CWE-202
Exposure of Sensitive Information Through Data Queries
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
CVE-2021-32743 (GCVE-0-2021-32743)
Vulnerability from cvelistv5
Published
2021-07-15 16:05
Modified
2025-11-03 21:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-202 - Exposure of Sensitive Information Through Data Queries
Summary
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these passwords are no longer exposed via the API. As a workaround, API user permissions can be restricted to not allow querying of any affected objects, either by explicitly listing only the required object types for object query permissions, or by applying a filter rule.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:44:46.082Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/"
},
{
"name": "[debian-lts-announce] 20211110 [SECURITY] [DLA 2816-1] icinga2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "icinga2",
"vendor": "Icinga",
"versions": [
{
"status": "affected",
"version": "\u003c 2.11.10"
},
{
"status": "affected",
"version": "\u003e= 2.12.0, \u003c= 2.12.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these passwords are no longer exposed via the API. As a workaround, API user permissions can be restricted to not allow querying of any affected objects, either by explicitly listing only the required object types for object query permissions, or by applying a filter rule."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-10T23:06:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/"
},
{
"name": "[debian-lts-announce] 20211110 [SECURITY] [DLA 2816-1] icinga2 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html"
}
],
"source": {
"advisory": "GHSA-wrpw-pmr8-qgj7",
"discovery": "UNKNOWN"
},
"title": "Passwords used to access external services inadvertently exposed through API",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32743",
"STATE": "PUBLIC",
"TITLE": "Passwords used to access external services inadvertently exposed through API"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "icinga2",
"version": {
"version_data": [
{
"version_value": "\u003c 2.11.10"
},
{
"version_value": "\u003e= 2.12.0, \u003c= 2.12.4"
}
]
}
}
]
},
"vendor_name": "Icinga"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to authenticated API users with read permissions for the corresponding object types. IdoMysqlConnection and IdoPgsqlConnection (every released version) exposes the password of the user used to connect to the database. IcingaDB (added in 2.12.0) exposes the password used to connect to the Redis server. ElasticsearchWriter (added in 2.8.0)exposes the password used to connect to the Elasticsearch server. An attacker who obtains these credentials can impersonate Icinga to these services and add, modify and delete information there. If credentials with more permissions are in use, this increases the impact accordingly. Starting with the 2.11.10 and 2.12.5 releases, these passwords are no longer exposed via the API. As a workaround, API user permissions can be restricted to not allow querying of any affected objects, either by explicitly listing only the required object types for object query permissions, or by applying a filter rule."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-202: Exposure of Sensitive Information Through Data Queries"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7",
"refsource": "CONFIRM",
"url": "https://github.com/Icinga/icinga2/security/advisories/GHSA-wrpw-pmr8-qgj7"
},
{
"name": "https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/",
"refsource": "MISC",
"url": "https://icinga.com/blog/2021/07/15/releasing-icinga-2-12-5-and-2-11-10/"
},
{
"name": "[debian-lts-announce] 20211110 [SECURITY] [DLA 2816-1] icinga2 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00010.html"
}
]
},
"source": {
"advisory": "GHSA-wrpw-pmr8-qgj7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32743",
"datePublished": "2021-07-15T16:05:12.000Z",
"dateReserved": "2021-05-12T00:00:00.000Z",
"dateUpdated": "2025-11-03T21:44:46.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6400 (GCVE-0-2024-6400)
Vulnerability from cvelistv5
Published
2024-10-04 11:12
Modified
2025-10-14 12:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Cleartext Storage of Sensitive Information, Exposure of Sensitive Information Through Data Queries vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data, Authentication Bypass, IMAP/SMTP Command Injection, Collect Data from Common Resource Locations.
This issue solved in versions 1.21.10, 1.23.01, 1.23.08, 1.23.11 and 1.24.03.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Finrota | Netahsilat |
Patch: 1.23.11 Patch: 1.23.08 Patch: 1.23.01 Patch: 1.21.10 Patch: 1.24.03 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-04T13:59:47.517218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-04T13:59:57.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Netahsilat",
"vendor": "Finrota",
"versions": [
{
"status": "unaffected",
"version": "1.23.11",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.23.08",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.23.01",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.21.10",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "1.24.03",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kaan ATMACA"
},
{
"lang": "en",
"type": "sponsor",
"value": "Secure Future Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cleartext Storage of Sensitive Information, Exposure of Sensitive Information Through Data Queries vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data, Authentication Bypass, IMAP/SMTP Command Injection, Collect Data from Common Resource Locations.\u003cp\u003e\nThis issue solved in versions 1.21.10, 1.23.01, 1.23.08, 1.23.11 and 1.24.03.\n\n\u003c/p\u003e"
}
],
"value": "Cleartext Storage of Sensitive Information, Exposure of Sensitive Information Through Data Queries vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data, Authentication Bypass, IMAP/SMTP Command Injection, Collect Data from Common Resource Locations.\nThis issue solved in versions 1.21.10, 1.23.01, 1.23.08, 1.23.11 and 1.24.03."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
},
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-183",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-183 IMAP/SMTP Command Injection"
}
]
},
{
"capecId": "CAPEC-150",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-150 Collect Data from Common Resource Locations"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:L/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202 Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T12:55:46.692Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"url": "https://www.usom.gov.tr/bildirim/tr-24-1611"
}
],
"source": {
"advisory": "TR-24-1611",
"defect": [
"TR-24-1611"
],
"discovery": "UNKNOWN"
},
"title": "Cleartext Storage of Username and Password in Finrota\u0027s Netahsilat",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2024-6400",
"datePublished": "2024-10-04T11:12:30.441Z",
"dateReserved": "2024-06-28T11:59:51.082Z",
"dateUpdated": "2025-10-14T12:55:46.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59352 (GCVE-0-2025-59352)
Vulnerability from cvelistv5
Published
2025-09-17 19:50
Modified
2025-09-18 17:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine.This vulnerability is fixed in 2.1.0.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dragonflyoss | dragonfly |
Version: < 2.1.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-18T17:43:09.569641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-18T17:43:17.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dragonfly",
"vendor": "dragonflyoss",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the gRPC API and HTTP APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers\u2019 secret data and to gain remote code execution (RCE) capabilities on the peer\u2019s machine.This vulnerability is fixed in 2.1.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T19:50:52.067Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-79hx-3fp8-hj66"
},
{
"name": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf"
}
],
"source": {
"advisory": "GHSA-79hx-3fp8-hj66",
"discovery": "UNKNOWN"
},
"title": "Dragonfly allows arbitrary file read and write on a peer machine"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59352",
"datePublished": "2025-09-17T19:50:38.914Z",
"dateReserved": "2025-09-12T12:36:24.637Z",
"dateUpdated": "2025-09-18T17:43:17.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- This is a complex topic. See the book Translucent Databases for a good discussion of best practices.
No CAPEC attack patterns related to this CWE.