Common Weakness Enumeration

CWE-549

Allowed

Missing Password Field Masking

Abstraction: Base · Status: Draft

The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

26 vulnerabilities reference this CWE, most recent first.

CVE-2022-22550 (GCVE-0-2022-22550)

Vulnerability from cvelistv5 – Published: 2022-04-12 17:50 – Updated: 2024-09-17 00:26
VLAI
Summary
Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over.
CWE
  • CWE-549 - Missing Password Field Masking
Assigner
References
Impacted products
Vendor Product Version
Dell PowerScale OneFS Affected: 8.2.2-9.3.0.x
Create a notification for this product.
Date Public
2022-01-31 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:14:55.811Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.dell.com/support/kbdoc/000195815"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PowerScale OneFS",
          "vendor": "Dell",
          "versions": [
            {
              "status": "affected",
              "version": "8.2.2-9.3.0.x"
            }
          ]
        }
      ],
      "datePublic": "2022-01-31T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549: Missing Password Field Masking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-12T17:50:41.000Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.dell.com/support/kbdoc/000195815"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secure@dell.com",
          "DATE_PUBLIC": "2022-01-31",
          "ID": "CVE-2022-22550",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PowerScale OneFS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_value": "8.2.2-9.3.0.x"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Dell"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over."
            }
          ]
        },
        "impact": {
          "cvss": {
            "baseScore": 6.7,
            "baseSeverity": "Medium",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-549: Missing Password Field Masking"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.dell.com/support/kbdoc/000195815",
              "refsource": "MISC",
              "url": "https://www.dell.com/support/kbdoc/000195815"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2022-22550",
    "datePublished": "2022-04-12T17:50:41.229Z",
    "dateReserved": "2022-01-04T00:00:00.000Z",
    "dateUpdated": "2024-09-17T00:26:01.590Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-20914 (GCVE-0-2022-20914)

Vulnerability from cvelistv5 – Published: 2022-08-10 08:11 – Updated: 2024-11-01 18:55
VLAI
Title
Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability
Summary
A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentication server. Note: To successfully exploit this vulnerability, the attacker must have valid ERS administrative credentials.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://tools.cisco.com/security/center/content/C… vendor-advisoryx_refsource_CISCO
Impacted products
Date Public
2022-08-03 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T02:31:57.400Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20220803 Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-20914",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-01T18:40:35.600564Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-01T18:55:19.720Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco Identity Services Engine Software",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2022-08-03T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentication server. Note: To successfully exploit this vulnerability, the attacker must have valid ERS administrative credentials."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-10T08:11:17.000Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20220803 Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF"
        }
      ],
      "source": {
        "advisory": "cisco-sa-ise-pwd-WH64AhQF",
        "defect": [
          [
            "CSCwb02346"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2022-08-03T23:00:00",
          "ID": "CVE-2022-20914",
          "STATE": "PUBLIC",
          "TITLE": "Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco Identity Services Engine Software",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentication server. Note: To successfully exploit this vulnerability, the attacker must have valid ERS administrative credentials."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory."
          }
        ],
        "impact": {
          "cvss": {
            "baseScore": "4.9",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-549"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20220803 Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-ise-pwd-WH64AhQF",
          "defect": [
            [
              "CSCwb02346"
            ]
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2022-20914",
    "datePublished": "2022-08-10T08:11:17.610Z",
    "dateReserved": "2021-11-02T00:00:00.000Z",
    "dateUpdated": "2024-11-01T18:55:19.720Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-1342 (GCVE-0-2022-1342)

Vulnerability from cvelistv5 – Published: 2022-06-15 16:09 – Updated: 2024-09-17 03:55
VLAI
Summary
A lack of password masking in Devolutions Remote Desktop Manager allows physically proximate attackers to observe sensitive data. A caching issue can cause sensitive fields to sometimes stay revealed when closing and reopening a panel, which could lead to involuntarily disclosing sensitive information. This issue affects: Devolutions Remote Desktop Manager 2022.1.24 version and prior versions.
Severity
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
Devolutions Remote Desktop Manager Affected: unspecified , ≤ 2022.1.24 (custom)
Create a notification for this product.
Date Public
2022-04-21 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:03:05.876Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://devolutions.net/security/advisories/DEVO-2022-0003"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Remote Desktop Manager",
          "vendor": "Devolutions",
          "versions": [
            {
              "lessThanOrEqual": "2022.1.24",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2022-04-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A lack of password masking in Devolutions Remote Desktop Manager allows physically proximate attackers to observe sensitive data. A caching issue can cause sensitive fields to sometimes stay revealed when closing and reopening a panel, which could lead to involuntarily disclosing sensitive information. This issue affects: Devolutions Remote Desktop Manager 2022.1.24 version and prior versions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-549",
              "description": "CWE-549",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-15T16:09:30.000Z",
        "orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
        "shortName": "DEVOLUTIONS"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://devolutions.net/security/advisories/DEVO-2022-0003"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@devolutions.net",
          "DATE_PUBLIC": "2022-04-21T00:00:00",
          "ID": "CVE-2022-1342",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Remote Desktop Manager",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2022.1.24"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Devolutions"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A lack of password masking in Devolutions Remote Desktop Manager allows physically proximate attackers to observe sensitive data. A caching issue can cause sensitive fields to sometimes stay revealed when closing and reopening a panel, which could lead to involuntarily disclosing sensitive information. This issue affects: Devolutions Remote Desktop Manager 2022.1.24 version and prior versions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-549"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://devolutions.net/security/advisories/DEVO-2022-0003",
              "refsource": "MISC",
              "url": "https://devolutions.net/security/advisories/DEVO-2022-0003"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
    "assignerShortName": "DEVOLUTIONS",
    "cveId": "CVE-2022-1342",
    "datePublished": "2022-06-15T16:09:30.876Z",
    "dateReserved": "2022-04-13T00:00:00.000Z",
    "dateUpdated": "2024-09-17T03:55:09.040Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2X3G-RR4W-4QRP

Vulnerability from github – Published: 2025-03-19 18:30 – Updated: 2025-03-21 15:41
VLAI
Summary
Jenkins Zoho QEngine Plugin Displays Unmasked API Keys
Details

Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.0.31.v4a"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.plugins:zohoqengine"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.31.v4a_b_1db_6d6a_f2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522",
      "CWE-549"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-20T13:17:59Z",
    "nvd_published_at": "2025-03-19T16:15:34Z",
    "severity": "LOW"
  },
  "details": "Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.",
  "id": "GHSA-2x3g-rr4w-4qrp",
  "modified": "2025-03-21T15:41:33Z",
  "published": "2025-03-19T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30197"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/zohoqengine-plugin/commit/4ab1db6d6af21f43dd15cc328599445519875fa8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/zohoqengine-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-03-19/#SECURITY-3511"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Jenkins Zoho QEngine Plugin Displays Unmasked API Keys"
}

GHSA-4352-JXWG-88RM

Vulnerability from github – Published: 2025-02-04 00:32 – Updated: 2025-03-13 19:19
VLAI
Summary
Jenkins Zoom Plugin is Missing Password Field Masking
Details

Missing password field masking in the Zoom Jenkins Marketplace plugin before version 1.6 may allow an unauthenticated user to conduct a disclosure of information via adjacent network access.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.plugins:zoom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-0148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-549"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-13T19:19:18Z",
    "nvd_published_at": "2025-02-03T23:15:08Z",
    "severity": "LOW"
  },
  "details": "Missing password field masking in the Zoom Jenkins Marketplace plugin before version 1.6 may allow an unauthenticated user to conduct a disclosure of information via adjacent network access.",
  "id": "GHSA-4352-jxwg-88rm",
  "modified": "2025-03-13T19:19:18Z",
  "published": "2025-02-04T00:32:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0148"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/zoom-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Zoom Plugin is Missing Password Field Masking"
}

GHSA-43H6-XXQH-8CXP

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).

This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-3314"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-549"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T07:16:18Z",
    "severity": "MODERATE"
  },
  "details": "Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).\n\nThis issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.",
  "id": "GHSA-43h6-xxqh-8cxp",
  "modified": "2026-05-26T13:30:54Z",
  "published": "2026-05-26T13:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3314"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-120/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5H4V-FJX7-95CQ

Vulnerability from github – Published: 2023-06-02 06:30 – Updated: 2024-11-01 00:31
VLAI
Details

Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2062"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-549",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-02T05:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.",
  "id": "GHSA-5h4v-fjx7-95cq",
  "modified": "2024-11-01T00:31:59Z",
  "published": "2023-06-02T06:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2062"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU92908006"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-02"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2023-004.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7F8P-4MQ8-5MPQ

Vulnerability from github – Published: 2023-05-17 03:30 – Updated: 2024-04-04 04:12
VLAI
Details

Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522",
      "CWE-549"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-17T01:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the software.",
  "id": "GHSA-7f8p-4mq8-5mpq",
  "modified": "2024-04-04T04:12:56Z",
  "published": "2023-05-17T03:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1763"
    },
    {
      "type": "WEB",
      "url": "https://psirt.canon/advisory-information/cp2023-002"
    },
    {
      "type": "WEB",
      "url": "https://psirt.canon/hardening"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RR5-8349-J433

Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30
VLAI
Details

Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-42904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-549"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T16:17:52Z",
    "severity": "MODERATE"
  },
  "details": "Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability.",
  "id": "GHSA-9rr5-8349-j433",
  "modified": "2025-12-09T18:30:37Z",
  "published": "2025-12-09T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42904"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3662324"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C978-WQ47-PVVW

Vulnerability from github – Published: 2025-11-12 21:30 – Updated: 2025-11-15 03:13
VLAI
Summary
sudo-rs: Partial password reveal is possible after timeout
Details

Summary

If a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console.

Example

Using sudo-rs:

geiger@cerberus:~$ sudo -s
[sudo: authenticate] Password: sudo-rs: timed out
geiger@cerberus:~$ testtesttest

"testtesttest" was entered at the password prompt but not confirmed by pressing return and then waiting for the timeout.

Impact

This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks.

Versions affected

Passwords timeouts were added in sudo-rs 0.2.7 (with a default set to 5 minutes).

Credits

This issue was discovered and reported by @DevLaTron.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "sudo-rs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.7"
            },
            {
              "fixed": "0.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-549"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-12T21:30:11Z",
    "nvd_published_at": "2025-11-12T21:15:53Z",
    "severity": "LOW"
  },
  "details": "### Summary\nIf a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console.\n\n### Example\nUsing sudo-rs:\n```\ngeiger@cerberus:~$ sudo -s\n[sudo: authenticate] Password: sudo-rs: timed out\ngeiger@cerberus:~$ testtesttest\n```\n\n\"testtesttest\" was entered at the password prompt but not confirmed by pressing return and then waiting for the timeout.\n\n### Impact\nThis could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks.\n\n### Versions affected\nPasswords timeouts were added in sudo-rs 0.2.7 (with a default set to 5 minutes).\n\n### Credits\nThis issue was discovered and reported by @DevLaTron.",
  "id": "GHSA-c978-wq47-pvvw",
  "modified": "2025-11-15T03:13:07Z",
  "published": "2025-11-12T21:30:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64170"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trifectatechfoundation/sudo-rs/commit/0e3d3837aec3ee9fb5dcb8bfe11e8adb367f58f4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trifectatechfoundation/sudo-rs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "sudo-rs: Partial password reveal is possible after timeout"
}

Mitigation
Implementation Requirements

Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.

No CAPEC attack patterns related to this CWE.