CWE-549
AllowedMissing Password Field Masking
Abstraction: Base · Status: Draft
The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.
26 vulnerabilities reference this CWE, most recent first.
CVE-2022-22550 (GCVE-0-2022-22550)
Vulnerability from cvelistv5 – Published: 2022-04-12 17:50 – Updated: 2024-09-17 00:26- CWE-549 - Missing Password Field Masking
| URL | Tags |
|---|---|
| https://www.dell.com/support/kbdoc/000195815 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Dell | PowerScale OneFS |
Affected:
8.2.2-9.3.0.x
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:14:55.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.dell.com/support/kbdoc/000195815"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PowerScale OneFS",
"vendor": "Dell",
"versions": [
{
"status": "affected",
"version": "8.2.2-9.3.0.x"
}
]
}
],
"datePublic": "2022-01-31T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-549",
"description": "CWE-549: Missing Password Field Masking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-12T17:50:41.000Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.dell.com/support/kbdoc/000195815"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secure@dell.com",
"DATE_PUBLIC": "2022-01-31",
"ID": "CVE-2022-22550",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PowerScale OneFS",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "8.2.2-9.3.0.x"
}
]
}
}
]
},
"vendor_name": "Dell"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over."
}
]
},
"impact": {
"cvss": {
"baseScore": 6.7,
"baseSeverity": "Medium",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-549: Missing Password Field Masking"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.dell.com/support/kbdoc/000195815",
"refsource": "MISC",
"url": "https://www.dell.com/support/kbdoc/000195815"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2022-22550",
"datePublished": "2022-04-12T17:50:41.229Z",
"dateReserved": "2022-01-04T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:26:01.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-20914 (GCVE-0-2022-20914)
Vulnerability from cvelistv5 – Published: 2022-08-10 08:11 – Updated: 2024-11-01 18:55| URL | Tags |
|---|---|
| https://tools.cisco.com/security/center/content/C… | vendor-advisoryx_refsource_CISCO |
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco Identity Services Engine Software |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:31:57.400Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20220803 Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-20914",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T18:40:35.600564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T18:55:19.720Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco Identity Services Engine Software",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2022-08-03T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentication server. Note: To successfully exploit this vulnerability, the attacker must have valid ERS administrative credentials."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-549",
"description": "CWE-549",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-10T08:11:17.000Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20220803 Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF"
}
],
"source": {
"advisory": "cisco-sa-ise-pwd-WH64AhQF",
"defect": [
[
"CSCwb02346"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2022-08-03T23:00:00",
"ID": "CVE-2022-20914",
"STATE": "PUBLIC",
"TITLE": "Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco Identity Services Engine Software",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to obtain sensitive information. This vulnerability is due to excessive verbosity in a specific REST API output. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to obtain sensitive information, including administrative credentials for an external authentication server. Note: To successfully exploit this vulnerability, the attacker must have valid ERS administrative credentials."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "4.9",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-549"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20220803 Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-pwd-WH64AhQF"
}
]
},
"source": {
"advisory": "cisco-sa-ise-pwd-WH64AhQF",
"defect": [
[
"CSCwb02346"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2022-20914",
"datePublished": "2022-08-10T08:11:17.610Z",
"dateReserved": "2021-11-02T00:00:00.000Z",
"dateUpdated": "2024-11-01T18:55:19.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1342 (GCVE-0-2022-1342)
Vulnerability from cvelistv5 – Published: 2022-06-15 16:09 – Updated: 2024-09-17 03:55| URL | Tags |
|---|---|
| https://devolutions.net/security/advisories/DEVO-… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Devolutions | Remote Desktop Manager |
Affected:
unspecified , ≤ 2022.1.24
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:03:05.876Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://devolutions.net/security/advisories/DEVO-2022-0003"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Remote Desktop Manager",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2022.1.24",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-04-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A lack of password masking in Devolutions Remote Desktop Manager allows physically proximate attackers to observe sensitive data. A caching issue can cause sensitive fields to sometimes stay revealed when closing and reopening a panel, which could lead to involuntarily disclosing sensitive information. This issue affects: Devolutions Remote Desktop Manager 2022.1.24 version and prior versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-549",
"description": "CWE-549",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-15T16:09:30.000Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://devolutions.net/security/advisories/DEVO-2022-0003"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@devolutions.net",
"DATE_PUBLIC": "2022-04-21T00:00:00",
"ID": "CVE-2022-1342",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Remote Desktop Manager",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2022.1.24"
}
]
}
}
]
},
"vendor_name": "Devolutions"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A lack of password masking in Devolutions Remote Desktop Manager allows physically proximate attackers to observe sensitive data. A caching issue can cause sensitive fields to sometimes stay revealed when closing and reopening a panel, which could lead to involuntarily disclosing sensitive information. This issue affects: Devolutions Remote Desktop Manager 2022.1.24 version and prior versions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-549"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://devolutions.net/security/advisories/DEVO-2022-0003",
"refsource": "MISC",
"url": "https://devolutions.net/security/advisories/DEVO-2022-0003"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2022-1342",
"datePublished": "2022-06-15T16:09:30.876Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:55:09.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2X3G-RR4W-4QRP
Vulnerability from github – Published: 2025-03-19 18:30 – Updated: 2025-03-21 15:41Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 1.0.31.v4a"
},
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:zohoqengine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.31.v4a_b_1db_6d6a_f2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-30197"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-549"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-20T13:17:59Z",
"nvd_published_at": "2025-03-19T16:15:34Z",
"severity": "LOW"
},
"details": "Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.",
"id": "GHSA-2x3g-rr4w-4qrp",
"modified": "2025-03-21T15:41:33Z",
"published": "2025-03-19T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30197"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/zohoqengine-plugin/commit/4ab1db6d6af21f43dd15cc328599445519875fa8"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/zohoqengine-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-03-19/#SECURITY-3511"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jenkins Zoho QEngine Plugin Displays Unmasked API Keys"
}
GHSA-4352-JXWG-88RM
Vulnerability from github – Published: 2025-02-04 00:32 – Updated: 2025-03-13 19:19Missing password field masking in the Zoom Jenkins Marketplace plugin before version 1.6 may allow an unauthenticated user to conduct a disclosure of information via adjacent network access.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:zoom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-0148"
],
"database_specific": {
"cwe_ids": [
"CWE-549"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-13T19:19:18Z",
"nvd_published_at": "2025-02-03T23:15:08Z",
"severity": "LOW"
},
"details": "Missing password field masking in the Zoom Jenkins Marketplace plugin before version 1.6 may allow an unauthenticated user to conduct a disclosure of information via adjacent network access.",
"id": "GHSA-4352-jxwg-88rm",
"modified": "2025-03-13T19:19:18Z",
"published": "2025-02-04T00:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0148"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/zoom-plugin"
},
{
"type": "WEB",
"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Zoom Plugin is Missing Password Field Masking"
}
GHSA-43H6-XXQH-8CXP
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).
This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.
{
"affected": [],
"aliases": [
"CVE-2026-3314"
],
"database_specific": {
"cwe_ids": [
"CWE-549"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T07:16:18Z",
"severity": "MODERATE"
},
"details": "Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules).\n\nThis issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00.",
"id": "GHSA-43h6-xxqh-8cxp",
"modified": "2026-05-26T13:30:54Z",
"published": "2026-05-26T13:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3314"
},
{
"type": "WEB",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-120/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5H4V-FJX7-95CQ
Vulnerability from github – Published: 2023-06-02 06:30 – Updated: 2024-11-01 00:31Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.
{
"affected": [],
"aliases": [
"CVE-2023-2062"
],
"database_specific": {
"cwe_ids": [
"CWE-549",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T05:15:10Z",
"severity": "MODERATE"
},
"details": "Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.",
"id": "GHSA-5h4v-fjx7-95cq",
"modified": "2024-11-01T00:31:59Z",
"published": "2023-06-02T06:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2062"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU92908006"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-02"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2023-004.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7F8P-4MQ8-5MPQ
Vulnerability from github – Published: 2023-05-17 03:30 – Updated: 2024-04-04 04:12Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the software.
{
"affected": [],
"aliases": [
"CVE-2023-1763"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-549"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-17T01:15:09Z",
"severity": "MODERATE"
},
"details": "Canon IJ Network Tool/Ver.4.7.5 and earlier (supported OS: OS X 10.9.5-macOS 13),IJ Network Tool/Ver.4.7.3 and earlier (supported OS: OS X 10.7.5-OS X 10.8) allows an attacker to acquire sensitive information on the Wi-Fi connection setup of the printer from the software.",
"id": "GHSA-7f8p-4mq8-5mpq",
"modified": "2024-04-04T04:12:56Z",
"published": "2023-05-17T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1763"
},
{
"type": "WEB",
"url": "https://psirt.canon/advisory-information/cp2023-002"
},
{
"type": "WEB",
"url": "https://psirt.canon/hardening"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9RR5-8349-J433
Vulnerability from github – Published: 2025-12-09 18:30 – Updated: 2025-12-09 18:30Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability.
{
"affected": [],
"aliases": [
"CVE-2025-42904"
],
"database_specific": {
"cwe_ids": [
"CWE-549"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T16:17:52Z",
"severity": "MODERATE"
},
"details": "Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability.",
"id": "GHSA-9rr5-8349-j433",
"modified": "2025-12-09T18:30:37Z",
"published": "2025-12-09T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42904"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3662324"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C978-WQ47-PVVW
Vulnerability from github – Published: 2025-11-12 21:30 – Updated: 2025-11-15 03:13Summary
If a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console.
Example
Using sudo-rs:
geiger@cerberus:~$ sudo -s
[sudo: authenticate] Password: sudo-rs: timed out
geiger@cerberus:~$ testtesttest
"testtesttest" was entered at the password prompt but not confirmed by pressing return and then waiting for the timeout.
Impact
This could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks.
Versions affected
Passwords timeouts were added in sudo-rs 0.2.7 (with a default set to 5 minutes).
Credits
This issue was discovered and reported by @DevLaTron.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "sudo-rs"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.7"
},
{
"fixed": "0.2.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64170"
],
"database_specific": {
"cwe_ids": [
"CWE-549"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-12T21:30:11Z",
"nvd_published_at": "2025-11-12T21:15:53Z",
"severity": "LOW"
},
"details": "### Summary\nIf a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens, the keystrokes that were entered are echoed back to the console.\n\n### Example\nUsing sudo-rs:\n```\ngeiger@cerberus:~$ sudo -s\n[sudo: authenticate] Password: sudo-rs: timed out\ngeiger@cerberus:~$ testtesttest\n```\n\n\"testtesttest\" was entered at the password prompt but not confirmed by pressing return and then waiting for the timeout.\n\n### Impact\nThis could reveal partial password information, possibly exposing history files when not carefully handled by the user and on screen, usable for Social Engineering or Pass-By attacks.\n\n### Versions affected\nPasswords timeouts were added in sudo-rs 0.2.7 (with a default set to 5 minutes).\n\n### Credits\nThis issue was discovered and reported by @DevLaTron.",
"id": "GHSA-c978-wq47-pvvw",
"modified": "2025-11-15T03:13:07Z",
"published": "2025-11-12T21:30:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64170"
},
{
"type": "WEB",
"url": "https://github.com/trifectatechfoundation/sudo-rs/commit/0e3d3837aec3ee9fb5dcb8bfe11e8adb367f58f4"
},
{
"type": "PACKAGE",
"url": "https://github.com/trifectatechfoundation/sudo-rs"
},
{
"type": "WEB",
"url": "https://github.com/trifectatechfoundation/sudo-rs/releases/tag/v0.2.10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "sudo-rs: Partial password reveal is possible after timeout"
}
Mitigation
Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.
No CAPEC attack patterns related to this CWE.