MODERATE"
},
"details": "The connection string visible to users with access to FRSCore database on Foreseer Reporting Software (FRS) VM, this\nstring can be used for gaining administrative access to the 4crXref database. This vulnerability has been resolved in the latest version 1.5.100 of FRS.",
"id": "GHSA-c33f-m87q-92qc",
"modified": "2025-02-28T09:30:55Z",
"published": "2025-02-28T09:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22492"
},
{
"type": "WEB",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1009.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-C4VH-HHGM-3RM3
Vulnerability from github – Published: 2023-05-10 21:30 – Updated: 2024-04-04 04:01A Storing Passwords in a Recoverable Format vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) database system could allow an authenticated attacker to retrieve passwords. See SEL Service Bulletin dated 2022-11-15 for more details.
{
"affected": [],
"aliases": [
"CVE-2023-31150"
],
"database_specific": {
"cwe_ids": [
"CWE-257",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T20:15:10Z",
"severity": "MODERATE"
},
"details": "\nA Storing Passwords in a Recoverable Format vulnerability in the Schweitzer Engineering Laboratories Real-Time Automation Controller (SEL RTAC) database system could allow an authenticated attacker to retrieve passwords.\nSee SEL Service Bulletin dated 2022-11-15 for more details.\n\n\n",
"id": "GHSA-c4vh-hhgm-3rm3",
"modified": "2024-04-04T04:01:34Z",
"published": "2023-05-10T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31150"
},
{
"type": "WEB",
"url": "https://selinc.com/support/security-notifications/external-reports"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/blog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C5H4-7VC8-8W5M
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-21816"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-16T11:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.",
"id": "GHSA-c5h4-7vc8-8w5m",
"modified": "2022-05-24T19:08:19Z",
"published": "2022-05-24T19:08:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21816"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1281"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C6F2-5665-5P8P
Vulnerability from github – Published: 2024-02-06 03:33 – Updated: 2024-04-29 21:30Intelbras Roteador ACtion RF 1200 1.2.2 esposes the Password in Cookie resulting in Login Bypass.
{
"affected": [],
"aliases": [
"CVE-2024-22773"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T01:15:09Z",
"severity": "HIGH"
},
"details": "Intelbras Roteador ACtion RF 1200 1.2.2 esposes the Password in Cookie resulting in Login Bypass.",
"id": "GHSA-c6f2-5665-5p8p",
"modified": "2024-04-29T21:30:32Z",
"published": "2024-02-06T03:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22773"
},
{
"type": "WEB",
"url": "https://medium.com/%40wagneralves_87750/poc-cve-2024-22773-febf0d3a5433"
},
{
"type": "WEB",
"url": "https://medium.com/@wagneralves_87750/poc-cve-2024-22773-febf0d3a5433"
},
{
"type": "WEB",
"url": "https://www.intelbras.com/en/router-wi-fi-5-dual-band-ac-1200-action-rf-1200"
},
{
"type": "WEB",
"url": "https://www.intelbras.com/en/router-wi-fi-5-dual-band-ac-1200-with-giga-port-action-rg-1200"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=-r0TWJq55DU\u0026t=7s"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C7PC-PGF6-MFH5
Vulnerability from github – Published: 2022-11-10 21:46 – Updated: 2022-11-10 21:46Impact
Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.
Patches
Resolving versions: Ibexa DXP v1.0.13, v2.3.12
Workarounds
Remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.
References
This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability.
For more information
If you have any questions or comments about this advisory, please contact Support via your service portal.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezplatform-graphql"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0-rc1"
},
{
"fixed": "1.0.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "ezsystems/ezplatform-graphql"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-beta1"
},
{
"fixed": "2.3.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41876"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-10T21:46:14Z",
"nvd_published_at": "2022-11-10T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nUnauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.\n\n### Patches\n\nResolving versions: Ibexa DXP v1.0.13, v2.3.12\n\n### Workarounds\nRemove the \"passwordHash\" entry from \"src/bundle/Resources/config/graphql/User.types.yaml\" in the GraphQL package, and other properties like hash type, email, login if you prefer.\n\n### References\n\nThis issue was reported to us by Philippe Tranca (\"trancap\") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability. \n\n### For more information\nIf you have any questions or comments about this advisory, please contact Support via your service portal.",
"id": "GHSA-c7pc-pgf6-mfh5",
"modified": "2022-11-10T21:46:14Z",
"published": "2022-11-10T21:46:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ezsystems/ezplatform-graphql/security/advisories/GHSA-c7pc-pgf6-mfh5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41876"
},
{
"type": "WEB",
"url": "https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips"
},
{
"type": "PACKAGE",
"url": "https://github.com/ezsystems/ezplatform-graphql"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "ezplatform-graphql GraphQL queries can expose password hashes"
}
GHSA-C96H-4JR8-99GM
Vulnerability from github – Published: 2023-12-14 03:30 – Updated: 2023-12-14 03:30IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270.
{
"affected": [],
"aliases": [
"CVE-2023-45184"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-14T02:15:12Z",
"severity": "MODERATE"
},
"details": "IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270.",
"id": "GHSA-c96h-4jr8-99gm",
"modified": "2023-12-14T03:30:54Z",
"published": "2023-12-14T03:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45184"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268270"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7091942"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CGCM-7W4Q-57F9
Vulnerability from github – Published: 2023-12-14 15:30 – Updated: 2023-12-14 15:30IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 is vulnerable to having its key for an encrypted password decoded. By somehow gaining access to the encrypted password, a local attacker could exploit this vulnerability to obtain the password to other systems. IBM X-Force ID: 268265.
{
"affected": [],
"aliases": [
"CVE-2023-45182"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-14T14:15:42Z",
"severity": "HIGH"
},
"details": "\nIBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 is vulnerable to having its key for an encrypted password decoded. By somehow gaining access to the encrypted password, a local attacker could exploit this vulnerability to obtain the password to other systems. IBM X-Force ID: 268265.\n\n",
"id": "GHSA-cgcm-7w4q-57f9",
"modified": "2023-12-14T15:30:22Z",
"published": "2023-12-14T15:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45182"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/268265"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7091942"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CGJV-G7X3-8JRM
Vulnerability from github – Published: 2024-11-14 18:30 – Updated: 2024-11-14 18:30In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from GET /v1/users/me and GET /v1/users/me/org endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.
{
"affected": [],
"aliases": [
"CVE-2024-3502"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-201",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-14T18:15:18Z",
"severity": "CRITICAL"
},
"details": "In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.",
"id": "GHSA-cgjv-g7x3-8jrm",
"modified": "2024-11-14T18:30:37Z",
"published": "2024-11-14T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3502"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/17e95f6c99c7d5ac4ee5451c5857b97a12892c74"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/c2aff952-2dec-4538-8905-190c484aae94"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJ4V-24XQ-MCM6
Vulnerability from github – Published: 2024-01-03 21:30 – Updated: 2025-06-17 21:31Users’ product account authentication data was stored in clear text in The Genie Company Aladdin Connect Mobile Application Version 5.65 Build 2075 (and below) on Android Devices. This allows the attacker, with access to the android device, to potentially retrieve users' clear text authentication credentials.
{
"affected": [],
"aliases": [
"CVE-2023-5879"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-03T20:15:21Z",
"severity": "MODERATE"
},
"details": "Users\u2019 product account authentication data was stored in clear text in The Genie Company Aladdin Connect Mobile Application Version 5.65 Build 2075 (and below) on Android Devices. This allows the attacker, with access to the android device, to potentially retrieve users\u0027 clear text authentication credentials.",
"id": "GHSA-cj4v-24xq-mcm6",
"modified": "2025-06-17T21:31:34Z",
"published": "2024-01-03T21:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5879"
},
{
"type": "WEB",
"url": "https://www.rapid7.com/blog/post/2024/01/03/genie-aladdin-connect-retrofit-garage-door-opener-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.