CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-7H49-6H73-GRW2
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2022-10-01 00:00An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. Unrestricted access to a high-level system-usage summary allows an attacker to obtain project names and usage metrics.
{
"affected": [],
"aliases": [
"CVE-2020-15775"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-18T14:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. Unrestricted access to a high-level system-usage summary allows an attacker to obtain project names and usage metrics.",
"id": "GHSA-7h49-6h73-grw2",
"modified": "2022-10-01T00:00:25Z",
"published": "2022-05-24T17:28:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15775"
},
{
"type": "WEB",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"type": "WEB",
"url": "https://security.gradle.com/advisory/CVE-2020-15775"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7P4C-4HVH-3RQ2
Vulnerability from github – Published: 2024-05-17 09:30 – Updated: 2024-05-17 09:30Insecure Storage of Sensitive Information vulnerability in WPMU DEV Defender Security allows : Screen Temporary Files for Sensitive Information.This issue affects Defender Security: from n/a through 3.3.2.
{
"affected": [],
"aliases": [
"CVE-2022-44581"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T07:15:46Z",
"severity": "MODERATE"
},
"details": "Insecure Storage of Sensitive Information vulnerability in WPMU DEV Defender Security allows : Screen Temporary Files for Sensitive Information.This issue affects Defender Security: from n/a through 3.3.2.",
"id": "GHSA-7p4c-4hvh-3rq2",
"modified": "2024-05-17T09:30:58Z",
"published": "2024-05-17T09:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44581"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/defender-security/wordpress-defender-security-plugin-3-3-2-broken-authentication-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7R8R-45G3-PMF8
Vulnerability from github – Published: 2025-05-22 21:30 – Updated: 2025-05-22 21:30Serialized configuration information may be disclosed during device commissioning while using ASPECT's configuration toolsetThis issue affects ASPECT-Enterprise: through 3.; NEXUS Series: through 3.; MATRIX Series: through 3.*.
{
"affected": [],
"aliases": [
"CVE-2024-13954"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-22T19:15:39Z",
"severity": "MODERATE"
},
"details": "Serialized configuration information may be disclosed during device commissioning while using ASPECT\u0027s configuration toolsetThis issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.",
"id": "GHSA-7r8r-45g3-pmf8",
"modified": "2025-05-22T21:30:47Z",
"published": "2025-05-22T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13954"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021\u0026LanguageCode=en\u0026DocumentPartId=pdf\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7RQ6-HG5Q-VCX9
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-10-14 19:00Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2019-13719"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-25T15:15:00Z",
"severity": "MODERATE"
},
"details": "Incorrect security UI in full screen mode in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to hide security UI via a crafted HTML page.",
"id": "GHSA-7rq6-hg5q-vcx9",
"modified": "2022-10-14T19:00:35Z",
"published": "2022-05-24T17:01:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13719"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html"
},
{
"type": "WEB",
"url": "https://crbug.com/927150"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7W8X-FX6M-5H6X
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:06The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository.
{
"affected": [],
"aliases": [
"CVE-2019-14957"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-01T16:15:00Z",
"severity": "MODERATE"
},
"details": "The JetBrains Vim plugin before version 0.52 was storing individual project data in the global vim_settings.xml file. This xml file could be synchronized to a publicly accessible GitHub repository.",
"id": "GHSA-7w8x-fx6m-5h6x",
"modified": "2024-04-04T02:06:20Z",
"published": "2022-05-24T16:57:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14957"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2019/09/26/jetbrains-security-bulletin-q2-2019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7WJ2-558X-H38C
Vulnerability from github – Published: 2023-07-17 21:31 – Updated: 2024-04-04 06:11Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
{
"affected": [],
"aliases": [
"CVE-2023-28864"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-17T20:15:13Z",
"severity": "MODERATE"
},
"details": "Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the \"chef-server-ctl reconfigure\" command.",
"id": "GHSA-7wj2-558x-h38c",
"modified": "2024-04-04T06:11:48Z",
"published": "2023-07-17T21:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28864"
},
{
"type": "WEB",
"url": "https://blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation"
},
{
"type": "WEB",
"url": "https://docs.chef.io/release_notes_server"
},
{
"type": "WEB",
"url": "https://github.com/chef/chef-server/blob/8a2dc82148844767f7c7728633a03dcee812e56a/omnibus/files/server-ctl-cookbooks/infra-server/recipes/oc_bifrost.rb#L42"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7WVC-54WP-PV8X
Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2025-11-04 00:32The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to access user-sensitive data.
{
"affected": [],
"aliases": [
"CVE-2024-54477"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T02:15:29Z",
"severity": "MODERATE"
},
"details": "The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to access user-sensitive data.",
"id": "GHSA-7wvc-54wp-pv8x",
"modified": "2025-11-04T00:32:12Z",
"published": "2024-12-12T03:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54477"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121839"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121840"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121842"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/7"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/8"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Dec/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-84PQ-42VW-9J2M
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.
{
"affected": [],
"aliases": [
"CVE-2019-19561"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-16T00:15:00Z",
"severity": "LOW"
},
"details": "A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.",
"id": "GHSA-84pq-42vw-9j2m",
"modified": "2022-05-24T17:34:15Z",
"published": "2022-05-24T17:34:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19561"
},
{
"type": "WEB",
"url": "https://media.daimler.com/marsMediaSite/en/instance/ko/Mercedes-Benz-and-360-Group-to-join-forces-Mercedes-Benz-and-360-Group-with-its-Cyber-Security-Brain-work-together-to-strengthen-car-IT-security-for-industry.xhtml?oid=45208829"
},
{
"type": "WEB",
"url": "https://skygo.360.cn/archive/Security-Research-Report-on-Mercedes-Benz-Cars-en.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-85VG-GRR5-PW42
Vulnerability from github – Published: 2022-05-04 00:00 – Updated: 2022-05-18 19:29Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request. From this, the attacker can get the victim's cookie, base64 decode it, and obtain a cleartext password, leading to getting API documentation for further API attacks.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "strapi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@strapi/strapi"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-46440"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-18T19:29:59Z",
"nvd_published_at": "2022-05-03T18:15:00Z",
"severity": "HIGH"
},
"details": "Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim\u0027s HTTP request. From this, the attacker can get the victim\u0027s cookie, base64 decode it, and obtain a cleartext password, leading to getting API documentation for further API attacks.",
"id": "GHSA-85vg-grr5-pw42",
"modified": "2022-05-18T19:29:59Z",
"published": "2022-05-04T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46440"
},
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/pull/12246"
},
{
"type": "PACKAGE",
"url": "https://github.com/strapi/strapi"
},
{
"type": "WEB",
"url": "https://hub.docker.com/r/strapi/strapi"
},
{
"type": "WEB",
"url": "https://strapi.io"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/166915/Strapi-3.6.8-Password-Disclosure-Insecure-Handling.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insecure password handling vulnerability in Strapi"
}
GHSA-879X-4CWP-MQV7
Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2025-04-20 03:48SanDisk Secure Access 3.01 vault decrypts and copies encrypted files to a temporary folder, where they can remain indefinitely in certain situations, such as if the file is being edited when the user exits the application or if the application crashes.
{
"affected": [],
"aliases": [
"CVE-2017-16560"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-16T15:29:00Z",
"severity": "MODERATE"
},
"details": "SanDisk Secure Access 3.01 vault decrypts and copies encrypted files to a temporary folder, where they can remain indefinitely in certain situations, such as if the file is being edited when the user exits the application or if the application crashes.",
"id": "GHSA-879x-4cwp-mqv7",
"modified": "2025-04-20T03:48:33Z",
"published": "2022-05-13T01:44:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16560"
},
{
"type": "WEB",
"url": "https://medium.com/%40esterling_/cve-2017-16560-sandisk-secure-access-leaves-plain-text-copies-of-files-on-disk-4eabeca6bdbc"
},
{
"type": "WEB",
"url": "https://medium.com/@esterling_/cve-2017-16560-sandisk-secure-access-leaves-plain-text-copies-of-files-on-disk-4eabeca6bdbc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.