CWE-260
Password in Configuration File
The product stores a password in a configuration file that might be accessible to actors who do not know the password.
CVE-2014-5400 (GCVE-0-2014-5400)
Vulnerability from cvelistv5
Published
2015-04-03 10:00
Modified
2025-11-03 18:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:41:49.202Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-090-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MedNet",
"vendor": "Hospira",
"versions": [
{
"lessThanOrEqual": "5.8",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "6.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Billy Rios"
}
],
"datePublic": "2015-03-31T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file.\u003c/p\u003e"
}
],
"value": "The installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file."
}
],
"metrics": [
{
"cvssV2_0": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.8,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-260",
"description": "CWE-260",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T18:26:56.284Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-15-090-03"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2015/icsa-15-090-03.json"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eHospira has developed a new version of the MedNet software, MedNet \n6.1. Hospira reports that MedNet 6.1 no longer uses hard-coded \npasswords, hard-coded cryptographic keys, and no longer stores passwords\n in clear text. Existing versions of MedNet can be upgraded to MedNet \n6.1.\u003c/p\u003e\n\u003cp\u003eHospira has produced mitigation recommendations that help mitigate \nthe vulnerability in the vulnerable version of JBoss Enterprise \nApplication Platform software, used in the MedNet software. This has \nbeen addressed by Hospira through issuance of the following knowledge \nbased articles: Improving Security in Hospira MedNet 5.5 (August 2014) \nand Improving Security in Hospira MedNet 5.8 (August 2014). For \nadditional information about Hospira\u2019s new releases and mitigation \nrecommendations, contact Hospira\u2019s technical support at 1-800-241-4002.\u003c/p\u003e"
}
],
"value": "Hospira has developed a new version of the MedNet software, MedNet \n6.1. Hospira reports that MedNet 6.1 no longer uses hard-coded \npasswords, hard-coded cryptographic keys, and no longer stores passwords\n in clear text. Existing versions of MedNet can be upgraded to MedNet \n6.1.\n\n\nHospira has produced mitigation recommendations that help mitigate \nthe vulnerability in the vulnerable version of JBoss Enterprise \nApplication Platform software, used in the MedNet software. This has \nbeen addressed by Hospira through issuance of the following knowledge \nbased articles: Improving Security in Hospira MedNet 5.5 (August 2014) \nand Improving Security in Hospira MedNet 5.8 (August 2014). For \nadditional information about Hospira\u2019s new releases and mitigation \nrecommendations, contact Hospira\u2019s technical support at 1-800-241-4002."
}
],
"source": {
"advisory": "ICSA-15-090-03",
"discovery": "EXTERNAL"
},
"title": "Hospira MedNet Password in Configuration File",
"x_generator": {
"engine": "Vulnogram 0.5.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2014-5400",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-090-03",
"refsource": "MISC",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-090-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2014-5400",
"datePublished": "2015-04-03T10:00:00",
"dateReserved": "2014-08-22T00:00:00",
"dateUpdated": "2025-11-03T18:26:56.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-45673 (GCVE-0-2024-45673)
Vulnerability from cvelistv5
Published
2025-02-21 16:45
Modified
2025-08-27 21:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-260 - Password in Configuration File
Summary
IBM Security Verify Bridge Directory Sync 1.0.1 through 1.0.12, IBM Security Verify Gateway for Windows Login 1.0.1 through 1.0.10, and IBM Security Verify Gateway for Radius 1.0.1 through 1.0.11 stores user credentials in configuration files which can be read by a local user.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Security Verify Bridge Directory Sync |
Version: 1.0.1 ≤ 1.0.12 cpe:2.3:a:ibm:security_verify_bridge:1.0.1:*:*:*:*:*:*:* cpe:2.3:a:ibm:security_verify_bridge:1.0.12:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-21T17:11:29.725426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T21:33:04.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:security_verify_bridge:1.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:security_verify_bridge:1.0.12:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Security Verify Bridge Directory Sync",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.0.12",
"status": "affected",
"version": "1.0.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Security Verify Bridge Directory Sync 1.0.1 through 1.0.12, IBM Security Verify Gateway for Windows Login 1.0.1 through 1.0.10, and IBM Security Verify Gateway for Radius 1.0.1 through 1.0.11 stores user credentials in configuration files which can be read by a local user."
}
],
"value": "IBM Security Verify Bridge Directory Sync 1.0.1 through 1.0.12, IBM Security Verify Gateway for Windows Login 1.0.1 through 1.0.10, and IBM Security Verify Gateway for Radius 1.0.1 through 1.0.11 stores user credentials in configuration files which can be read by a local user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-260",
"description": "CWE-260 Password in Configuration File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-15T14:25:18.235Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7183801"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Security Verify Bridge information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2024-45673",
"datePublished": "2025-02-21T16:45:51.122Z",
"dateReserved": "2024-09-03T13:50:43.964Z",
"dateUpdated": "2025-08-27T21:33:04.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25022 (GCVE-0-2025-25022)
Vulnerability from cvelistv5
Published
2025-06-03 15:16
Modified
2025-08-26 14:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-260 - Password in Configuration File
Summary
IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an unauthenticated user in the environment to obtain highly sensitive information in configuration files.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | QRadar Suite Software |
Version: 1.10.12.0 ≤ 1.11.2.0 cpe:2.3:a:ibm:qradar_suite:1.10.12.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:qradar_suite:1.11.2.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25022",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-03T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-04T03:56:05.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:qradar_suite:1.10.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:qradar_suite:1.11.2.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "QRadar Suite Software",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.11.2.0",
"status": "affected",
"version": "1.10.12.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:cloud_pak_for_security:1.10.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Cloud Pak for Security",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "1.10.11.0",
"status": "affected",
"version": "1.10.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "John Zuccato, Rodney Ryan, Chris Shepherd, Vince Dragnea, Ben Goodspeed, Dawid Bak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an unauthenticated user in the environment to obtain highly sensitive information in configuration files."
}
],
"value": "IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an unauthenticated user in the environment to obtain highly sensitive information in configuration files."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-260",
"description": "CWE-260 Password in Configuration File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T14:53:06.088Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7235432"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM strongly encourages customers to update their systems promptly.\u003cbr\u003e\u003cbr\u003ePlease upgrade to at least version 1.11.3.0 according to the following instructions:\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=installing\"\u003ehttps://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=installing\u003c/a\u003e\u003cbr\u003e\u003cbr\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=upgrading\"\u003ehttps://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=upgrading\u003c/a\u003e\u003cbr\u003e"
}
],
"value": "IBM strongly encourages customers to update their systems promptly.\n\nPlease upgrade to at least version 1.11.3.0 according to the following instructions:\n\n https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=installing \n\n https://www.ibm.com/docs/en/cloud-paks/cp-security/1.11?topic=upgrading"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM QRadar Suite Software and IBM Cloud Pak for Security information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-25022",
"datePublished": "2025-06-03T15:16:19.691Z",
"dateReserved": "2025-01-31T16:26:45.223Z",
"dateUpdated": "2025-08-26T14:53:06.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-33093 (GCVE-0-2025-33093)
Vulnerability from cvelistv5
Published
2025-05-07 11:04
Modified
2025-08-28 14:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-260 - Password in Configuration File
Summary
IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | Sterling Partner Engagement Manager |
Version: 6.1.0 Version: 6.2.0 Version: 6.2.2 cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.1.2:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.1.2:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.0:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.0:*:*:*:essentials:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.2:*:*:*:standard:*:*:* cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.2:*:*:*:essentials:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-33093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T13:17:01.976480Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T13:20:00.805Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.1.2:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.1.2:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.0:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.0:*:*:*:essentials:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.2:*:*:*:standard:*:*:*",
"cpe:2.3:a:ibm:sterling_partner_engagement_manager:6.2.2:*:*:*:essentials:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Sterling Partner Engagement Manager",
"vendor": "IBM",
"versions": [
{
"status": "affected",
"version": "6.1.0"
},
{
"status": "affected",
"version": "6.2.0"
},
{
"status": "affected",
"version": "6.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret."
}
],
"value": "IBM Sterling Partner Engagement Manager 6.1.0, 6.2.0, 6.2.2 JWT secret is stored in public Helm Charts and is not stored as a Kubernetes secret."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-260",
"description": "CWE-260 Password in Configuration File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T14:21:26.785Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7232762"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Product Version(s) Remediation/Fix/Instructions\u003cbr\u003eIBM Sterling Partner Engagement Manager Standard Edition / Essentials Edition 6.1.x, 6.2.0,6.2.3, 6.24\u2003\u2003\u20036.2.0,6.2.3,6.2.4"
}
],
"value": "Product Version(s) Remediation/Fix/Instructions\nIBM Sterling Partner Engagement Manager Standard Edition / Essentials Edition 6.1.x, 6.2.0,6.2.3, 6.24\u2003\u2003\u20036.2.0,6.2.3,6.2.4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Sterling Partner Engagement Manager information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-33093",
"datePublished": "2025-05-07T11:04:31.838Z",
"dateReserved": "2025-04-15T17:50:31.398Z",
"dateUpdated": "2025-08-28T14:21:26.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36002 (GCVE-0-2025-36002)
Vulnerability from cvelistv5
Published
2025-10-16 14:54
Modified
2025-10-25 02:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-260 - Password in Configuration File
Summary
IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| IBM | Sterling B2B Integrator |
Version: 6.2.0.0 ≤ 6.2.0.5 Version: 6.2.1.0 ≤ cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.0.5:*:*:*:*:*:*:* cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.1.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36002",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T16:06:34.404561Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-256",
"description": "CWE-256 Plaintext Storage of a Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T16:06:38.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Sterling B2B Integrator",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "6.2.0.5",
"status": "affected",
"version": "6.2.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "6.2.1.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:ibm:sterling_file_gateway:6.2.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_file_gateway:6.2.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:sterling_file_gateway:6.2.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Sterling File Gateway",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "6.2.0.5",
"status": "affected",
"version": "6.2.0.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "6.2.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.\u003c/p\u003e"
}
],
"value": "IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-260",
"description": "CWE-260 Password in Configuration File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-25T02:02:53.477Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7248129"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003eIBM Sterling B2B Integrator and IBM Sterling File Gateway\u003c/td\u003e\u003ctd\u003e6.2.0.0 - 6.2.0.5\u003c/td\u003e\u003ctd\u003eIT48063\u003c/td\u003e\u003ctd\u003eApply B2Bi 6.2.0.5_1 or 6.2.1.1\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eIBM Sterling B2B Integrator and IBM Sterling File Gateway\u003c/td\u003e\u003ctd\u003e6.2.1.0\u003c/td\u003e\u003ctd\u003eIT48063\u003c/td\u003e\u003ctd\u003eApply B2Bi 6.2.1.1\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\n\n\u003cbr\u003e"
}
],
"value": "IBM Sterling B2B Integrator and IBM Sterling File Gateway6.2.0.0 - 6.2.0.5IT48063Apply B2Bi 6.2.0.5_1 or 6.2.1.1IBM Sterling B2B Integrator and IBM Sterling File Gateway6.2.1.0IT48063Apply B2Bi 6.2.1.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Sterling B2B Integrator information disclosure",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36002",
"datePublished": "2025-10-16T14:54:53.914Z",
"dateReserved": "2025-04-15T21:16:05.532Z",
"dateUpdated": "2025-10-25T02:02:53.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36100 (GCVE-0-2025-36100)
Vulnerability from cvelistv5
Published
2025-09-07 00:37
Modified
2025-10-09 16:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-260 - Password in Configuration File
Summary
IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0 Java and JMS stores a password in client configuration files when trace is enabled which can be read by a local user.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| IBM | MQ |
Version: 9.1.0.0 ≤ 9.1.0.29 Version: 9.2.0.0 ≤ 9.2.0.36 Version: 9.3.0.0 ≤ 9.3.0.30 Version: 9.4.0.0 ≤ 9.4.0.12 cpe:2.3:a:ibm:mq:9.1.0.0:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.1.0.29:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.2.0.0:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.2.0.36:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.3.0.0:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.3.0.30:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.4.0.0:*:*:*:lts:*:*:* cpe:2.3:a:ibm:mq:9.4.0.12:*:*:*:lts:*:*:* |
||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36100",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T17:50:17.330773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T17:50:31.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:mq:9.1.0.0:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.1.0.29:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.2.0.0:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.2.0.36:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.3.0.0:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.3.0.30:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.4.0.0:*:*:*:lts:*:*:*",
"cpe:2.3:a:ibm:mq:9.4.0.12:*:*:*:lts:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MQ",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "9.1.0.29",
"status": "affected",
"version": "9.1.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.2.0.36",
"status": "affected",
"version": "9.2.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.3.0.30",
"status": "affected",
"version": "9.3.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.4.0.12",
"status": "affected",
"version": "9.4.0.0",
"versionType": "semver"
}
],
"x_edition": "LTS"
},
{
"cpes": [
"cpe:2.3:a:ibm:mq:9.3.0.0:*:*:*:continuous_delivery:*:*:*",
"cpe:2.3:a:ibm:mq:9.3.5.1:*:*:*:continuous_delivery:*:*:*",
"cpe:2.3:a:ibm:mq:9.4.0.0:*:*:*:continuous_delivery:*:*:*",
"cpe:2.3:a:ibm:mq:9.4.3.0:*:*:*:continuous_delivery:*:*:*"
],
"defaultStatus": "unaffected",
"product": "MQ",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "9.3.5.1",
"status": "affected",
"version": "9.3.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.4.3.0",
"status": "affected",
"version": "9.4.0.0",
"versionType": "semver"
}
],
"x_edition": "CD"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0\u0026nbsp; Java and JMS stores a password in client configuration files when trace is enabled which can be read by a local user."
}
],
"value": "IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0\u00a0 Java and JMS stores a password in client configuration files when trace is enabled which can be read by a local user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-260",
"description": "CWE-260 Password in Configuration File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T16:22:51.045Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7243544"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eThis issue was addressed under known issue DT444585\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003eIBM MQ version 9.1 LTS\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/downloading-ibm-mq-91-lts\"\u003eApply cumulative security update 9.1.0.31\u003c/a\u003e\u003c/div\u003e\u003cbr\u003e\u003cp\u003eIBM MQ version 9.2 LTS\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/downloading-ibm-mq-92-lts\"\u003eApply cumulative security update 9.2.0.37\u003c/a\u003e\u0026nbsp; \u003c/p\u003e\u003cp\u003eIBM MQ version 9.3 LTS\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/downloading-ibm-mq-93-lts\"\u003eApply cumulative security update 9.3.0.31\u003c/a\u003e\u003c/p\u003e\u003cp\u003eIBM MQ version 9.4 LTS\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/downloading-ibm-mq-94-lts\"\u003eApply fix pack 9.4.0.15\u003c/a\u003e\u003c/p\u003e\u003cp\u003eIBM MQ version 9.3 CD and 9.4 CD\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.ibm.com/support/pages/downloading-ibm-mq-94-cd\"\u003eUpgrade to IBM MQ version 9.4.3.1\u003c/a\u003e\u003c/p\u003e\u003c/div\u003e\n\n\u003cbr\u003e"
}
],
"value": "This issue was addressed under known issue DT444585\n\n\nIBM MQ version 9.1 LTS\n\n Apply cumulative security update 9.1.0.31 https://www.ibm.com/support/pages/downloading-ibm-mq-91-lts \n\n\nIBM MQ version 9.2 LTS\n\n Apply cumulative security update 9.2.0.37 https://www.ibm.com/support/pages/downloading-ibm-mq-92-lts \u00a0 \n\nIBM MQ version 9.3 LTS\n\n Apply cumulative security update 9.3.0.31 https://www.ibm.com/support/pages/downloading-ibm-mq-93-lts \n\nIBM MQ version 9.4 LTS\n\n Apply fix pack 9.4.0.15 https://www.ibm.com/support/pages/downloading-ibm-mq-94-lts \n\nIBM MQ version 9.3 CD and 9.4 CD\n\n Upgrade to IBM MQ version 9.4.3.1 https://www.ibm.com/support/pages/downloading-ibm-mq-94-cd"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM MQ information disclosure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2025-36100",
"datePublished": "2025-09-07T00:37:00.421Z",
"dateReserved": "2025-04-15T21:16:16.297Z",
"dateUpdated": "2025-10-09T16:22:51.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57754 (GCVE-0-2025-57754)
Vulnerability from cvelistv5
Published
2025-08-21 16:14
Modified
2025-08-21 17:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-260 - Password in Configuration File
Summary
eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could lead to data exfiltration, modification or deletion.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kristoferfannar | eslint-ban-moment |
Version: <= 3.0.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-21T17:23:51.959161Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T17:31:58.060Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "eslint-ban-moment",
"vendor": "kristoferfannar",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could lead to data exfiltration, modification or deletion."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-260",
"description": "CWE-260: Password in Configuration File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T16:14:29.391Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/kristoferfannar/eslint-ban-moment/security/advisories/GHSA-2486-4cjg-pw98",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/kristoferfannar/eslint-ban-moment/security/advisories/GHSA-2486-4cjg-pw98"
},
{
"name": "https://github.com/kristoferfannar/eslint-ban-moment/commit/bc2d2f9d23e6ae961a23e0d769e0722870b11108",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kristoferfannar/eslint-ban-moment/commit/bc2d2f9d23e6ae961a23e0d769e0722870b11108"
}
],
"source": {
"advisory": "GHSA-2486-4cjg-pw98",
"discovery": "UNKNOWN"
},
"title": "eslint-ban-moment exposed a sensitive Supabase URI in .env (Credential leak)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57754",
"datePublished": "2025-08-21T16:14:29.391Z",
"dateReserved": "2025-08-19T15:16:22.916Z",
"dateUpdated": "2025-08-21T17:31:58.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Avoid storing passwords in easily accessible locations.
Mitigation
Phase: Architecture and Design
Description:
- Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
No CAPEC attack patterns related to this CWE.