Common Weakness Enumeration

CWE-549

Allowed

Missing Password Field Masking

Abstraction: Base · Status: Draft

The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

26 vulnerabilities reference this CWE, most recent first.

GHSA-CPM5-CQR9-7P79

Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2022-12-09 20:01
VLAI
Summary
Jenkins BigPanda Notifier Plugin Missing Password Field Masking
Details

BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:bigpanda-jenkins"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-549"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-23T13:18:08Z",
    "nvd_published_at": "2022-09-21T16:15:00Z",
    "severity": "LOW"
  },
  "details": "BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file `BigpandaGlobalNotifier.xml` on the Jenkins controller as part of its configuration.\n\nThis API key can be viewed by users with access to the Jenkins controller file system.\n\nAdditionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.",
  "id": "GHSA-cpm5-cqr9-7p79",
  "modified": "2022-12-09T20:01:45Z",
  "published": "2022-09-22T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41248"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/bigpanda-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2243"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/09/21/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins BigPanda Notifier Plugin Missing Password Field Masking"
}

GHSA-FJPM-J8HW-F3CW

Vulnerability from github – Published: 2024-10-18 21:32 – Updated: 2024-10-18 21:32
VLAI
Details

A vulnerability was found in Topdata Inner Rep Plus WebServer 2.01. It has been classified as problematic. Affected is an unknown function of the file /InnerRepPlus.html of the component Operator Details Form. The manipulation leads to missing password field masking. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-549"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-18T19:15:13Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Topdata Inner Rep Plus WebServer 2.01. It has been classified as problematic. Affected is an unknown function of the file /InnerRepPlus.html of the component Operator Details Form. The manipulation leads to missing password field masking. It is possible to launch the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-fjpm-j8hw-f3cw",
  "modified": "2024-10-18T21:32:18Z",
  "published": "2024-10-18T21:32:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10122"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.280914"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.280914"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.421292"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-H59V-X7WR-GQ9P

Vulnerability from github – Published: 2026-01-14 15:32 – Updated: 2026-01-14 15:32
VLAI
Details

Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers are only those with a password-protected scan workflow connector. This issue affects Y Soft SafeQ 6 in versions before MU106.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-549"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-14T13:16:09Z",
    "severity": "MODERATE"
  },
  "details": "Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools.\u00a0The affected customers are only those with a password-protected scan workflow connector.\nThis issue affects Y Soft SafeQ 6 in versions before MU106.",
  "id": "GHSA-h59v-x7wr-gq9p",
  "modified": "2026-01-14T15:32:59Z",
  "published": "2026-01-14T15:32:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13175"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/en/posts/2026/01/CVE-2025-13175"
    },
    {
      "type": "WEB",
      "url": "https://docs.ysoft.cloud/safeq6/latest/safeq6/release-notes-build-106"
    },
    {
      "type": "WEB",
      "url": "https://www.ysoft.com/safeq"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MF4P-WJRM-CMJP

Vulnerability from github – Published: 2022-10-19 19:00 – Updated: 2022-12-16 19:53
VLAI
Summary
AWS secrets displayed without masking by Jenkins S3 Explorer Plugin
Details

S3 Explorer Plugin stores AWS_SECRET_ACCESS_KEY in its global configuration file s3explorer.xml on the Jenkins controller as part of its configuration.

While this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8 and earlier the global configuration form does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.plugins:s3explorer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-43426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-549"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-19T21:22:54Z",
    "nvd_published_at": "2022-10-19T16:15:00Z",
    "severity": "LOW"
  },
  "details": "S3 Explorer Plugin stores AWS_SECRET_ACCESS_KEY in its global configuration file `s3explorer.xml` on the Jenkins controller as part of its configuration.\n\nWhile this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8 and earlier the global configuration form does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.",
  "id": "GHSA-mf4p-wjrm-cmjp",
  "modified": "2022-12-16T19:53:45Z",
  "published": "2022-10-19T19:00:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43426"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/s3explorer-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2480"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AWS secrets displayed without masking by Jenkins S3 Explorer Plugin"
}

GHSA-W54X-XFXG-4GXQ

Vulnerability from github – Published: 2025-08-28 13:33 – Updated: 2026-07-02 20:27
VLAI
Summary
NeuVector process with sensitive arguments lead to leakage
Details

Impact

When a Java command with password parameters is executed and terminated by NeuVector for Process rule violation. For example,

java -cp /app ... Djavax.net.ssl.trustStorePassword=<Password>

The command with the password appears in the NeuVector security event. To prevent this, NeuVector uses the following default regular expression to detect and redact sensitive data from process commands:

(?i)(password|passwd|token)

Also, you can define custom patterns to redact by creating a Kubernetes ConfigMap. For example:

kubectl create configmap neuvector-custom-rules --from-file=secret-patterns.yaml -n neuvector

Sample secret-patterns.yaml content:

Pattern_list:
  - (?i)(pawd|pword)
  - (?i)(secret)

NeuVector uses the default and custom regex to decide whether the process command in a security event should be redacted.

Note: If numerous regular expression (regex) patterns are configured in the Kubernetes ConfigMap for extended coverage of sensitive data matching, it can significantly impact performance of NeuVector enforcer, particularly in scenarios involving large inputs or frequent execution. The primary factor contributing to performance issues in regex is backtracking, where the regex engine attempts various matching paths when a pattern doesn't immediately find a match.

Patches

This issue is fixed in NeuVector version 5.4.6 and later.

Workarounds

There is no workaround. Upgrade to a patched version of NeuVector as soon as possible.

References

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/neuvector/neuvector"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250902144615-f9ddbdf42031"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522",
      "CWE-549"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-28T13:33:23Z",
    "nvd_published_at": "2025-09-17T13:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen a Java command with password parameters is executed and terminated by NeuVector for Process rule violation. For example, \n\n```\njava -cp /app ... Djavax.net.ssl.trustStorePassword=\u003cPassword\u003e\n```\n\nThe command with the password appears in the NeuVector security event. To prevent this, NeuVector uses the following default regular expression to detect and redact sensitive data from process commands:\n\n```\n(?i)(password|passwd|token)\n```\n\nAlso, you can define custom patterns to redact by creating a Kubernetes ConfigMap. For example:\n\n```\nkubectl create configmap neuvector-custom-rules --from-file=secret-patterns.yaml -n neuvector\n```\n\nSample `secret-patterns.yaml` content:\n\n```\nPattern_list:\n  - (?i)(pawd|pword)\n  - (?i)(secret)\n```\n\nNeuVector uses the default and custom regex to decide whether the process command in a security event should be redacted.\n\n**Note:** If numerous regular expression (regex) patterns are configured in the Kubernetes ConfigMap for extended coverage of sensitive data matching, it can significantly impact performance of NeuVector enforcer, particularly in scenarios involving large inputs or frequent execution. The primary factor contributing to performance issues in regex is backtracking, where the regex engine attempts various matching paths when a pattern doesn\u0027t immediately find a match.\n\n### Patches\n\nThis issue is fixed in NeuVector version **5.4.6** and later.\n\n### Workarounds\n\nThere is no workaround. Upgrade to a patched version of NeuVector as soon as possible.\n\n### References\n\nIf you have any questions or comments about this advisory:\n\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
  "id": "GHSA-w54x-xfxg-4gxq",
  "modified": "2026-07-02T20:27:23Z",
  "published": "2025-08-28T13:33:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54467"
    },
    {
      "type": "WEB",
      "url": "https://github.com/neuvector/neuvector/commit/f9ddbdf420319cede3c490c1de03f48d953896ae"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-54467"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/neuvector/neuvector"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NeuVector process with sensitive arguments lead to leakage"
}

GHSA-X83H-6QGP-HW2H

Vulnerability from github – Published: 2024-01-16 03:30 – Updated: 2024-01-16 03:30
VLAI
Details

Missing Password Field Masking vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Agent component).This issue affects Hitachi Device Manager: before 8.8.5-04.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522",
      "CWE-549"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-16T01:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Missing Password Field Masking vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Agent component).This issue affects Hitachi Device Manager: before 8.8.5-04.\n\n",
  "id": "GHSA-x83h-6qgp-hw2h",
  "modified": "2024-01-16T03:30:18Z",
  "published": "2024-01-16T03:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49106"
    },
    {
      "type": "WEB",
      "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-101/index.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation Requirements

Recommendations include requiring all password fields in your web application be masked to prevent other users from seeing this information.

No CAPEC attack patterns related to this CWE.