CWE-311
Missing Encryption of Sensitive Data
The product does not encrypt sensitive or critical information before storage or transmission.
CVE-2017-9632 (GCVE-0-2017-9632)
Vulnerability from cvelistv5 – Published: 2017-08-07 08:00 – Updated: 2024-08-05 17:11
VLAI
Summary
A Missing Encryption of Sensitive Data issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions, ProTouch Tandem, all versions, ProTouch ICON, all versions, and ProTouch AutoGloss, all versions. The username and password are transmitted insecurely.
Severity
No CVSS data available.
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-17-208-03 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch |
Affected:
PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch
|
Date Public
2017-08-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:11:02.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-208-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch"
}
]
}
],
"datePublic": "2017-08-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A Missing Encryption of Sensitive Data issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions, ProTouch Tandem, all versions, ProTouch ICON, all versions, and ProTouch AutoGloss, all versions. The username and password are transmitted insecurely."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-07T07:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-208-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2017-9632",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch",
"version": {
"version_data": [
{
"version_value": "PDQ Manufacturing, Inc. LaserWash, Laser Jet and ProTouch"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Missing Encryption of Sensitive Data issue was discovered in PDQ Manufacturing LaserWash G5 and G5 S Series all versions, LaserWash M5, all versions, LaserWash 360 and 360 Plus, all versions, LaserWash AutoXpress and AutoExpress Plus, all versions, LaserJet, all versions, ProTouch Tandem, all versions, ProTouch ICON, all versions, and ProTouch AutoGloss, all versions. The username and password are transmitted insecurely."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-311"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-208-03",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-208-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2017-9632",
"datePublished": "2017-08-07T08:00:00.000Z",
"dateReserved": "2017-06-14T00:00:00.000Z",
"dateUpdated": "2024-08-05T17:11:02.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-16879 (GCVE-0-2018-16879)
Vulnerability from cvelistv5 – Published: 2019-01-03 14:00 – Updated: 2024-08-05 10:32
VLAI
Summary
Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. This could lead in data leak of sensitive information such as passwords as well as denial of service attacks by deleting projects or inventory files.
Severity
7.3 (High)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/106310 | vdb-entryx_refsource_BID |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
Date Public
2018-12-20 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:32:54.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106310",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106310"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16879"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Tower",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "3.3.3"
}
]
}
],
"datePublic": "2018-12-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. This could lead in data leak of sensitive information such as passwords as well as denial of service attacks by deleting projects or inventory files."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-04T18:00:57.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "106310",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106310"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16879"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-16879",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Tower",
"version": {
"version_data": [
{
"version_value": "3.3.3"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. This could lead in data leak of sensitive information such as passwords as well as denial of service attacks by deleting projects or inventory files."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "7.3/CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-311"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106310",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106310"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16879",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16879"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2018-16879",
"datePublished": "2019-01-03T14:00:00.000Z",
"dateReserved": "2018-09-11T00:00:00.000Z",
"dateUpdated": "2024-08-05T10:32:54.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-17915 (GCVE-0-2018-17915)
Vulnerability from cvelistv5 – Published: 2018-10-10 15:00 – Updated: 2024-09-16 22:56
VLAI
Summary
All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or impersonate the update server with malicious update code.
Severity
No CVSS data available.
CWE
- CWE-311 - MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSA-18-282-06 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hangzhou Xiongmai Technology Co., Ltd | XMeye P2P Cloud Server |
Affected:
All versions
|
Date Public
2018-10-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:01:14.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-282-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "XMeye P2P Cloud Server",
"vendor": "Hangzhou Xiongmai Technology Co., Ltd",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"datePublic": "2018-10-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or impersonate the update server with malicious update code."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "MISSING ENCRYPTION OF SENSITIVE DATA CWE-311",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-10T14:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-282-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-10-09T00:00:00",
"ID": "CVE-2018-17915",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "XMeye P2P Cloud Server",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "Hangzhou Xiongmai Technology Co., Ltd"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or impersonate the update server with malicious update code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "MISSING ENCRYPTION OF SENSITIVE DATA CWE-311"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-282-06",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-282-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-17915",
"datePublished": "2018-10-10T15:00:00.000Z",
"dateReserved": "2018-10-02T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:56:29.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-18984 (GCVE-0-2018-18984)
Vulnerability from cvelistv5 – Published: 2018-12-14 15:00 – Updated: 2025-05-22 16:40
VLAI
Title
Medtronic 9790, 2090 CareLink, and 29901 Encore Programmers Missing Encryption of Sensitive Data
Summary
Medtronic CareLink and Encore Programmers
do not encrypt or do not sufficiently encrypt sensitive
PII and PHI information while at rest .
Severity
4.6 (Medium)
CWE
- CWE-311 - Missing Encryption of Sensitive Data
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Medtronic | CareLink 9790 Programmer |
Affected:
All versions
|
|
| Medtronic | CareLink 2090 Programmer |
Affected:
All versions
|
|
| Medtronic | 29901 Encore Programmer |
Affected:
All versions
|
Date Public
2018-12-14 07:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:23:08.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106215",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106215"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-347-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CareLink 9790 Programmer",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CareLink 2090 Programmer",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "29901 Encore Programmer",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Researchers Billy Rios and Jonathan Butts of Whitescope LLC reported this vulnerability"
}
],
"datePublic": "2018-12-14T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMedtronic CareLink and Encore Programmers\u003c/span\u003e\n\n do not encrypt or do not sufficiently encrypt sensitive \nPII and PHI information while at rest .\u003c/p\u003e"
}
],
"value": "Medtronic CareLink and Encore Programmers\n\n do not encrypt or do not sufficiently encrypt sensitive \nPII and PHI information while at rest ."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311 Missing Encryption of Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T16:40:53.366Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "106215",
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/carelink-9790-2090-29901.html"
},
{
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-347-01"
},
{
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/106215"
}
],
"source": {
"advisory": "ICSMA-18-347-01",
"discovery": "EXTERNAL"
},
"title": "Medtronic 9790, 2090 CareLink, and 29901 Encore Programmers Missing Encryption of Sensitive Data",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe CareLink 9790 Programmer has been placed into end-of-life status and is no longer supported by Medtronic. Medtronic recommends users no longer use the 9790 for any purpose.\u003c/p\u003e\u003cp\u003eThe CareLink 2090 and 29901 Encore programmers store PHI and PII as part of their normal operating procedure. Medtronic recommends that when devices are storing PHI/PII it should be retained on these programmers for the least amount of time necessary, and should be handled, managed and secured in a manner consistent with the applicable laws for patient data privacy. Please contact a Medtronic representative for proper disposal and PHI/PII retention setting instructions.\u003c/p\u003e\u003cp\u003eAll affected programmers allow for the manual deletion of programmer-generated reports, which could contain PHI/PII. Medtronic recommends users delete these reports when no longer needed and prior to any disposition of the programmer.\u003c/p\u003e\u003cp\u003eMedtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, hospitals and clinicians should:\u003c/p\u003e\u003cul\u003e\u003cli\u003eMaintain strict physical control of the programmer.\u003c/li\u003e\u003cli\u003eUse only legitimately obtained programmers and not ones provided by any third party.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eProper disposal of these programmers and the associated electronic media storing data is critical for the continued protection of any PHI and PII residing on the programmer.\u003c/p\u003e\u003cp\u003eMedtronic has released a security bulletin related to this advisory that is available, with contact information, at the following location:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e"
}
],
"value": "The CareLink 9790 Programmer has been placed into end-of-life status and is no longer supported by Medtronic. Medtronic recommends users no longer use the 9790 for any purpose.\n\nThe CareLink 2090 and 29901 Encore programmers store PHI and PII as part of their normal operating procedure. Medtronic recommends that when devices are storing PHI/PII it should be retained on these programmers for the least amount of time necessary, and should be handled, managed and secured in a manner consistent with the applicable laws for patient data privacy. Please contact a Medtronic representative for proper disposal and PHI/PII retention setting instructions.\n\nAll affected programmers allow for the manual deletion of programmer-generated reports, which could contain PHI/PII. Medtronic recommends users delete these reports when no longer needed and prior to any disposition of the programmer.\n\nMedtronic recommends users take additional defensive measures to minimize the risk of exploitation. Specifically, hospitals and clinicians should:\n\n * Maintain strict physical control of the programmer.\n * Use only legitimately obtained programmers and not ones provided by any third party.\n\n\nProper disposal of these programmers and the associated electronic media storing data is critical for the continued protection of any PHI and PII residing on the programmer.\n\nMedtronic has released a security bulletin related to this advisory that is available, with contact information, at the following location:\n\n https://www.medtronic.com/security"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2018-18984",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "MISSING ENCRPTION OF SENSITIVE DATA CWE-311"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106215",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106215"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-347-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-347-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-18984",
"datePublished": "2018-12-14T15:00:00.000Z",
"dateReserved": "2018-11-06T00:00:00.000Z",
"dateUpdated": "2025-05-22T16:40:53.366Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19944 (GCVE-0-2018-19944)
Vulnerability from cvelistv5 – Published: 2020-12-31 16:33 – Updated: 2024-09-17 02:11
VLAI
Title
Cleartext Transmission of Sensitive Information in SNMP
Summary
A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following versions: QTS 4.4.3.1354 build 20200702 (and later)
Severity
No CVSS data available.
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.qnap.com/zh-tw/security-advisory/qsa-20-22 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| QNAP Systems Inc. | QTS |
Affected:
unspecified , < 4.4.3.1354
(custom)
|
Date Public
2020-12-30 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:51:17.673Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-22"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"build 20200702"
],
"product": "QTS",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.4.3.1354",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Independent Security Evaluators"
}
],
"datePublic": "2020-12-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following versions: QTS 4.4.3.1354 build 20200702 (and later)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311 Missing Encryption of Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-31T16:33:27.000Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-22"
}
],
"solutions": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\nQTS 4.4.3.1354 build 20200702 (and later)"
}
],
"source": {
"advisory": "QSA-20-22",
"discovery": "EXTERNAL"
},
"title": "Cleartext Transmission of Sensitive Information in SNMP",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@qnap.com",
"DATE_PUBLIC": "2020-12-30T02:55:00.000Z",
"ID": "CVE-2018-19944",
"STATE": "PUBLIC",
"TITLE": "Cleartext Transmission of Sensitive Information in SNMP"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "QTS",
"version": {
"version_data": [
{
"platform": "build 20200702",
"version_affected": "\u003c",
"version_value": "4.4.3.1354"
}
]
}
}
]
},
"vendor_name": "QNAP Systems Inc."
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Independent Security Evaluators"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cleartext transmission of sensitive information vulnerability has been reported to affect certain QTS devices. If exploited, this vulnerability allows a remote attacker to gain access to sensitive information. QNAP have already fixed this vulnerability in the following versions: QTS 4.4.3.1354 build 20200702 (and later)"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-311 Missing Encryption of Sensitive Data"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-319 Cleartext Transmission of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-22",
"refsource": "MISC",
"url": "https://www.qnap.com/zh-tw/security-advisory/qsa-20-22"
}
]
},
"solution": [
{
"lang": "en",
"value": "QNAP have already fixed this vulnerability in the following versions:\nQTS 4.4.3.1354 build 20200702 (and later)"
}
],
"source": {
"advisory": "QSA-20-22",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2018-19944",
"datePublished": "2020-12-31T16:33:27.820Z",
"dateReserved": "2018-12-07T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:11:00.534Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-4855 (GCVE-0-2018-4855)
Vulnerability from cvelistv5 – Published: 2018-07-03 14:00 – Updated: 2024-09-17 03:08
VLAI
Summary
A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). Unencrypted storage of passwords in the client configuration files and during network transmission could allow an attacker in a privileged position to obtain access passwords.
Severity
No CVSS data available.
CWE
- CWE-311 - Missing Encryption of Sensitive Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/104672 | vdb-entryx_refsource_BID |
| https://cert-portal.siemens.com/productcert/pdf/s… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens AG | SICLOCK TC100, SICLOCK TC400 |
Affected:
SICLOCK TC100 : All versions
Affected: SICLOCK TC400 : All versions |
Date Public
2018-07-03 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T05:18:26.644Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "104672",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104672"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SICLOCK TC100, SICLOCK TC400",
"vendor": "Siemens AG",
"versions": [
{
"status": "affected",
"version": "SICLOCK TC100 : All versions"
},
{
"status": "affected",
"version": "SICLOCK TC400 : All versions"
}
]
}
],
"datePublic": "2018-07-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). Unencrypted storage of passwords in the client configuration files and during network transmission could allow an attacker in a privileged position to obtain access passwords."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311: Missing Encryption of Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-06T09:57:01.000Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"name": "104672",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104672"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"DATE_PUBLIC": "2018-07-03T00:00:00",
"ID": "CVE-2018-4855",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SICLOCK TC100, SICLOCK TC400",
"version": {
"version_data": [
{
"version_value": "SICLOCK TC100 : All versions"
},
{
"version_value": "SICLOCK TC400 : All versions"
}
]
}
}
]
},
"vendor_name": "Siemens AG"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in SICLOCK TC100 (All versions) and SICLOCK TC400 (All versions). Unencrypted storage of passwords in the client configuration files and during network transmission could allow an attacker in a privileged position to obtain access passwords."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-311: Missing Encryption of Sensitive Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104672",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104672"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2018-4855",
"datePublished": "2018-07-03T14:00:00.000Z",
"dateReserved": "2018-01-02T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:08:21.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7498 (GCVE-0-2018-7498)
Vulnerability from cvelistv5 – Published: 2018-03-28 17:00 – Updated: 2024-09-16 22:55
VLAI
Summary
In Philips Alice 6 System version R8.0.2 or prior, the lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys.
Severity
No CVSS data available.
CWE
- CWE-311 - MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://ics-cert.us-cert.gov/advisories/ICSMA-18-086-01 | x_refsource_MISC |
| http://www.securityfocus.com/bid/103537 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Philips | Philips Alice 6 System |
Affected:
Version R8.0.2 or prior.
|
Date Public
2018-03-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:31:04.390Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-086-01"
},
{
"name": "103537",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103537"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Philips Alice 6 System",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "Version R8.0.2 or prior."
}
]
}
],
"datePublic": "2018-03-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Philips Alice 6 System version R8.0.2 or prior, the lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "MISSING ENCRYPTION OF SENSITIVE DATA CWE-311",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-30T09:57:02.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-086-01"
},
{
"name": "103537",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103537"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-03-27T00:00:00",
"ID": "CVE-2018-7498",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Philips Alice 6 System",
"version": {
"version_data": [
{
"version_value": "Version R8.0.2 or prior."
}
]
}
}
]
},
"vendor_name": "Philips"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Philips Alice 6 System version R8.0.2 or prior, the lack of proper data encryption passes up the guarantees of confidentiality, integrity, and accountability that properly implemented encryption conveys."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "MISSING ENCRYPTION OF SENSITIVE DATA CWE-311"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-086-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-086-01"
},
{
"name": "103537",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103537"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-7498",
"datePublished": "2018-03-28T17:00:00.000Z",
"dateReserved": "2018-02-26T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:55:54.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8849 (GCVE-0-2018-8849)
Vulnerability from cvelistv5 – Published: 2018-05-18 13:00 – Updated: 2025-06-27 16:24
VLAI
Title
Medtronic N'Vision Clinician Programmer Missing Encryption of Sensitive Data
Summary
Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest.
Severity
4.6 (Medium)
CWE
- CWE-311 - MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/104213 | vdb-entryx_refsource_BID |
| https://www.cisa.gov/news-events/ics-medical-advi… | x_refsource_MISC |
| http://www.medtronic.com/content/dam/medtronic-co… | x_refsource_CONFIRM |
| https://www.medtronic.com/security | |
| https://ics-cert.us-cert.gov/advisories/ICSMA-18-137-01 | x_refsource_MISCx_transferred |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Medtronic | N'Vision Clinician Programmer |
Affected:
all versions
|
|
| Medtronic | 8870 N’Vision removable Application Card |
Affected:
all versions
|
Date Public
2018-05-17 06:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:10:45.899Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "104213",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104213"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-137-01"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic-NVision-8840_Security-Bulletin_FINAL.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "N\u0027Vision Clinician Programmer",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "8870 N\u2019Vision removable Application Card",
"vendor": "Medtronic",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Billy Rios and Jonathan Butts of Whitescope LLC reported these vulnerabilities to CISA."
}
],
"datePublic": "2018-05-17T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMedtronic N\u0027Vision Clinician Programmer 8840 N\u0027Vision Clinician Programme and 8870 N\u0027Vision removable Application Card do not encrypt PII and PHI while at rest.\u003c/p\u003e"
}
],
"value": "Medtronic N\u0027Vision Clinician Programmer 8840 N\u0027Vision Clinician Programme and 8870 N\u0027Vision removable Application Card do not encrypt PII and PHI while at rest."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "MISSING ENCRYPTION OF SENSITIVE DATA CWE-311",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-27T16:24:54.910Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "104213",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104213"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-137-01"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic-NVision-8840_Security-Bulletin_FINAL.pdf"
},
{
"url": "https://www.medtronic.com/security"
}
],
"source": {
"advisory": "ICSMA-18-137-01",
"discovery": "EXTERNAL"
},
"title": "Medtronic N\u0027Vision Clinician Programmer Missing Encryption of Sensitive Data",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMedtronic has not developed a product update to address the \nvulnerabilities, but is reinforcing security reminders within this \nadvisory to help reduce the risk associated with the vulnerabilities.\u003c/p\u003e\n\u003cp\u003eThe 8870 Therapy Application card stores PHI and PII as part of its \nnormal operating procedure and should be handled, managed and secured in\n a manner consistent with the applicable laws for patient data privacy.\u003c/p\u003e\n\u003cp\u003eMedtronic recommends users take additional defensive measures to \nminimize the risk of exploitation of these vulnerabilities. \nSpecifically, hospitals and clinicians should:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eMaintain strict physical control of the 8870 application card.\u003c/li\u003e\n\u003cli\u003eUse only legitimately obtained 8870 cards and not cards provided by \nany third party as firmware and system updates are provided directly by \nMedtronic using new 8870 application cards.\u003c/li\u003e\n\u003cli\u003e8840 Programmers and 8870 Therapy Application compact flash cards \nare the property of Medtronic and should be returned to Medtronic when \nno longer in use. If that is not an option, you should securely dispose \nof them.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eMedtronic has released additional patient focused information, at the following location:\u003c/p\u003e\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.medtronic.com/security\"\u003ehttps://www.medtronic.com/security\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Medtronic has not developed a product update to address the \nvulnerabilities, but is reinforcing security reminders within this \nadvisory to help reduce the risk associated with the vulnerabilities.\n\n\nThe 8870 Therapy Application card stores PHI and PII as part of its \nnormal operating procedure and should be handled, managed and secured in\n a manner consistent with the applicable laws for patient data privacy.\n\n\nMedtronic recommends users take additional defensive measures to \nminimize the risk of exploitation of these vulnerabilities. \nSpecifically, hospitals and clinicians should:\n\n\n\n * Maintain strict physical control of the 8870 application card.\n\n * Use only legitimately obtained 8870 cards and not cards provided by \nany third party as firmware and system updates are provided directly by \nMedtronic using new 8870 application cards.\n\n * 8840 Programmers and 8870 Therapy Application compact flash cards \nare the property of Medtronic and should be returned to Medtronic when \nno longer in use. If that is not an option, you should securely dispose \nof them.\n\n\n\n\nMedtronic has released additional patient focused information, at the following location:\n\n\n https://www.medtronic.com/security"
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-05-17T00:00:00",
"ID": "CVE-2018-8849",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "N\u0027Vision Clinician Programmer",
"version": {
"version_data": [
{
"version_value": "8840 N\u0027Vision Clinician Programmer, all versions"
},
{
"version_value": "8870 N\u0027Vision removable Application Card, all versions"
}
]
}
}
]
},
"vendor_name": "Medtronic"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Medtronic N\u0027Vision Clinician Programmer 8840 N\u0027Vision Clinician Programmer, all versions, and 8870 N\u0027Vision removable Application Card, all versions does not encrypt PII and PHI while at rest."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "MISSING ENCRYPTION OF SENSITIVE DATA CWE-311"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104213",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104213"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-137-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-137-01"
},
{
"name": "http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic-NVision-8840_Security-Bulletin_FINAL.pdf",
"refsource": "CONFIRM",
"url": "http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic-NVision-8840_Security-Bulletin_FINAL.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-8849",
"datePublished": "2018-05-18T13:00:00.000Z",
"dateReserved": "2018-03-20T00:00:00.000Z",
"dateUpdated": "2025-06-27T16:24:54.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8864 (GCVE-0-2018-8864)
Vulnerability from cvelistv5 – Published: 2018-05-25 16:00 – Updated: 2024-09-16 21:57
VLAI
Summary
In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, a missing encryption of sensitive data vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms.
Severity
No CVSS data available.
CWE
- CWE-311 - MISSING ENCRYPTION OF SENSITIVE DATA CWE-311
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/103721 | vdb-entryx_refsource_BID |
| https://ics-cert.us-cert.gov/advisories/ICSA-18-100-01 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Acoustic Technology, Inc. (ATI Systems) | ATI Emergency Mass Notification Systems |
Affected:
The following ATI's Emergency Mass Notification Systems devices are affected: HPSS16, HPSS32, MHPSS, and ALERT4000.
|
Date Public
2018-04-10 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:10:46.245Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103721",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103721"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-100-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ATI Emergency Mass Notification Systems",
"vendor": "Acoustic Technology, Inc. (ATI Systems)",
"versions": [
{
"status": "affected",
"version": "The following ATI\u0027s Emergency Mass Notification Systems devices are affected: HPSS16, HPSS32, MHPSS, and ALERT4000."
}
]
}
],
"datePublic": "2018-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, a missing encryption of sensitive data vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "MISSING ENCRYPTION OF SENSITIVE DATA CWE-311",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-26T09:57:01.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"name": "103721",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103721"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-100-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2018-04-10T00:00:00",
"ID": "CVE-2018-8864",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ATI Emergency Mass Notification Systems",
"version": {
"version_data": [
{
"version_value": "The following ATI\u0027s Emergency Mass Notification Systems devices are affected: HPSS16, HPSS32, MHPSS, and ALERT4000."
}
]
}
}
]
},
"vendor_name": "Acoustic Technology, Inc. (ATI Systems)"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, a missing encryption of sensitive data vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "MISSING ENCRYPTION OF SENSITIVE DATA CWE-311"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103721",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103721"
},
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-18-100-01",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-100-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2018-8864",
"datePublished": "2018-05-25T16:00:00.000Z",
"dateReserved": "2018-03-20T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:57:32.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-13418 (GCVE-0-2019-13418)
Vulnerability from cvelistv5 – Published: 2019-08-12 21:12 – Updated: 2024-08-04 23:49
VLAI
Summary
Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized.
Severity
No CVSS data available.
CWE
- CWE-311 - Missing Encryption of Sensitive Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://search-guard.com/cve-advisory/ | x_refsource_MISC |
| https://docs.search-guard.com/6.x-25/changelog-se… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| floragunn | Search Guard |
Affected:
unspecified , < 24.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:49:24.950Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://search-guard.com/cve-advisory/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Search Guard",
"vendor": "floragunn",
"versions": [
{
"lessThan": "24.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-311",
"description": "CWE-311: Missing Encryption of Sensitive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-12T21:12:11.000Z",
"orgId": "9f311a02-c44f-4938-8530-9219246b8255",
"shortName": "floragunn"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://search-guard.com/cve-advisory/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_0"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@search-guard.com",
"ID": "CVE-2019-13418",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Search Guard",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "24.0"
}
]
}
}
]
},
"vendor_name": "floragunn"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Search Guard versions before 24.0 had an issue that values of string arrays in documents are not properly anonymized."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-311: Missing Encryption of Sensitive Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search-guard.com/cve-advisory/",
"refsource": "MISC",
"url": "https://search-guard.com/cve-advisory/"
},
{
"name": "https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_0",
"refsource": "CONFIRM",
"url": "https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_0"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9f311a02-c44f-4938-8530-9219246b8255",
"assignerShortName": "floragunn",
"cveId": "CVE-2019-13418",
"datePublished": "2019-08-12T21:12:11.000Z",
"dateReserved": "2019-07-08T00:00:00.000Z",
"dateUpdated": "2024-08-04T23:49:24.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Requirements
Description:
- Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that encryption is properly integrated into the system design, including but not necessarily limited to:
- Identify the separate needs and contexts for encryption:
- Using threat modeling or other techniques, assume that data can be compromised through a separate vulnerability or weakness, and determine where encryption will be most effective. Ensure that data that should be private is not being inadvertently exposed using weaknesses such as insecure permissions (CWE-732). [REF-7]
- {'xhtml:li': ['Encryption that is needed to store or transmit private data of the users of the system', 'Encryption that is needed to protect the system itself from unauthorized disclosure or tampering']}
- {'xhtml:li': ['One-way (i.e., only the user or recipient needs to have the key). This can be achieved using public key cryptography, or other techniques in which the encrypting party (i.e., the product) does not need to have access to a private key.', 'Two-way (i.e., the encryption can be automatically performed on behalf of a user, but the key must be available so that the plaintext can be automatically recoverable by that user). This requires storage of the private key in a format that is recoverable only by the user (or perhaps by the operating system) in a way that cannot be recovered by others.']}
Mitigation ID: MIT-24
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis.
- For example, US government systems require FIPS 140-2 certification.
- Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak.
- Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267]
Mitigation ID: MIT-46
Phase: Architecture and Design
Strategy: Separation of Privilege
Description:
- Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
- Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
Mitigation ID: MIT-25
Phases: Implementation, Architecture and Design
Description:
- When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
Mitigation ID: MIT-33
Phase: Implementation
Strategy: Attack Surface Reduction
Description:
- Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
CAPEC-157: Sniffing Attacks
In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves.
CAPEC-158: Sniffing Network Traffic
In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.
CAPEC-204: Lifting Sensitive Data Embedded in Cache
An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
CAPEC-383: Harvesting Information via API Event Monitoring
An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.
CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.
CAPEC-385: Transaction or Event Tampering via Application API Manipulation
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.
CAPEC-386: Application API Navigation Remapping
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.
CAPEC-387: Navigation Remapping To Propagate Malicious Content
An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.
CAPEC-388: Application API Button Hijacking
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.
CAPEC-477: Signature Spoofing by Mixing Signed and Unsigned Content
An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.
CAPEC-609: Cellular Traffic Intercept
Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted.
CAPEC-65: Sniff Application Code
An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.