CWE-922
Allowed-with-ReviewInsecure Storage of Sensitive Information
Abstraction: Class · Status: Incomplete
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
437 vulnerabilities reference this CWE, most recent first.
GHSA-Q93Q-V844-JRQP
Vulnerability from github – Published: 2026-04-14 20:09 – Updated: 2026-04-24 21:10kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. because context.apiCall.service.url is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy).
namespaced policies are blocked from servicecall usage by the namespaced urlPath gate in pkg/engine/apicall/apiCall.go, so this report is scoped to ClusterPolicy and global context usage.
attacker model
the attacker can create or update a ClusterPolicy (or create a GlobalContextEntry) which uses context.apiCall.service.url and can choose the request URL and headers. a cross-boundary framing for real deployments is gitops: if the policy repo/controller is compromised, the ClusterPolicy/global context entry becomes untrusted input to kyverno.
relevant links
- repository: https://github.com/kyverno/kyverno
- commit: 17aeb52337fd66adb0c8126213ba076612a287a7
- callsite (token injection): https://github.com/kyverno/kyverno/blob/17aeb52337fd66adb0c8126213ba076612a287a7/pkg/engine/apicall/executor.go#L150-L173
- namespaced policy gate (servicecall blocked): https://github.com/kyverno/kyverno/blob/17aeb52337fd66adb0c8126213ba076612a287a7/pkg/engine/apicall/apiCall.go#L67-L83
root cause
in (*executor).addHTTPHeaders, kyverno reads the serviceaccount token from /var/run/secrets/kubernetes.io/serviceaccount/token and injects it when the outgoing request has no Authorization header:
if req.Header.Get("Authorization") == "" {
token := a.getToken()
if token != "" {
req.Header.Add("Authorization", "Bearer "+token)
}
}
proof of concept
the attached poc.zip is a reproducible cluster PoC. it uses an in-cluster HTTP receiver which logs the Authorization header it receives. the PoC does not print token bytes; it only checks that the received header is non-empty and not equal to the negative control.
run (one command):
unzip poc.zip -d poc
cd poc
make test
canonical (expected: implicit token injection):
unzip poc.zip -d poc
cd poc
make canonical
expected output includes:
[CALLSITE_HIT]: executor.addHTTPHeaders Authorization=="" -> read_serviceaccount_token=true
[PROOF_MARKER]: authorization_header_injected=true token_nonempty=true
control (expected: explicit Authorization header disables auto-injection):
unzip poc.zip -d poc
cd poc
make control
expected output includes:
[CALLSITE_HIT]: executor.addHTTPHeaders Authorization!="" -> autoinject_skipped=true
[NC_MARKER]: authorization_header_injected=false
optional: the canonical run may also print an [RBAC]: ... line using kubectl auth can-i with the exfiltrated token, to show concrete privileges without exposing the token.
impact
token exfiltration: the kyverno controller serviceaccount token is sent to a policy-controlled endpoint. impact depends on the rbac bound to that serviceaccount in the target deployment.
recommended fix
do not auto-inject the kyverno serviceaccount token into policy-controlled servicecall requests. require explicit Authorization configuration, or enforce a strict allowlist of destinations where credentials may be attached and document the behavior.
workarounds
- avoid using servicecall to arbitrary urls in policies.
- set an explicit Authorization header in servicecall policies to prevent implicit token injection.
oleh
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/kyverno/kyverno"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40868"
],
"database_specific": {
"cwe_ids": [
"CWE-441",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T20:09:00Z",
"nvd_published_at": "2026-04-21T19:16:18Z",
"severity": "HIGH"
},
"details": "kyverno\u2019s apiCall servicecall helper implicitly injects `Authorization: Bearer ...` using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. because `context.apiCall.service.url` is policy-controlled, this can send the kyverno serviceaccount token to an attacker-controlled endpoint (confused deputy).\n\nnamespaced policies are blocked from servicecall usage by the namespaced `urlPath` gate in `pkg/engine/apicall/apiCall.go`, so this report is scoped to ClusterPolicy and global context usage.\n\n## attacker model\n\nthe attacker can create or update a ClusterPolicy (or create a GlobalContextEntry) which uses `context.apiCall.service.url` and can choose the request URL and headers. a cross-boundary framing for real deployments is gitops: if the policy repo/controller is compromised, the ClusterPolicy/global context entry becomes untrusted input to kyverno.\n\n## relevant links\n\n- repository: https://github.com/kyverno/kyverno\n- commit: 17aeb52337fd66adb0c8126213ba076612a287a7\n- callsite (token injection): https://github.com/kyverno/kyverno/blob/17aeb52337fd66adb0c8126213ba076612a287a7/pkg/engine/apicall/executor.go#L150-L173\n- namespaced policy gate (servicecall blocked): https://github.com/kyverno/kyverno/blob/17aeb52337fd66adb0c8126213ba076612a287a7/pkg/engine/apicall/apiCall.go#L67-L83\n\n## root cause\n\nin `(*executor).addHTTPHeaders`, kyverno reads the serviceaccount token from `/var/run/secrets/kubernetes.io/serviceaccount/token` and injects it when the outgoing request has no Authorization header:\n\n```go\nif req.Header.Get(\"Authorization\") == \"\" {\n token := a.getToken()\n if token != \"\" {\n req.Header.Add(\"Authorization\", \"Bearer \"+token)\n }\n}\n```\n\n## proof of concept\n\nthe attached `poc.zip` is a reproducible cluster PoC. it uses an in-cluster HTTP receiver which logs the Authorization header it receives. the PoC does not print token bytes; it only checks that the received header is non-empty and not equal to the negative control.\n\nrun (one command):\n\n```bash\nunzip poc.zip -d poc\ncd poc\nmake test\n```\n\ncanonical (expected: implicit token injection):\n\n```bash\nunzip poc.zip -d poc\ncd poc\nmake canonical\n```\n\nexpected output includes:\n\n```\n[CALLSITE_HIT]: executor.addHTTPHeaders Authorization==\"\" -\u003e read_serviceaccount_token=true\n[PROOF_MARKER]: authorization_header_injected=true token_nonempty=true\n```\n\ncontrol (expected: explicit Authorization header disables auto-injection):\n\n```bash\nunzip poc.zip -d poc\ncd poc\nmake control\n```\n\nexpected output includes:\n\n```\n[CALLSITE_HIT]: executor.addHTTPHeaders Authorization!=\"\" -\u003e autoinject_skipped=true\n[NC_MARKER]: authorization_header_injected=false\n```\n\noptional: the canonical run may also print an `[RBAC]: ...` line using `kubectl auth can-i` with the exfiltrated token, to show concrete privileges without exposing the token.\n\n## impact\n\ntoken exfiltration: the kyverno controller serviceaccount token is sent to a policy-controlled endpoint. impact depends on the rbac bound to that serviceaccount in the target deployment.\n\n## recommended fix\n\ndo not auto-inject the kyverno serviceaccount token into policy-controlled servicecall requests. require explicit Authorization configuration, or enforce a strict allowlist of destinations where credentials may be attached and document the behavior.\n\n## workarounds\n\n- avoid using servicecall to arbitrary urls in policies.\n- set an explicit Authorization header in servicecall policies to prevent implicit token injection.\n\n\n[poc.zip](https://github.com/user-attachments/files/25352288/poc.zip)\n[PR_DESCRIPTION.md](https://github.com/user-attachments/files/25352289/PR_DESCRIPTION.md)\n\noleh",
"id": "GHSA-q93q-v844-jrqp",
"modified": "2026-04-24T21:10:06Z",
"published": "2026-04-14T20:09:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-q93q-v844-jrqp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40868"
},
{
"type": "PACKAGE",
"url": "https://github.com/kyverno/kyverno"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token"
}
GHSA-QC9V-R7RW-WVM2
Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-14 00:01Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID.
{
"affected": [],
"aliases": [
"CVE-2021-25524"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-08T15:15:00Z",
"severity": "LOW"
},
"details": "Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID.",
"id": "GHSA-qc9v-r7rw-wvm2",
"modified": "2021-12-14T00:01:35Z",
"published": "2021-12-09T00:00:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25524"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=12"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QG5P-R35G-XQFM
Vulnerability from github – Published: 2022-12-15 21:30 – Updated: 2022-12-20 15:30An issue existed with the file paths used to store website data. The issue was resolved by improving how website data is stored. This issue is fixed in iOS 16. An unauthorized user may be able to access browsing history.
{
"affected": [],
"aliases": [
"CVE-2022-32833"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue existed with the file paths used to store website data. The issue was resolved by improving how website data is stored. This issue is fixed in iOS 16. An unauthorized user may be able to access browsing history.",
"id": "GHSA-qg5p-r35g-xqfm",
"modified": "2022-12-20T15:30:37Z",
"published": "2022-12-15T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32833"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213446"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213442"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QP84-727M-58QV
Vulnerability from github – Published: 2025-01-14 18:31 – Updated: 2025-01-23 18:31An access control issue in the component /api/squareComment/DelectSquareById of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.
{
"affected": [],
"aliases": [
"CVE-2025-22984"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T16:15:35Z",
"severity": "HIGH"
},
"details": "An access control issue in the component /api/squareComment/DelectSquareById of iceCMS v2.2.0 allows unauthenticated attackers to access sensitive information.",
"id": "GHSA-qp84-727m-58qv",
"modified": "2025-01-23T18:31:16Z",
"published": "2025-01-14T18:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22984"
},
{
"type": "WEB",
"url": "https://github.com/H3rmesk1t/vulnerability-paper/blob/main/iceCMS-2.2.0-Incorrect%20Access%20Control2.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QPJ5-F88Q-X7PX
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2025-05-30 14:02In manage_proj_edit_page.php in MantisBT before 2.24.4, any unprivileged logged-in user can retrieve Private Projects' names via the manage_proj_edit_page.php project_id parameter, without having access to them.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mantisbt/mantisbt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.24.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-29603"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-30T14:02:21Z",
"nvd_published_at": "2021-01-29T07:15:00Z",
"severity": "MODERATE"
},
"details": "In manage_proj_edit_page.php in MantisBT before 2.24.4, any unprivileged logged-in user can retrieve Private Projects\u0027 names via the manage_proj_edit_page.php project_id parameter, without having access to them.",
"id": "GHSA-qpj5-f88q-x7px",
"modified": "2025-05-30T14:02:21Z",
"published": "2022-05-24T17:40:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29603"
},
{
"type": "WEB",
"url": "https://github.com/mantisbt/mantisbt/commit/cff10f266f67e2da3060ea4d0b9ecbb29c21b869"
},
{
"type": "PACKAGE",
"url": "https://github.com/mantisbt/mantisbt"
},
{
"type": "WEB",
"url": "https://mantisbt.org/bugs/view.php?id=27357"
},
{
"type": "WEB",
"url": "https://mantisbt.org/bugs/view.php?id=27726"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "MantisBT Insecure Storage in manage_proj_edit_page.php"
}
GHSA-QPXM-689R-3849
Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2024-10-31 16:57Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel. This issue affects Apache Camel: from 3.0.0 through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.
Users are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.camel:camel-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.21.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.camel:camel-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.22.0"
},
{
"fixed": "3.22.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.22.0"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.camel:camel-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.camel:camel-core"
},
"ranges": [
{
"events": [
{
"introduced": "4.1.0"
},
{
"fixed": "4.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-22371"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-922"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-26T21:30:37Z",
"nvd_published_at": "2024-02-26T16:27:56Z",
"severity": "LOW"
},
"details": "Exposure of sensitive data by by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel. This issue affects Apache Camel: from 3.0.0 through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0.\n\nUsers are recommended to upgrade to version 3.21.4, 3.22.1, 4.0.4 or 4.4.0, which fixes the issue.\n\n",
"id": "GHSA-qpxm-689r-3849",
"modified": "2024-10-31T16:57:20Z",
"published": "2024-02-26T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22371"
},
{
"type": "WEB",
"url": "https://camel.apache.org/security/CVE-2024-22371.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/camel"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/CAMEL-20305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Camel data exposure vulnerability"
}
GHSA-QQ2Q-77MX-9G8P
Vulnerability from github – Published: 2025-02-04 09:31 – Updated: 2025-02-04 09:31Inclusion of sensitive information in test code in softsim TA prior to SMR Jan-2025 Release 1 allows local privileged attackers to get test key.
{
"affected": [],
"aliases": [
"CVE-2025-20886"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-04T08:15:29Z",
"severity": "MODERATE"
},
"details": "Inclusion of sensitive information in test code in softsim TA prior to SMR Jan-2025 Release 1 allows local privileged attackers to get test key.",
"id": "GHSA-qq2q-77mx-9g8p",
"modified": "2025-02-04T09:31:08Z",
"published": "2025-02-04T09:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20886"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025\u0026month=01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQJ9-5C87-9CX7
Vulnerability from github – Published: 2024-10-01 12:30 – Updated: 2024-10-01 12:30HCL Nomad server on Domino did not configure certain HTTP Security headers by default which could allow an attacker to obtain sensitive information via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2024-30132"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-01T12:15:03Z",
"severity": "LOW"
},
"details": "HCL Nomad server on Domino did not configure certain HTTP Security headers by default which could allow an attacker to obtain sensitive information via unspecified vectors.",
"id": "GHSA-qqj9-5c87-9cx7",
"modified": "2024-10-01T12:30:30Z",
"published": "2024-10-01T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30132"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0116298"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQR5-9J5G-M238
Vulnerability from github – Published: 2024-02-23 09:30 – Updated: 2024-02-23 09:30Sametime Connect desktop chat client includes, but does not use or require, the use of an Eclipse feature called Secure Storage. Using this Eclipse feature to store sensitive data can lead to exposure of that data.
{
"affected": [],
"aliases": [
"CVE-2023-37540"
],
"database_specific": {
"cwe_ids": [
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-23T07:15:47Z",
"severity": "LOW"
},
"details": "Sametime Connect desktop chat client includes, but does not use or require, the use of an Eclipse feature called Secure Storage. Using this Eclipse feature to store sensitive data can lead to exposure of that data.\n",
"id": "GHSA-qqr5-9j5g-m238",
"modified": "2024-02-23T09:30:38Z",
"published": "2024-02-23T09:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37540"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109082"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QRCV-JF73-5VRQ
Vulnerability from github – Published: 2024-05-02 18:30 – Updated: 2024-05-02 18:30The WP Meta SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.12 via the meta description. This makes it possible for unauthenticated attackers to disclose potentially sensitive information via the meta description of password-protected posts.
{
"affected": [],
"aliases": [
"CVE-2023-6962"
],
"database_specific": {
"cwe_ids": [
"CWE-1230",
"CWE-922"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-02T17:15:08Z",
"severity": "MODERATE"
},
"details": "The WP Meta SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.12 via the meta description. This makes it possible for unauthenticated attackers to disclose potentially sensitive information via the meta description of password-protected posts.",
"id": "GHSA-qrcv-jf73-5vrq",
"modified": "2024-05-02T18:30:51Z",
"published": "2024-05-02T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6962"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3071453%40wp-meta-seo%2Ftrunk\u0026old=3068145%40wp-meta-seo%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0323b54b-c15b-4d2d-9e8f-3df87c84dd49?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.