CWE-219
AllowedStorage of File with Sensitive Data Under Web Root
Abstraction: Variant · Status: Draft
The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties.
10 vulnerabilities reference this CWE, most recent first.
CVE-2024-56159 (GCVE-0-2024-56159)
Vulnerability from cvelistv5 – Published: 2024-12-19 18:58 – Updated: 2024-12-20 20:44- CWE-219 - Storage of File with Sensitive Data Under Web Root
| URL | Tags |
|---|---|
| https://github.com/withastro/astro/security/advis… | x_refsource_CONFIRM |
| https://github.com/withastro/astro/issues/12703 | x_refsource_MISC |
| https://github.com/getsentry/sentry-javascript/bl… | x_refsource_MISC |
| https://github.com/withastro/astro/blob/176fe9f11… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56159",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T20:44:11.061378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:44:36.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "astro",
"vendor": "withastro",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.8"
},
{
"status": "affected",
"version": "\u003c 4.16.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example. the sourcemap file for `src/pages/index.astro` gets named `dist/client/pages/index.astro.mjs.map`. This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the `dist/client` (referred to as `config.build.client` in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains `.map` files corresponding to the code that runs on the server. All **server-output** projects on Astro 5 versions **v5.0.3** through **v5.0.7**, that have **sourcemaps enabled**, either directly or through an add-on such as `sentry`, are affected. The fix for **server-output** projects was released in **astro@5.0.8**. Additionally, all **static-output** projects built using Astro 4 versions **4.16.17 or older**, or Astro 5 versions **5.0.8 or older**, that have **sourcemaps enabled** are also affected. The fix for **static-output** projects was released in **astro@5.0.9**, and backported to Astro v4 in **astro@4.16.18**. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for **server-output** projects was released in **astro@5.0.8**, and the fix for **static-output** projects was released in **astro@5.0.9** and backported to Astro v4 in **astro@4.16.18**. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-219",
"description": "CWE-219: Storage of File with Sensitive Data Under Web Root",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T18:58:31.989Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr"
},
{
"name": "https://github.com/withastro/astro/issues/12703",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/issues/12703"
},
{
"name": "https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50"
},
{
"name": "https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139"
}
],
"source": {
"advisory": "GHSA-49w6-73cw-chjr",
"discovery": "UNKNOWN"
},
"title": "Server source code is exposed to the public if sourcemaps are enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56159",
"datePublished": "2024-12-19T18:58:31.989Z",
"dateReserved": "2024-12-17T18:16:49.854Z",
"dateUpdated": "2024-12-20T20:44:36.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39776 (GCVE-0-2024-39776)
Vulnerability from cvelistv5 – Published: 2024-08-22 19:49 – Updated: 2024-08-22 20:40| Vendor | Product | Version | |
|---|---|---|---|
| Avtec | Outpost 0810 |
Affected:
0 , < v5.0.0
(custom)
|
|
| Avtec | Outpost Uploader Utility |
Affected:
0 , < v5.0.0
(custom)
|
|
| avtec | outpost_0810 |
Affected:
0 , < 5.0.0
(custom)
cpe:2.3:a:avtec:outpost_0810:*:*:*:*:*:*:*:* |
|
| avtec | outpost_uploader_utility |
Affected:
0 , < 5.0.0
(custom)
cpe:2.3:a:avtec:outpost_uploader_utility:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:avtec:outpost_0810:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "outpost_0810",
"vendor": "avtec",
"versions": [
{
"lessThan": "5.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:avtec:outpost_uploader_utility:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "outpost_uploader_utility",
"vendor": "avtec",
"versions": [
{
"lessThan": "5.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39776",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T20:39:42.113807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T20:40:44.874Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Outpost 0810",
"vendor": "Avtec",
"versions": [
{
"lessThan": "v5.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Outpost Uploader Utility",
"vendor": "Avtec",
"versions": [
{
"lessThan": "v5.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonathan Fournier of Field Effect reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAvtec Outpost stores sensitive information in an insecure location without proper access controls in place.\u003c/span\u003e"
}
],
"value": "Avtec Outpost stores sensitive information in an insecure location without proper access controls in place."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-219",
"description": "CWE-219",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-22T19:54:43.161Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-235-04"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAvtec recommends users update to Outpost v5.0 to resolve.\u003c/p\u003e\u003cul\u003e\u003cli\u003eWhen upgrading to Outpost Version 5.0.0 or later, reset the list of users to the default. More information and instructions can be found on Avtec\u0027s \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://connect.avtecinc.com/bundle/Outpost_Uploader_Utility_User_Guide/page/Content/Outpost_User_Guide/Reset_Web_Auth.html\"\u003eOutpost Uploader Utility User Guide\u003c/a\u003e\u0026nbsp;for more information.\u003c/li\u003e\u003cli\u003eRestrict access to port 80 or disable web interface if possible.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAdditionally, Avtec recommends checking devices for Scout firmware versions prior to 5.8.1, which was commonly coupled with Outpost firmware. If so, the devices may also need to be updated to the latest firmware. For more information, please visit \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://connect.avtecinc.com/bundle/Scout_Release_Notes_5_8/resource/Release_Notes_Scout.pdf\"\u003eScout Release Notes\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "Avtec recommends users update to Outpost v5.0 to resolve.\n\n * When upgrading to Outpost Version 5.0.0 or later, reset the list of users to the default. More information and instructions can be found on Avtec\u0027s Outpost Uploader Utility User Guide https://connect.avtecinc.com/bundle/Outpost_Uploader_Utility_User_Guide/page/Content/Outpost_User_Guide/Reset_Web_Auth.html \u00a0for more information.\n * Restrict access to port 80 or disable web interface if possible.\n\n\nAdditionally, Avtec recommends checking devices for Scout firmware versions prior to 5.8.1, which was commonly coupled with Outpost firmware. If so, the devices may also need to be updated to the latest firmware. For more information, please visit Scout Release Notes https://connect.avtecinc.com/bundle/Scout_Release_Notes_5_8/resource/Release_Notes_Scout.pdf ."
}
],
"source": {
"advisory": "ICSA-24-235-04",
"discovery": "EXTERNAL"
},
"title": "Avtec Outpost Storage of File with Sensitive Data Under Web Root",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2024-39776",
"datePublished": "2024-08-22T19:49:38.118Z",
"dateReserved": "2024-08-12T21:29:23.315Z",
"dateUpdated": "2024-08-22T20:40:44.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39467 (GCVE-0-2023-39467)
Vulnerability from cvelistv5 – Published: 2024-05-03 01:59 – Updated: 2024-08-02 18:10- CWE-219 - Storage of File with Sensitive Data Under Web Root
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| https://www.trianglemicroworks.com/products/scada… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Triangle MicroWorks | SCADA Data Gateway |
Affected:
5.1.3.20324
|
|
| trianglemicroworks | scada_data_gateway |
Affected:
5.1.3.20324
cpe:2.3:a:trianglemicroworks:scada_data_gateway:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:trianglemicroworks:scada_data_gateway:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "scada_data_gateway",
"vendor": "trianglemicroworks",
"versions": [
{
"status": "affected",
"version": "5.1.3.20324"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-07T19:22:23.242020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:26:51.263Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:20.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1035",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1035/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.trianglemicroworks.com/products/scada-data-gateway/what\u0027s-new"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SCADA Data Gateway",
"vendor": "Triangle MicroWorks",
"versions": [
{
"status": "affected",
"version": "5.1.3.20324"
}
]
}
],
"dateAssigned": "2023-08-02T21:44:31.427Z",
"datePublic": "2023-08-04T18:43:42.003Z",
"descriptions": [
{
"lang": "en",
"value": "Triangle MicroWorks SCADA Data Gateway certificate Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Triangle MicroWorks SCADA Data Gateway. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the configuration of certificate web directory. The issue results from the exposure of sensitive information in the application webroot. An attacker can leverage this vulnerability to disclose sensitive information. Was ZDI-CAN-20798."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-219",
"description": "CWE-219: Storage of File with Sensitive Data Under Web Root",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T01:59:29.616Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1035",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1035/"
},
{
"name": "vendor-provided URL",
"tags": [
"vendor-advisory"
],
"url": "https://www.trianglemicroworks.com/products/scada-data-gateway/what\u0027s-new"
}
],
"source": {
"lang": "en",
"value": "Uri Katz of Claroty Team82"
},
"title": "Triangle MicroWorks SCADA Data Gateway certificate Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-39467",
"datePublished": "2024-05-03T01:59:29.616Z",
"dateReserved": "2023-08-02T21:37:23.123Z",
"dateUpdated": "2024-08-02T18:10:20.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36306 (GCVE-0-2022-36306)
Vulnerability from cvelistv5 – Published: 2022-08-16 00:32 – Updated: 2024-08-03 10:00- CWE-219 - CWE-548
| URL | Tags |
|---|---|
| https://helpdesk.airspan.com/browse/TRN3-1691 | x_refsource_CONFIRM |
| https://github.com/metaredteam/external-disclosur… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Airspan | AirVelocity |
Affected:
unspecified , ≤ 15.18.00.2511
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:00:04.280Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://helpdesk.airspan.com/browse/TRN3-1691"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-9v93-3qpc-hxj9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AirVelocity",
"vendor": "Airspan",
"versions": [
{
"lessThanOrEqual": "15.18.00.2511",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2022-07-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An authenticated attacker can enumerate and download sensitive files, including the eNodeB\u0027s web management UI\u0027s TLS private key, the web server binary, and the web server configuration file. These vulnerabilities were found in AirVelocity 1500 running software version 9.3.0.01249, were still present in 15.18.00.2511, and may affect other AirVelocity and AirSpeed models."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-219",
"description": "CWE-219, CWE-548",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-16T00:32:07.000Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://helpdesk.airspan.com/browse/TRN3-1691"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-9v93-3qpc-hxj9"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@fb.com",
"DATE_ASSIGNED": "2022-07-19",
"ID": "CVE-2022-36306",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AirVelocity",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "15.18.00.2511"
}
]
}
}
]
},
"vendor_name": "Airspan"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An authenticated attacker can enumerate and download sensitive files, including the eNodeB\u0027s web management UI\u0027s TLS private key, the web server binary, and the web server configuration file. These vulnerabilities were found in AirVelocity 1500 running software version 9.3.0.01249, were still present in 15.18.00.2511, and may affect other AirVelocity and AirSpeed models."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-219, CWE-548"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://helpdesk.airspan.com/browse/TRN3-1691",
"refsource": "CONFIRM",
"url": "https://helpdesk.airspan.com/browse/TRN3-1691"
},
{
"name": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-9v93-3qpc-hxj9",
"refsource": "MISC",
"url": "https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-9v93-3qpc-hxj9"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2022-36306",
"datePublished": "2022-08-16T00:32:07.000Z",
"dateReserved": "2022-07-19T00:00:00.000Z",
"dateUpdated": "2024-08-03T10:00:04.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21236 (GCVE-0-2022-21236)
Vulnerability from cvelistv5 – Published: 2022-01-28 19:10 – Updated: 2025-04-15 19:22- CWE-219 - Sensitive Data Under Web Root
| URL | Tags |
|---|---|
| https://talosintelligence.com/vulnerability_repor… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:31:59.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1446"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21236",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-15T18:24:20.854791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T19:22:14.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An information disclosure vulnerability exists due to a web server misconfiguration in the Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-219",
"description": "CWE-219: Sensitive Data Under Web Root",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-28T19:10:01.000Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1446"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "talos-cna@cisco.com",
"ID": "CVE-2022-21236",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An information disclosure vulnerability exists due to a web server misconfiguration in the Reolink RLC-410W v3.0.0.136_20121102. A specially-crafted HTTP request can lead to a disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability."
}
]
},
"impact": {
"cvss": {
"baseScore": 8.1,
"baseSeverity": "High",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-219: Sensitive Data Under Web Root"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1446",
"refsource": "MISC",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1446"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2022-21236",
"datePublished": "2022-01-28T19:10:01.000Z",
"dateReserved": "2022-01-11T00:00:00.000Z",
"dateUpdated": "2025-04-15T19:22:14.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-49W6-73CW-CHJR
Vulnerability from github – Published: 2024-12-19 15:12 – Updated: 2025-11-27 08:02Summary
A bug in the build process allows any unauthenticated user to read parts of the server source code.
Details
During build, along with client assets such as css and font files, the sourcemap files for the server code are moved to a publicly-accessible folder. https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139
Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website.
While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in src/pages) are predictably named. For example. the sourcemap file for src/pages/index.astro gets named dist/client/pages/index.astro.mjs.map.
PoC
Here is one example of an affected open-source website: https://creatorsgarten.org/pages/index.astro.mjs.map
The file can be saved and opened using https://evanw.github.io/source-map-visualization/ to reconstruct the source code.
The above accurately mirrors the source code as seen in the repository: https://github.com/creatorsgarten/creatorsgarten.org/blob/main/src/pages/index.astro
The above was found as the 4th result (and the first one on Astro 5.0+) when making the following search query on GitHub.com (search results link):
path:astro.config.mjs @sentry/astro
This vulnerability is the root cause of https://github.com/withastro/astro/issues/12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the dist/client (referred to as config.build.client in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains .map files corresponding to the code that runs on the server.
Impact
All server-output (SSR) projects on Astro 5 versions v5.0.3 through v5.0.6 (inclusive), that have sourcemaps enabled, either directly or through an add-on such as sentry, are affected. The fix for server-output projects was released in astro@5.0.7.
Additionally, all static-output (SSG) projects built using Astro 4 versions 4.16.17 or older, or Astro 5 versions 5.0.7 or older, that have sourcemaps enabled are also affected. The fix for static-output projects was released in astro@5.0.8, and backported to Astro v4 in astro@4.16.18.
The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code.
There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code .
There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability.
- Network attack vector.
- Low attack complexity.
- No privileges required.
- No interaction required from an authorized user.
- Scope is limited to first party. Although the source code of closed-source third-party software may also be exposed.
Remediation
The fix for server-output projects was released in astro@5.0.7, and the fix for static-output projects was released in astro@5.0.8 and backported to Astro v4 in astro@4.16.18. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "astro"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-alpha.0"
},
{
"fixed": "5.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.16.17"
},
"package": {
"ecosystem": "npm",
"name": "astro"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.16.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-56159"
],
"database_specific": {
"cwe_ids": [
"CWE-219"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-19T15:12:33Z",
"nvd_published_at": "2024-12-19T19:15:08Z",
"severity": "HIGH"
},
"details": "### Summary\nA bug in the build process allows any unauthenticated user to read parts of the server source code.\n\n### Details\nDuring build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder.\nhttps://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139\n\nAny outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website.\n\nWhile some server files are hashed, making their access obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example. the sourcemap file for `src/pages/index.astro` gets named `dist/client/pages/index.astro.mjs.map`.\n\n### PoC\nHere is one example of an affected open-source website:\nhttps://creatorsgarten.org/pages/index.astro.mjs.map\n\n\u003cimage width=\"500\" height=\"263\" src=\"https://github.com/user-attachments/assets/773c5532-87af-42b8-838e-8f5472bf9f68\"/\u003e\n\nThe file can be saved and opened using https://evanw.github.io/source-map-visualization/ to reconstruct the source code.\n\n\u003cimage width=\"500\" height=\"271\" src=\"https://github.com/user-attachments/assets/7d35d0ca-3a29-4666-be21-cfefe311ac9d\"/\u003e\n\nThe above accurately mirrors the source code as seen in the repository: https://github.com/creatorsgarten/creatorsgarten.org/blob/main/src/pages/index.astro\n\n\u003cimage width=\"500\" height=\"298\" src=\"https://github.com/user-attachments/assets/39e77197-8382-4556-a024-c526dacccc1c\"/\u003e\n\n\nThe above was found as the 4th result (and the first one on Astro 5.0+) when making the following search query on GitHub.com ([search results link](https://github.com/search?q=path%3Aastro.config.mjs+%40sentry%2Fastro\u0026type=code)):\n```\npath:astro.config.mjs @sentry/astro\n```\n\nThis vulnerability is the root cause of https://github.com/withastro/astro/issues/12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the `dist/client` (referred to as `config.build.client` in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains `.map` files corresponding to the code that runs on the server.\n\n### Impact\nAll **server-output** (SSR) projects on Astro 5 versions **v5.0.3** through **v5.0.6** (inclusive), that have **sourcemaps enabled**, either directly or through an add-on such as [sentry](https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50), are affected. The fix for **server-output** projects was released in **astro@5.0.7**.\n\nAdditionally, all **static-output** (SSG) projects built using Astro 4 versions **4.16.17 or older**, or Astro 5 versions **5.0.7 or older**, that have **sourcemaps enabled** are also affected. The fix for **static-output** projects was released in **astro@5.0.8**, and backported to Astro v4 in **astro@4.16.18**.\n\nThe immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code.\n\nThere is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code .\n\nThere is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability.\n\n- Network attack vector.\n- Low attack complexity.\n- No privileges required.\n- No interaction required from an authorized user.\n- Scope is limited to first party. Although the source code of closed-source third-party software may also be exposed. \n\n### Remediation\nThe fix for **server-output** projects was released in **astro@5.0.7**, and the fix for **static-output** projects was released in **astro@5.0.8** and backported to Astro v4 in **astro@4.16.18**. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.",
"id": "GHSA-49w6-73cw-chjr",
"modified": "2025-11-27T08:02:36Z",
"published": "2024-12-19T15:12:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56159"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/issues/12703"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/commit/039d022b1bbaacf9ea83071d27affc5318e0e515"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/commit/c879f501ff01b1a3c577de776a1f7100d78f8dd5"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50"
},
{
"type": "PACKAGE",
"url": "https://github.com/withastro/astro"
},
{
"type": "WEB",
"url": "https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Astro\u0027s server source code is exposed to the public if sourcemaps are enabled"
}
GHSA-82JV-MJPV-6MH8
Vulnerability from github – Published: 2022-04-30 18:22 – Updated: 2024-08-08 15:31Horde IMP 2.2.7 allows remote attackers to obtain the full web root pathname via an HTTP request for (1) poppassd.php3, (2) login.php3?reason=chpass2, (3) spelling.php3, and (4) ldap.search.php3?ldap_serv=nonsense which leaks the information in error messages.
{
"affected": [],
"aliases": [
"CVE-2002-2024"
],
"database_specific": {
"cwe_ids": [
"CWE-219"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "Horde IMP 2.2.7 allows remote attackers to obtain the full web root pathname via an HTTP request for (1) poppassd.php3, (2) login.php3?reason=chpass2, (3) spelling.php3, and (4) ldap.search.php3?ldap_serv=nonsense which leaks the information in error messages.",
"id": "GHSA-82jv-mjpv-6mh8",
"modified": "2024-08-08T15:31:26Z",
"published": "2022-04-30T18:22:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-2024"
},
{
"type": "WEB",
"url": "http://bugs.horde.org/show_bug.cgi?id=916"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/8768.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/4445"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9347-HGFF-8MJV
Vulnerability from github – Published: 2024-08-22 21:31 – Updated: 2024-08-22 21:31Avtec Outpost stores sensitive information in an insecure location without proper access controls in place.
{
"affected": [],
"aliases": [
"CVE-2024-39776"
],
"database_specific": {
"cwe_ids": [
"CWE-219"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T20:15:08Z",
"severity": "HIGH"
},
"details": "Avtec Outpost stores sensitive information in an insecure location without proper access controls in place.",
"id": "GHSA-9347-hgff-8mjv",
"modified": "2024-08-22T21:31:29Z",
"published": "2024-08-22T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39776"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-235-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FM6R-RCHP-RG6X
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30Triangle MicroWorks SCADA Data Gateway certificate Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Triangle MicroWorks SCADA Data Gateway. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the configuration of certificate web directory. The issue results from the exposure of sensitive information in the application webroot. An attacker can leverage this vulnerability to disclose sensitive information. Was ZDI-CAN-20798.
{
"affected": [],
"aliases": [
"CVE-2023-39467"
],
"database_specific": {
"cwe_ids": [
"CWE-219"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:12Z",
"severity": "MODERATE"
},
"details": "Triangle MicroWorks SCADA Data Gateway certificate Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Triangle MicroWorks SCADA Data Gateway. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the configuration of certificate web directory. The issue results from the exposure of sensitive information in the application webroot. An attacker can leverage this vulnerability to disclose sensitive information. Was ZDI-CAN-20798.",
"id": "GHSA-fm6r-rchp-rg6x",
"modified": "2024-05-03T03:30:56Z",
"published": "2024-05-03T03:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39467"
},
{
"type": "WEB",
"url": "https://www.trianglemicroworks.com/products/scada-data-gateway/what\u0027s-new"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1035"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XVP7-8VM8-XFXX
Vulnerability from github – Published: 2025-10-20 17:55 – Updated: 2026-06-08 23:28Summary
The GoCardless components in Actualbudget in are logging responses to STDOUT in a parsed format using console.logand console.debug (Which in this version of node is an alias for console.log). This is exposing sensitive information in log files including, but not limited to:
- Gocardless bearer tokens.
- Account IBAN and Bank Account numbers.
- PII of the account holder.
- Transaction details (Payee bank information, Recipient account numbers, Transaction IDs)...
Details
Whenever GoCardless responds to a request, the payload is printed to the debug log: https://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/banks/integration-bank.js#L25-L27
This in turn logs the following information to Docker (all values removed here. These fields are possibly dependent on what is returned by each institution so may differ):
{
"account": {
"resourceId": "",
"iban": "",
"bban": "",
"currency": "",
"name": "<full legal name in the bank>",
"product": "",
"status": "",
"bic": "",
"usage": "",
"id": "",
"created": "",
"last_accessed": "",
"institution_id": "",
"owner_name": "",
"institution": {
"id": "",
"name": "",
"bic": "",
"transaction_total_days": "",
"countries": [
""
],
"logo": "",
"max_access_valid_for_days": "",
"supported_features": [
"",
"",
""
],
"identification_codes": []
}
}
}
https://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/banks/integration-bank.js#L83-L85
This is the first of the 10 transactions:
{
"top10Transactions": [{
"transactionId": "",
"entryReference": "",
"bookingDate": "",
"valueDate": "",
"transactionAmount": {
"amount": "",
"currency": ""
},
"creditorName": "",
"creditorAccount": {
"bban": ""
},
"debtorName": "",
"debtorAccount": {
"bban": ""
},
"remittanceInformationUnstructured": "",
"remittanceInformationStructuredArray": [
{"reference": "", "referenceType": ""}
],
"additionalInformation": "",
"proprietaryBankTransactionCode": "",
"debtorAgent": "",
"internalTransactionId": "",
"payeeName": "",
"date": ""
}]
}
Additionally, in the error handling for GoCardless, there is a catch all for unclassified errors that prints the entire stack trace to the console.
https://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/app-gocardless.js#L263-L264
Our bank was offline today for maintenance which threw a 503 error from Gocardless. The entire response payload was dumped to console, which includes the Bearer tokens for accessing GoCardless:
Something went wrong ServiceError: Institution service unavailable
at handleGoCardlessError (file:///app/src/app-gocardless/services/gocardless-service.js:59:13)
at Object.getTransactions (file:///app/src/app-gocardless/services/gocardless-service.js:530:7)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Object.getNormalizedTransactions (file:///app/src/app-gocardless/services/gocardless-service.js:267:26)
at async file:///app/src/app-gocardless/app-gocardless.js:186:13 {
details: h [AxiosError]: Request failed with status code 503
at te (file:///app/node_modules/nordigen-node/dist/index.esm.js:13:914)
at IncomingMessage.<anonymous> (file:///app/node_modules/nordigen-node/dist/index.esm.js:17:16315)
at IncomingMessage.emit (node:events:529:35)
at endReadableNT (node:internal/streams/readable:1400:12)
at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
code: 'ERR_BAD_RESPONSE',
config: {
transitional: {
silentJSONParsing: true,
forcedJSONParsing: true,
clarifyTimeoutError: false
},
adapter: [ 'xhr', 'http' ],
transformRequest: [ [Function (anonymous)] ],
transformResponse: [ [Function (anonymous)] ],
timeout: 0,
xsrfCookieName: 'XSRF-TOKEN',
xsrfHeaderName: 'X-XSRF-TOKEN',
maxContentLength: -1,
maxBodyLength: -1,
env: {
FormData: [Function: _] {
LINE_BREAK: '\r\n',
DEFAULT_CONTENT_TYPE: 'application/octet-stream'
},
Blob: [class Blob]
},
validateStatus: [Function: validateStatus],
headers: T [AxiosHeaders] {
Accept: 'application/json',
'Content-Type': 'application/json',
'User-Agent': 'Nordigen-Node-v2',
'Authorization': 'Bearer eyJ0eXAi... (the full token is in the response)',
'Accept-Encoding': 'gzip, compress, deflate, br'
},
method: 'get',
url: URL {
href: 'https://bankaccountdata.gocardless.com/api/v2/accounts/<Account id Was Here>?date_from=2024-12-22',
origin: 'https://bankaccountdata.gocardless.com',
protocol: 'https:',
username: '',
password: '',
host: 'bankaccountdata.gocardless.com',
hostname: 'bankaccountdata.gocardless.com',
port: '',
pathname: '/api/v2/accounts/<Account id Was Here>/transactions',
search: '?date_from=2024-12-22',
searchParams: URLSearchParams { 'date_from' => '2024-12-22' },
hash: ''
},
data: undefined
},
And quite a few pages more.
PoC
- Setup an Actualbudget server inside of Docker. In this instance I was using the Docker Compose script posted in the repository: https://github.com/actualbudget/actual/blob/master/packages/sync-server/docker-compose.yml
- Link a gocardless account to Actualbudget and sync a bank account
- Observe in the container using
docker logs actual-actual_server-1 -fthat sensitive details are logged to the console and ingested by docker.
Impact
Information disclosure. The services are available both on-premises and in environments that are not under the control of the end user, such as third-party providers who offer this application as a managed solution.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 25.10.0"
},
"package": {
"ecosystem": "npm",
"name": "@actual-app/sync-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "25.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-215",
"CWE-219"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-20T17:55:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe GoCardless components in Actualbudget in are logging responses to STDOUT in a parsed format using `console.log`and `console.debug` (Which in this version of node is an alias for `console.log`). This is exposing sensitive information in log files including, but not limited to:\n\n- Gocardless bearer tokens.\n- Account IBAN and Bank Account numbers.\n- PII of the account holder.\n- Transaction details (Payee bank information, Recipient account numbers, Transaction IDs)...\n\n### Details\n\nWhenever GoCardless responds to a request, the payload is printed to the debug log: \nhttps://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/banks/integration-bank.js#L25-L27\n\nThis in turn logs the following information to Docker (all values removed here. These fields are possibly dependent on what is returned by each institution so may differ):\n\n```json\n{\n \"account\": {\n \"resourceId\": \"\",\n \"iban\": \"\",\n \"bban\": \"\",\n \"currency\": \"\",\n \"name\": \"\u003cfull legal name in the bank\u003e\",\n \"product\": \"\",\n \"status\": \"\",\n \"bic\": \"\",\n \"usage\": \"\",\n \"id\": \"\",\n \"created\": \"\",\n \"last_accessed\": \"\",\n \"institution_id\": \"\",\n \"owner_name\": \"\",\n \"institution\": {\n \"id\": \"\",\n \"name\": \"\",\n \"bic\": \"\",\n \"transaction_total_days\": \"\",\n \"countries\": [\n \"\"\n ],\n \"logo\": \"\",\n \"max_access_valid_for_days\": \"\",\n \"supported_features\": [\n \"\",\n \"\",\n \"\"\n ],\n \"identification_codes\": []\n }\n }\n}\n```\n\nhttps://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/banks/integration-bank.js#L83-L85\n\nThis is the first of the 10 transactions:\n```json\n{\n \"top10Transactions\": [{\n \"transactionId\": \"\",\n \"entryReference\": \"\",\n \"bookingDate\": \"\",\n \"valueDate\": \"\",\n \"transactionAmount\": {\n \"amount\": \"\",\n \"currency\": \"\"\n },\n \"creditorName\": \"\",\n \"creditorAccount\": {\n \"bban\": \"\"\n },\n \"debtorName\": \"\",\n \"debtorAccount\": {\n \"bban\": \"\"\n },\n \"remittanceInformationUnstructured\": \"\",\n \"remittanceInformationStructuredArray\": [\n {\"reference\": \"\", \"referenceType\": \"\"}\n ],\n \"additionalInformation\": \"\",\n \"proprietaryBankTransactionCode\": \"\",\n \"debtorAgent\": \"\",\n \"internalTransactionId\": \"\",\n \"payeeName\": \"\",\n \"date\": \"\"\n }]\n}\n```\n\nAdditionally, in the error handling for GoCardless, there is a catch all for unclassified errors that prints the entire stack trace to the console.\n\nhttps://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/app-gocardless.js#L263-L264\n\nOur bank was offline today for maintenance which threw a 503 error from Gocardless. The entire response payload was dumped to console, which includes the Bearer tokens for accessing GoCardless:\n\n```java\nSomething went wrong ServiceError: Institution service unavailable\n at handleGoCardlessError (file:///app/src/app-gocardless/services/gocardless-service.js:59:13)\n at Object.getTransactions (file:///app/src/app-gocardless/services/gocardless-service.js:530:7)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n at async Object.getNormalizedTransactions (file:///app/src/app-gocardless/services/gocardless-service.js:267:26)\n at async file:///app/src/app-gocardless/app-gocardless.js:186:13 {\n details: h [AxiosError]: Request failed with status code 503\n at te (file:///app/node_modules/nordigen-node/dist/index.esm.js:13:914)\n at IncomingMessage.\u003canonymous\u003e (file:///app/node_modules/nordigen-node/dist/index.esm.js:17:16315)\n at IncomingMessage.emit (node:events:529:35)\n at endReadableNT (node:internal/streams/readable:1400:12)\n at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {\n code: \u0027ERR_BAD_RESPONSE\u0027,\n config: {\n transitional: {\n silentJSONParsing: true,\n forcedJSONParsing: true,\n clarifyTimeoutError: false\n },\n adapter: [ \u0027xhr\u0027, \u0027http\u0027 ],\n transformRequest: [ [Function (anonymous)] ],\n transformResponse: [ [Function (anonymous)] ],\n timeout: 0,\n xsrfCookieName: \u0027XSRF-TOKEN\u0027,\n xsrfHeaderName: \u0027X-XSRF-TOKEN\u0027,\n maxContentLength: -1,\n maxBodyLength: -1,\n env: {\n FormData: [Function: _] {\n LINE_BREAK: \u0027\\r\\n\u0027,\n DEFAULT_CONTENT_TYPE: \u0027application/octet-stream\u0027\n },\n Blob: [class Blob]\n },\n validateStatus: [Function: validateStatus],\n headers: T [AxiosHeaders] {\n Accept: \u0027application/json\u0027,\n \u0027Content-Type\u0027: \u0027application/json\u0027,\n \u0027User-Agent\u0027: \u0027Nordigen-Node-v2\u0027,\n \u0027Authorization\u0027: \u0027Bearer eyJ0eXAi... (the full token is in the response)\u0027,\n \u0027Accept-Encoding\u0027: \u0027gzip, compress, deflate, br\u0027\n },\n method: \u0027get\u0027,\n url: URL {\n href: \u0027https://bankaccountdata.gocardless.com/api/v2/accounts/\u003cAccount id Was Here\u003e?date_from=2024-12-22\u0027,\n origin: \u0027https://bankaccountdata.gocardless.com\u0027,\n protocol: \u0027https:\u0027,\n username: \u0027\u0027,\n password: \u0027\u0027,\n host: \u0027bankaccountdata.gocardless.com\u0027,\n hostname: \u0027bankaccountdata.gocardless.com\u0027,\n port: \u0027\u0027,\n pathname: \u0027/api/v2/accounts/\u003cAccount id Was Here\u003e/transactions\u0027,\n search: \u0027?date_from=2024-12-22\u0027,\n searchParams: URLSearchParams { \u0027date_from\u0027 =\u003e \u00272024-12-22\u0027 },\n hash: \u0027\u0027\n },\n data: undefined\n },\n```\nAnd quite a few pages more.\n\n### PoC\n- Setup an Actualbudget server inside of Docker. In this instance I was using the Docker Compose script posted in the repository: https://github.com/actualbudget/actual/blob/master/packages/sync-server/docker-compose.yml\n- Link a gocardless account to Actualbudget and sync a bank account\n- Observe in the container using `docker logs actual-actual_server-1 -f` that sensitive details are logged to the console and ingested by docker. \n\n### Impact\nInformation disclosure. The services are available both on-premises and in environments that are not under the control of the end user, such as third-party providers who offer this application as a managed solution.",
"id": "GHSA-xvp7-8vm8-xfxx",
"modified": "2026-06-08T23:28:41Z",
"published": "2025-10-20T17:55:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/security/advisories/GHSA-xvp7-8vm8-xfxx"
},
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/commit/97482a082d502887ef22514b93e35e4c67f4f30f"
},
{
"type": "PACKAGE",
"url": "https://github.com/actualbudget/actual"
},
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/app-gocardless.js#L263-L264"
},
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/banks/integration-bank.js#L25-L27"
},
{
"type": "WEB",
"url": "https://github.com/actualbudget/actual/blob/36c40d90d2fe09eb1f25a6e2f77f6dd40638b267/packages/sync-server/src/app-gocardless/banks/integration-bank.js#L83-L85"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers"
}
Mitigation
Avoid storing information under the web root directory.
Mitigation
Access control permissions should be set to prevent reading/writing of sensitive files inside/outside of the web directory.
No CAPEC attack patterns related to this CWE.