CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-XH6M-7CR7-XX66
Vulnerability from github – Published: 2024-02-27 21:54 – Updated: 2025-05-30 12:36Impact
In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster.
Patches
Fix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1
Workarounds
There is no known workaround.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.hazelcast:hazelcast"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.hazelcast:hazelcast"
},
"ranges": [
{
"events": [
{
"introduced": "4.2"
},
{
"last_affected": "4.2.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.hazelcast:hazelcast"
},
"ranges": [
{
"events": [
{
"introduced": "5.0"
},
{
"last_affected": "5.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.hazelcast:hazelcast"
},
"ranges": [
{
"events": [
{
"introduced": "5.1"
},
{
"last_affected": "5.1.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.2.4"
},
"package": {
"ecosystem": "Maven",
"name": "com.hazelcast:hazelcast"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "5.2.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.hazelcast:hazelcast"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.3.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.hazelcast:hazelcast-all"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.hazelcast:hazelcast-all"
},
"ranges": [
{
"events": [
{
"introduced": "4.2"
},
{
"last_affected": "4.2.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-45859"
],
"database_specific": {
"cwe_ids": [
"CWE-281",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-27T21:54:15Z",
"nvd_published_at": "2024-02-28T22:15:26Z",
"severity": "HIGH"
},
"details": "### Impact\nIn Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don\u0027t check permissions properly, allowing authenticated users to access data stored in the cluster.\n\n### Patches\nFix versions: 5.2.5, 5.3.5, 5.4.0-BETA-1\n\n### Workarounds\nThere is no known workaround.",
"id": "GHSA-xh6m-7cr7-xx66",
"modified": "2025-05-30T12:36:04Z",
"published": "2024-02-27T21:54:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-xh6m-7cr7-xx66"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45859"
},
{
"type": "WEB",
"url": "https://github.com/hazelcast/hazelcast/pull/25509"
},
{
"type": "PACKAGE",
"url": "https://github.com/hazelcast/hazelcast"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Missing permission checks on Hazelcast client protocol"
}
GHSA-XH6M-FR4R-MQJ3
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32This issue was addressed with improved redaction of sensitive information. This issue is fixed in iPadOS 17.7.4, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3. An app may be able to fingerprint the user.
{
"affected": [],
"aliases": [
"CVE-2025-24117"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:16Z",
"severity": "MODERATE"
},
"details": "This issue was addressed with improved redaction of sensitive information. This issue is fixed in iPadOS 17.7.4, visionOS 2.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3. An app may be able to fingerprint the user.",
"id": "GHSA-xh6m-fr4r-mqj3",
"modified": "2025-11-03T21:32:24Z",
"published": "2025-01-28T00:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24117"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122066"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122067"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122068"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122071"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122073"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/14"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/15"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XQJ3-24QW-FG69
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information.
{
"affected": [],
"aliases": [
"CVE-2019-19562"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-16T00:15:00Z",
"severity": "MODERATE"
},
"details": "An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information.",
"id": "GHSA-xqj3-24qw-fg69",
"modified": "2022-05-24T17:34:15Z",
"published": "2022-05-24T17:34:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19562"
},
{
"type": "WEB",
"url": "https://media.daimler.com/marsMediaSite/en/instance/ko/Mercedes-Benz-and-360-Group-to-join-forces-Mercedes-Benz-and-360-Group-with-its-Cyber-Security-Brain-work-together-to-strengthen-car-IT-security-for-industry.xhtml?oid=45208829"
},
{
"type": "WEB",
"url": "https://skygo.360.cn/archive/Security-Research-Report-on-Mercedes-Benz-Cars-en.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XRJ7-X7GP-WWQR
Vulnerability from github – Published: 2024-02-09 18:31 – Updated: 2024-08-19 20:48Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. This issue affects Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.
Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter.
When original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides.
An attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information, then send a streaming expression using the mock server's address in "zkHost".
Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions.
Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.
From these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-solrj-streaming"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-solrj-streaming"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "8.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-solrj"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-solrj"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "8.11.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50298"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-09T20:57:43Z",
"nvd_published_at": "2024-02-09T18:15:08Z",
"severity": "MODERATE"
},
"details": "Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. This issue affects Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.\n\nSolr Streaming Expressions allows users to extract data from other Solr Clouds, using a \"zkHost\" parameter.\n\nWhen original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever \"zkHost\" the user provides.\n\nAn attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information, then send a streaming expression using the mock server\u0027s address in \"zkHost\".\n\nStreaming Expressions are exposed via the \"/streaming\" handler, with \"read\" permissions.\n\nUsers are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.\n\nFrom these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.",
"id": "GHSA-xrj7-x7gp-wwqr",
"modified": "2024-08-19T20:48:46Z",
"published": "2024-02-09T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50298"
},
{
"type": "WEB",
"url": "https://github.com/apache/lucene-solr/commit/61c956c426b2cfb85ccef55d1afca4335eacd269"
},
{
"type": "WEB",
"url": "https://github.com/apache/solr/commit/e2bf1f434aad873fbb24c21d46ac00e888806d98"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/solr"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/SOLR-17098"
},
{
"type": "WEB",
"url": "https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/09/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/09/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Apache Solr\u0027s Streaming Expressions allow users to extract data from other Solr Clouds"
}
GHSA-XRPR-8XPG-CF34
Vulnerability from github – Published: 2024-04-01 03:30 – Updated: 2024-10-30 21:30In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541757; Issue ID: ALPS08541757.
{
"affected": [],
"aliases": [
"CVE-2024-20050"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-01T03:15:08Z",
"severity": "MODERATE"
},
"details": "In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541757; Issue ID: ALPS08541757.",
"id": "GHSA-xrpr-8xpg-cf34",
"modified": "2024-10-30T21:30:37Z",
"published": "2024-04-01T03:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20050"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XXCM-4V4P-F9RR
Vulnerability from github – Published: 2025-07-31 21:31 – Updated: 2025-07-31 21:31A vulnerability was discovered in the storage policy for certain sets of sensitive credential information in the HPE Telco Network Function Virtual Orchestrator. Successful Exploitation could lead to unauthorized parties gaining access to sensitive system information.
{
"affected": [],
"aliases": [
"CVE-2025-37110"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-31T20:15:32Z",
"severity": "MODERATE"
},
"details": "A vulnerability was discovered in the storage policy for certain sets of sensitive credential information in the HPE Telco Network Function Virtual Orchestrator. Successful Exploitation could lead to unauthorized parties gaining access to sensitive system information.",
"id": "GHSA-xxcm-4v4p-f9rr",
"modified": "2025-07-31T21:31:54Z",
"published": "2025-07-31T21:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37110"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04891en_us"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XXWQ-5H7X-MM4X
Vulnerability from github – Published: 2024-07-19 12:31 – Updated: 2024-07-19 12:31A vulnerability in Zowe CLI allows local, privileged actors to display securely stored properties in cleartext within a terminal using the '--show-inputs-only' flag.
{
"affected": [],
"aliases": [
"CVE-2024-6916"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-19T11:15:04Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Zowe CLI allows local, privileged actors to display securely stored properties in cleartext within a terminal using the \u0027--show-inputs-only\u0027 flag.",
"id": "GHSA-xxwq-5h7x-mm4x",
"modified": "2024-07-19T12:31:28Z",
"published": "2024-07-19T12:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6916"
},
{
"type": "WEB",
"url": "https://github.com/zowe/zowe-cli/packages/imperative"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.