Common Weakness Enumeration

CWE-921

Allowed

Storage of Sensitive Data in a Mechanism without Access Control

Abstraction: Base · Status: Incomplete

The product stores sensitive information in a file system or device that does not have built-in access control.

17 vulnerabilities reference this CWE, most recent first.

GHSA-36CM-H8GV-MG97

Vulnerability from github – Published: 2023-05-19 18:30 – Updated: 2023-05-19 23:45
VLAI
Summary
RosarioSIS Stores Sensitive Data in a Mechanism without Access Control
Details

RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the salaries module. In addition, the file names contain a date in a YYYY-MM-DD format and a random six-string digit, making enumerating file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "francoisjacquet/rosariosis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-2665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-921",
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-19T23:45:12Z",
    "nvd_published_at": "2023-05-12T01:15:09Z",
    "severity": "HIGH"
  },
  "details": "RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the `salaries` module. In addition, the file names contain a date in a `YYYY-MM-DD` format and a random six-string digit, making enumerating file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.",
  "id": "GHSA-36cm-h8gv-mg97",
  "modified": "2023-05-19T23:45:12Z",
  "published": "2023-05-19T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2665"
    },
    {
      "type": "WEB",
      "url": "https://github.com/francoisjacquet/rosariosis/commit/09d5afaa6be07688ca1a7ac3b755b5438109e986"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/francoisjacquet/rosariosis"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/42f38a84-8954-484d-b5ff-706ca0918194"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RosarioSIS Stores Sensitive Data in a Mechanism without Access Control"
}

GHSA-4WRV-C229-VC5P

Vulnerability from github – Published: 2025-04-08 09:31 – Updated: 2025-04-08 09:31
VLAI
Details

SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to which there is high impact on the Confidentiality, Integrity & Availability of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-921"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T08:15:17Z",
    "severity": "CRITICAL"
  },
  "details": "SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to which there is high impact on the Confidentiality, Integrity \u0026 Availability of the application.",
  "id": "GHSA-4wrv-c229-vc5p",
  "modified": "2025-04-08T09:31:11Z",
  "published": "2025-04-08T09:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30016"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3572688"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9W44-6HCW-V783

Vulnerability from github – Published: 2025-02-28 18:31 – Updated: 2025-02-28 18:31
VLAI
Details

Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24843"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-921"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-28T17:15:17Z",
    "severity": "MODERATE"
  },
  "details": "Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data.",
  "id": "GHSA-9w44-6hcw-v783",
  "modified": "2025-02-28T18:31:05Z",
  "published": "2025-02-28T18:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24843"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01"
    },
    {
      "type": "WEB",
      "url": "https://www.dariohealth.com/contact"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HJ57-J5CW-2MWP

Vulnerability from github – Published: 2022-05-25 19:37 – Updated: 2026-03-11 19:49
VLAI
Summary
Ignition config accessible to unprivileged software on VMware
Details

Impact

Unprivileged software in VMware VMs, including software running in unprivileged containers, can retrieve an Ignition config stored in a hypervisor guestinfo variable or OVF environment. If the Ignition config contains secrets, this can result in the compromise of sensitive information.

Patches

Ignition 2.14.0 and later adds a new systemd service, ignition-delete-config.service, that deletes the Ignition config from supported hypervisors (currently VMware and VirtualBox) during the first boot. This ensures that unprivileged software cannot retrieve the Ignition config from the hypervisor.

If you have external tooling that requires the Ignition config to remain accessible in VM metadata after provisioning, and your Ignition config does not include sensitive information, you can prevent Ignition 2.14.0 and later from deleting the config by masking ignition-delete-config.service. For example:

{
  "ignition": {
    "version": "3.0.0"
  },
  "systemd": {
    "units": [
      {
        "name": "ignition-delete-config.service",
        "mask": true
      }
    ]
  }
}

Workarounds

Avoid storing secrets in Ignition configs. In addition to VMware, many cloud platforms allow unprivileged software in a VM to retrieve the Ignition config from a networked cloud metadata service. While platform-specific mitigation is possible, such as firewall rules that prevent access to the metadata service, it's best to store secrets in a dedicated platform such as Hashicorp Vault.

Advice to Linux distributions

Linux distributions that ship Ignition should ensure the new ignition-delete-config.service is installed and enabled by default.

In addition, we recommend shipping a service similar to ignition-delete-config.service that runs when existing machines are upgraded, similar to the one in https://github.com/coreos/fedora-coreos-config/pull/1738. Consider giving your users advance notice of this change, and providing instructions for masking ignition-delete-config.service on existing nodes if users have tooling that requires the Ignition config to remain accessible in VM metadata.

References

For more information, see #1300 and #1350.

For more information

If you have any questions or comments about this advisory, open an issue in Ignition or email the CoreOS development mailing list.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coreos/ignition/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.35.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coreos/ignition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-863",
      "CWE-921"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T19:37:37Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nUnprivileged software in VMware VMs, including software running in unprivileged containers, can retrieve an Ignition config stored in a hypervisor guestinfo variable or OVF environment.  If the Ignition config contains secrets, this can result in the compromise of sensitive information.\n\n### Patches\nIgnition 2.14.0 and later [adds](https://github.com/coreos/ignition/pull/1350) a new systemd service, `ignition-delete-config.service`, that deletes the Ignition config from supported hypervisors (currently VMware and VirtualBox) during the first boot.  This ensures that unprivileged software cannot retrieve the Ignition config from the hypervisor.\n\nIf you have external tooling that requires the Ignition config to remain accessible in VM metadata after provisioning, and your Ignition config does not include sensitive information, you can prevent Ignition 2.14.0 and later from deleting the config by masking `ignition-delete-config.service`.  For example:\n\n```json\n{\n  \"ignition\": {\n    \"version\": \"3.0.0\"\n  },\n  \"systemd\": {\n    \"units\": [\n      {\n        \"name\": \"ignition-delete-config.service\",\n        \"mask\": true\n      }\n    ]\n  }\n}\n```\n\n### Workarounds\n[Avoid storing secrets](https://coreos.github.io/ignition/operator-notes/#secrets) in Ignition configs. In addition to VMware, many cloud platforms allow unprivileged software in a VM to retrieve the Ignition config from a networked cloud metadata service. While platform-specific mitigation is possible, such as firewall rules that prevent access to the metadata service, it\u0027s best to store secrets in a dedicated platform such as [Hashicorp Vault](https://www.vaultproject.io/).\n\n### Advice to Linux distributions\nLinux distributions that ship Ignition should ensure the new `ignition-delete-config.service` is installed and enabled by default.\n\nIn addition, we recommend shipping a service similar to `ignition-delete-config.service` that runs when existing machines are upgraded, similar to the one in https://github.com/coreos/fedora-coreos-config/pull/1738. Consider giving your users advance notice of this change, and providing instructions for masking `ignition-delete-config.service` on existing nodes if users have tooling that requires the Ignition config to remain accessible in VM metadata.\n\n### References\nFor more information, see #1300 and #1350.\n\n### For more information\nIf you have any questions or comments about this advisory, [open an issue in Ignition](https://github.com/coreos/ignition/issues/new/choose) or email the CoreOS [development mailing list](https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.org/).",
  "id": "GHSA-hj57-j5cw-2mwp",
  "modified": "2026-03-11T19:49:57Z",
  "published": "2022-05-25T19:37:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coreos/ignition/security/advisories/GHSA-hj57-j5cw-2mwp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/ignition/issues/1300"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coreos/ignition/pull/1350"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coreos/ignition"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ignition config accessible to unprivileged software on VMware"
}

GHSA-JW8X-6495-233V

Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-10-25 16:47
VLAI
Summary
scikit-learn sensitive data leakage vulnerability
Details

A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the stop_words_ attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the stop_words_ attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scikit-learn"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-5206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-921",
      "CWE-922"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-17T22:31:08Z",
    "nvd_published_at": "2024-06-06T19:16:06Z",
    "severity": "MODERATE"
  },
  "details": "A sensitive data leakage vulnerability was identified in scikit-learn\u0027s TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.",
  "id": "GHSA-jw8x-6495-233v",
  "modified": "2024-10-25T16:47:32Z",
  "published": "2024-06-06T21:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5206"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/scikit-learn/PYSEC-2024-110.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scikit-learn/scikit-learn"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "scikit-learn sensitive data leakage vulnerability"
}

GHSA-QVFQ-26W4-9F8V

Vulnerability from github – Published: 2025-02-11 03:30 – Updated: 2025-02-11 03:30
VLAI
Details

SAP GUI for Windows & RFC service credentials are incorrectly stored in the memory of the program allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly sensitive information. This has no impact on integrity, and availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-24870"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-921"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-11T01:15:11Z",
    "severity": "MODERATE"
  },
  "details": "SAP GUI for Windows \u0026 RFC service credentials are incorrectly stored in the memory of the program allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly sensitive information. This has no impact on integrity, and availability.",
  "id": "GHSA-qvfq-26w4-9f8v",
  "modified": "2025-02-11T03:30:56Z",
  "published": "2025-02-11T03:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24870"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3562336"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W545-288R-RF3P

Vulnerability from github – Published: 2023-09-18 21:30 – Updated: 2025-04-15 21:31
VLAI
Details

** UNSUPPPORTED WHEN ASSIGNED **

Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-921",
      "CWE-922"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-18T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "** UNSUPPPORTED WHEN ASSIGNED ** \n\n\n\n\nSending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.",
  "id": "GHSA-w545-288r-rf3p",
  "modified": "2025-04-15T21:31:26Z",
  "published": "2023-09-18T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41965"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.