CWE-256
Plaintext Storage of a Password
The product stores a password in plaintext within resources such as memory or files.
CVE-2024-28782 (GCVE-0-2024-28782)
Vulnerability from cvelistv5
Published
2024-04-03 12:00
Modified
2025-08-27 15:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
IBM QRadar Suite Software 1.10.12.0 through 1.10.18.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 285698.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7145683 | vendor-advisory | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/285698 | vdb-entry |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | IBM | QRadar Suite Software |
Version: 1.10.12.0 ≤ 1.10.18.0 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T20:12:03.761443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T15:49:06.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:56:58.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.ibm.com/support/pages/node/7145683"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/285698"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QRadar Suite Software",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.10.18.0",
"status": "affected",
"version": "1.10.12.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cloud Pak for Security",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.10.11.0",
"status": "affected",
"version": "1.10.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM QRadar Suite Software 1.10.12.0 through 1.10.18.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 285698."
}
],
"value": "IBM QRadar Suite Software 1.10.12.0 through 1.10.18.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 285698."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-03T12:00:55.863Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.ibm.com/support/pages/node/7145683"
},
{
"tags": [
"vdb-entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/285698"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM QRadar Suite Software information disclosure",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-28782",
"datePublished": "2024-04-03T12:00:55.863Z",
"dateReserved": "2024-03-10T12:23:24.002Z",
"dateUpdated": "2025-08-27T15:49:06.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3622 (GCVE-0-2024-3622)
Vulnerability from cvelistv5
Published
2024-04-25 17:46
Modified
2025-08-27 12:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
A flaw was found when using mirror-registry to install Quay. It uses a default secret, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same secret key. This flaw allows a malicious actor to craft session cookies and as a consequence, it may lead to gaining access to the affected Quay instance.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-3622 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2274400 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | |||||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-13T20:17:28.802624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-13T20:17:47.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:19:58.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3622"
},
{
"name": "RHBZ#2274400",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274400"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/quay/mirror-registry",
"defaultStatus": "affected",
"packageName": "mirror-registry"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:mirror_registry:1"
],
"defaultStatus": "affected",
"packageName": "mirror-registry-container",
"product": "mirror registry for Red Hat OpenShift",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Solomon Roberts (BadgerOps.net works) for reporting this issue."
}
],
"datePublic": "2024-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found when using mirror-registry to install Quay. It uses a default secret, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same secret key. This flaw allows a malicious actor to craft session cookies and as a consequence, it may lead to gaining access to the affected Quay instance."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T12:23:20.704Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3622"
},
{
"name": "RHBZ#2274400",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274400"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-10T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-04-10T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Mirror-registry: plain-text default csrf secret key",
"x_redhatCweChain": "CWE-256: Plaintext Storage of a Password"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-3622",
"datePublished": "2024-04-25T17:46:29.152Z",
"dateReserved": "2024-04-10T18:02:57.781Z",
"dateUpdated": "2025-08-27T12:23:20.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3623 (GCVE-0-2024-3623)
Vulnerability from cvelistv5
Published
2024-04-25 17:46
Modified
2025-08-27 12:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
A flaw was found when using mirror-registry to install Quay. It uses a default database secret key, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same database secret key. This flaw allows a malicious actor to access sensitive information from Quay's database.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-3623 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2274404 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | |||||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3623",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-13T20:17:07.218125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-13T20:17:13.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:00.562Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3623"
},
{
"name": "RHBZ#2274404",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274404"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/quay/mirror-registry",
"defaultStatus": "affected",
"packageName": "mirror-registry"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:mirror_registry:1"
],
"defaultStatus": "affected",
"packageName": "mirror-registry-container",
"product": "mirror registry for Red Hat OpenShift",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Solomon Roberts (BadgerOps.net works) for reporting this issue."
}
],
"datePublic": "2024-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found when using mirror-registry to install Quay. It uses a default database secret key, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same database secret key. This flaw allows a malicious actor to access sensitive information from Quay\u0027s database."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T12:23:40.634Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3623"
},
{
"name": "RHBZ#2274404",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274404"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-10T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-04-10T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Mirror-registry: default database secret key stored in plain-text on initial configuration file",
"x_redhatCweChain": "CWE-256: Plaintext Storage of a Password"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-3623",
"datePublished": "2024-04-25T17:46:47.141Z",
"dateReserved": "2024-04-10T18:03:02.203Z",
"dateUpdated": "2025-08-27T12:23:40.634Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3624 (GCVE-0-2024-3624)
Vulnerability from cvelistv5
Published
2024-04-25 17:46
Modified
2025-08-30 10:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
A flaw was found in how Quay's database is stored in plain-text in mirror-registry on the jinja's config.yaml file. This flaw allows a malicious actor with access to this file to gain access to Quay's database.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-3624 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2274407 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | |||||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-25T19:07:33.725829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:32:11.306Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:00.402Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3624"
},
{
"name": "RHBZ#2274407",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274407"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/quay/mirror-registry",
"defaultStatus": "affected",
"packageName": "mirror-registry"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:mirror_registry:1"
],
"defaultStatus": "affected",
"packageName": "mirror-registry-container",
"product": "mirror registry for Red Hat OpenShift",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Solomon Roberts (BadgerOps.net works) for reporting this issue."
}
],
"datePublic": "2024-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in how Quay\u0027s database is stored in plain-text in mirror-registry on the jinja\u0027s config.yaml file. This flaw allows a malicious actor with access to this file to gain access to Quay\u0027s database."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-30T10:28:12.426Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3624"
},
{
"name": "RHBZ#2274407",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274407"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-10T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-04-10T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Mirror-registry: database user and password stored in plain-text",
"x_redhatCweChain": "CWE-256: Plaintext Storage of a Password"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-3624",
"datePublished": "2024-04-25T17:46:52.447Z",
"dateReserved": "2024-04-10T18:03:04.115Z",
"dateUpdated": "2025-08-30T10:28:12.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3625 (GCVE-0-2024-3625)
Vulnerability from cvelistv5
Published
2024-04-25 17:46
Modified
2025-08-30 10:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
A flaw was found in Quay, where Quay's database is stored in plain text in mirror-registry on Jinja's config.yaml file. This issue leaves the possibility of a malicious actor with access to this file to gain access to Quay's Redis instance.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-3625 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2274408 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | |||||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-25T19:19:11.675831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T17:42:22.595Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:19:59.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3625"
},
{
"name": "RHBZ#2274408",
"tags": [
"issue-tracking",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274408"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/quay/mirror-registry",
"defaultStatus": "affected",
"packageName": "mirror-registry"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:mirror_registry:1"
],
"defaultStatus": "affected",
"packageName": "mirror-registry-container",
"product": "mirror registry for Red Hat OpenShift",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Solomon Roberts (BadgerOps.net works) for reporting this issue."
}
],
"datePublic": "2024-04-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Quay, where Quay\u0027s database is stored in plain text in mirror-registry on Jinja\u0027s config.yaml file. This issue leaves the possibility of a malicious actor with access to this file to gain access to Quay\u0027s Redis instance."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-30T10:28:31.252Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2024-3625"
},
{
"name": "RHBZ#2274408",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274408"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-10T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-04-10T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Mirror-registry: redis password stored in plain-text",
"x_redhatCweChain": "CWE-256: Plaintext Storage of a Password"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2024-3625",
"datePublished": "2024-04-25T17:46:52.179Z",
"dateReserved": "2024-04-10T18:03:06.061Z",
"dateUpdated": "2025-08-30T10:28:31.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43186 (GCVE-0-2024-43186)
Vulnerability from cvelistv5
Published
2025-03-28 23:49
Modified
2025-09-01 01:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information that is stored locally under certain conditions.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7184980 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | InfoSphere Information Server |
Version: 11.7 cpe:2.3:a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-31T14:23:03.458890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T14:39:27.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "InfoSphere Information Server",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information that is stored locally under certain conditions."
}
],
"value": "IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information that is stored locally under certain conditions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T01:00:28.126Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7184980"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM InfoSphere Information Server information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-43186",
"datePublished": "2025-03-28T23:49:20.873Z",
"dateReserved": "2024-08-07T13:29:34.028Z",
"dateUpdated": "2025-09-01T01:00:28.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45638 (GCVE-0-2024-45638)
Vulnerability from cvelistv5
Published
2025-03-14 14:49
Modified
2025-09-01 01:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
IBM Security QRadar 3.12 EDR stores user credentials in plain text which can be read by a local privileged user.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7185938 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | QRadar EDR |
Version: 3.12 cpe:2.3:a:ibm:security_qradar_edr:3.12:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T18:41:27.680123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T18:50:23.821Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:security_qradar_edr:3.12:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "QRadar EDR",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "3.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Security QRadar 3.12 EDR stores user credentials in plain text which can be read by a local privileged user."
}
],
"value": "IBM Security QRadar 3.12 EDR stores user credentials in plain text which can be read by a local privileged user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-01T01:05:22.574Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7185938"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM QRadar EDR information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45638",
"datePublished": "2025-03-14T14:49:52.646Z",
"dateReserved": "2024-09-03T13:50:17.059Z",
"dateUpdated": "2025-09-01T01:05:22.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5960 (GCVE-0-2024-5960)
Vulnerability from cvelistv5
Published
2024-09-18 14:49
Modified
2025-09-12 06:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of Known Domain Credentials.This issue affects Panel: before v2.3.24.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eliz Software | Panel |
Version: 0 < v2.3.24 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eliz_software:panel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "panel",
"vendor": "eliz_software",
"versions": [
{
"lessThan": "v2.3.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T18:17:26.727297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T18:17:37.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Panel",
"vendor": "Eliz Software",
"versions": [
{
"lessThan": "v2.3.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Serhat YAPICI"
}
],
"datePublic": "2024-09-18T08:53:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of Known Domain Credentials.\u003cp\u003eThis issue affects Panel: before v2.3.24.\u003c/p\u003e"
}
],
"value": "Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of Known Domain Credentials.This issue affects Panel: before v2.3.24."
}
],
"impacts": [
{
"capecId": "CAPEC-560",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-560 Use of Known Domain Credentials"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T06:35:39.722Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"url": "https://www.usom.gov.tr/bildirim/tr-24-1497"
}
],
"source": {
"advisory": "TR-24-1497",
"defect": [
"TR-24-1497"
],
"discovery": "UNKNOWN"
},
"title": "Plaintext Storage of a Password in Eliz Software\u0027s Panel",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2024-5960",
"datePublished": "2024-09-18T14:49:32.180Z",
"dateReserved": "2024-06-13T07:52:35.830Z",
"dateUpdated": "2025-09-12T06:35:39.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1709 (GCVE-0-2025-1709)
Vulnerability from cvelistv5
Published
2025-07-03 11:20
Modified
2025-07-03 13:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
Several credentials for the local PostgreSQL database are stored in plain text (partially base64 encoded).
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.endress.com | x_Endress+Hauser | |
| https://sick.com/psirt | x_SICK PSIRT Security Advisories | |
| https://www.cisa.gov/resources-tools/resources/ics-recommended-practices | x_ICS-CERT recommended practices on Industrial Security | |
| https://www.first.org/cvss/calculator/3.1 | x_CVSS v3.1 Calculator | |
| https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json | x_The canonical URL. | |
| https://sick.com/psirt | vendor-advisory | |
| https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf | vendor-advisory |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Endress+Hauser | Endress+Hauser MEAC300-FNADE4 |
Version: 0 < |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1709",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-03T12:59:53.849231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T13:17:00.475Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Endress+Hauser MEAC300-FNADE4",
"vendor": "Endress+Hauser",
"versions": [
{
"lessThanOrEqual": "\u003c=0.16.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "affected",
"product": "Endress+Hauser MEAC300-FNADE4",
"vendor": "Endress+Hauser",
"versions": [
{
"status": "unaffected",
"version": "\u003e=0.17.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSeveral credentials for the local PostgreSQL database are stored in plain text (partially base64 encoded).\u003c/p\u003e"
}
],
"value": "Several credentials for the local PostgreSQL database are stored in plain text (partially base64 encoded)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"environmentalScore": 6.5,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 6.5,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-03T11:20:20.793Z",
"orgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
"shortName": "SICK AG"
},
"references": [
{
"tags": [
"x_Endress+Hauser"
],
"url": "https://www.endress.com"
},
{
"tags": [
"x_SICK PSIRT Security Advisories"
],
"url": "https://sick.com/psirt"
},
{
"tags": [
"x_ICS-CERT recommended practices on Industrial Security"
],
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"tags": [
"x_CVSS v3.1 Calculator"
],
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"tags": [
"x_The canonical URL."
],
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://sick.com/psirt"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCustomers are strongly advised to update to the newest version.\u003c/p\u003e"
}
],
"value": "Customers are strongly advised to update to the newest version."
}
],
"source": {
"advisory": "SCA-2025-0008",
"discovery": "INTERNAL"
},
"title": "CVE-2025-1709",
"x_generator": {
"engine": "csaf2cve 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6863dd2-93fc-443d-bef1-79f0b5020988",
"assignerShortName": "SICK AG",
"cveId": "CVE-2025-1709",
"datePublished": "2025-07-03T11:20:20.793Z",
"dateReserved": "2025-02-26T08:40:04.800Z",
"dateUpdated": "2025-07-03T13:17:00.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-33079 (GCVE-0-2025-33079)
Vulnerability from cvelistv5
Published
2025-05-27 01:05
Modified
2025-08-26 15:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-256 - Plaintext Storage of a Password
Summary
IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.ibm.com/support/pages/node/7234720 | vendor-advisory, patch |
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | IBM | Controller |
Version: 11.1.0 cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:* |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-33079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T19:36:56.538109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T19:37:15.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:controller:11.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:controller:11.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.1.0"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Cognos Controller",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "11.0.0, 11.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code."
}
],
"value": "IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T15:03:51.764Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7234720"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "It is strongly recommended that you apply the most recent security updates:\u003cbr\u003e\u003cbr\u003eIBM Controller 11.1.0 FP4 from Fix Central\u003cbr\u003eIBM Cognos Controller 11.0.1 FP5 from Fix Central\u003cbr\u003e"
}
],
"value": "It is strongly recommended that you apply the most recent security updates:\n\nIBM Controller 11.1.0 FP4 from Fix Central\nIBM Cognos Controller 11.0.1 FP5 from Fix Central"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Controller information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-33079",
"datePublished": "2025-05-27T01:05:12.455Z",
"dateReserved": "2025-04-15T17:50:20.368Z",
"dateUpdated": "2025-08-26T15:03:51.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Avoid storing passwords in easily accessible locations.
Mitigation
Phase: Architecture and Design
Description:
- Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
Phases:
Description:
- A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.