Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for cve-services by CVEProject
CVE-2022-31004 (GCVE-0-2022-31004)
Vulnerability from cvelistv5 – Published: 2022-05-25 21:55 – Updated: 2025-04-22 17:56
VLAI
Title
Potential secrets being logged to disk in CVE Services
Summary
CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a "hot fix" for version 1.1.1 and for the 2.x branch.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-779 - Logging of Excessive Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/CVEProject/cve-services/securi… | x_refsource_CONFIRM |
| https://github.com/CVEProject/cve-services/blob/6… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CVEProject | cve-services |
Affected:
<= 1.1.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-7629"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82fa415c92/src/utils/data.js#L68-L83"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31004",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:15.360212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:56:17.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cve-services",
"vendor": "CVEProject",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in \u0027data.js\u0027 has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a \"hot fix\" for version 1.1.1 and for the 2.x branch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-779",
"description": "CWE-779: Logging of Excessive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-31T13:01:05.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-7629"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82fa415c92/src/utils/data.js#L68-L83"
}
],
"source": {
"advisory": "GHSA-mpwm-rmqp-7629",
"discovery": "UNKNOWN"
},
"title": "Potential secrets being logged to disk in CVE Services",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31004",
"STATE": "PUBLIC",
"TITLE": "Potential secrets being logged to disk in CVE Services"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cve-services",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.1.1"
}
]
}
}
]
},
"vendor_name": "CVEProject"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in \u0027data.js\u0027 has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a \"hot fix\" for version 1.1.1 and for the 2.x branch."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-779: Logging of Excessive Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-7629",
"refsource": "CONFIRM",
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-7629"
},
{
"name": "https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82fa415c92/src/utils/data.js#L68-L83",
"refsource": "MISC",
"url": "https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82fa415c92/src/utils/data.js#L68-L83"
}
]
},
"source": {
"advisory": "GHSA-mpwm-rmqp-7629",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31004",
"datePublished": "2022-05-25T21:55:09.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:56:17.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24875 (GCVE-0-2022-24875)
Vulnerability from cvelistv5 – Published: 2022-04-21 17:20 – Updated: 2025-04-23 18:32
VLAI
Title
Potential Secrets being logged to disk in CVEProject/cve-services
Summary
The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/CVEProject/cve-services/securi… | x_refsource_CONFIRM |
| https://github.com/CVEProject/cve-services/commit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CVEProject | cve-services |
Affected:
<= 1.1.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.160Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:55:22.404514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:32:43.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cve-services",
"vendor": "CVEProject",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-21T17:20:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4"
}
],
"source": {
"advisory": "GHSA-rhj9-qx37-7m2m",
"discovery": "UNKNOWN"
},
"title": "Potential Secrets being logged to disk in CVEProject/cve-services",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24875",
"STATE": "PUBLIC",
"TITLE": "Potential Secrets being logged to disk in CVEProject/cve-services"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cve-services",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.1.1"
}
]
}
}
]
},
"vendor_name": "CVEProject"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532: Insertion of Sensitive Information into Log File"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m",
"refsource": "CONFIRM",
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m"
},
{
"name": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4",
"refsource": "MISC",
"url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4"
}
]
},
"source": {
"advisory": "GHSA-rhj9-qx37-7m2m",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24875",
"datePublished": "2022-04-21T17:20:10.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:32:43.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31004 (GCVE-0-2022-31004)
Vulnerability from nvd – Published: 2022-05-25 21:55 – Updated: 2025-04-22 17:56
VLAI
Title
Potential secrets being logged to disk in CVE Services
Summary
CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in 'data.js' has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a "hot fix" for version 1.1.1 and for the 2.x branch.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-779 - Logging of Excessive Data
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/CVEProject/cve-services/securi… | x_refsource_CONFIRM |
| https://github.com/CVEProject/cve-services/blob/6… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CVEProject | cve-services |
Affected:
<= 1.1.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.181Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-7629"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82fa415c92/src/utils/data.js#L68-L83"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31004",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:15.360212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:56:17.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cve-services",
"vendor": "CVEProject",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in \u0027data.js\u0027 has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a \"hot fix\" for version 1.1.1 and for the 2.x branch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-779",
"description": "CWE-779: Logging of Excessive Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-31T13:01:05.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-7629"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82fa415c92/src/utils/data.js#L68-L83"
}
],
"source": {
"advisory": "GHSA-mpwm-rmqp-7629",
"discovery": "UNKNOWN"
},
"title": "Potential secrets being logged to disk in CVE Services",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31004",
"STATE": "PUBLIC",
"TITLE": "Potential secrets being logged to disk in CVE Services"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cve-services",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.1.1"
}
]
}
}
]
},
"vendor_name": "CVEProject"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CVEProject/cve-services is an open source project used to operate the CVE services API. A conditional in \u0027data.js\u0027 has potential for production secrets to be written to disk. The affected method writes the generated randomKey to disk if the environment is not development. If this method were called in production, it is possible that it would write the plaintext key to disk. A patch is not available as of time of publication but is anticipated as a \"hot fix\" for version 1.1.1 and for the 2.x branch."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-779: Logging of Excessive Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-7629",
"refsource": "CONFIRM",
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-mpwm-rmqp-7629"
},
{
"name": "https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82fa415c92/src/utils/data.js#L68-L83",
"refsource": "MISC",
"url": "https://github.com/CVEProject/cve-services/blob/6b085e481fd3b084a8828ef7489c6b82fa415c92/src/utils/data.js#L68-L83"
}
]
},
"source": {
"advisory": "GHSA-mpwm-rmqp-7629",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31004",
"datePublished": "2022-05-25T21:55:09.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:56:17.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24875 (GCVE-0-2022-24875)
Vulnerability from nvd – Published: 2022-04-21 17:20 – Updated: 2025-04-23 18:32
VLAI
Title
Potential Secrets being logged to disk in CVEProject/cve-services
Summary
The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/CVEProject/cve-services/securi… | x_refsource_CONFIRM |
| https://github.com/CVEProject/cve-services/commit… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CVEProject | cve-services |
Affected:
<= 1.1.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.160Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:55:22.404514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:32:43.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cve-services",
"vendor": "CVEProject",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-21T17:20:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4"
}
],
"source": {
"advisory": "GHSA-rhj9-qx37-7m2m",
"discovery": "UNKNOWN"
},
"title": "Potential Secrets being logged to disk in CVEProject/cve-services",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24875",
"STATE": "PUBLIC",
"TITLE": "Potential Secrets being logged to disk in CVEProject/cve-services"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "cve-services",
"version": {
"version_data": [
{
"version_value": "\u003c= 1.1.1"
}
]
}
}
]
},
"vendor_name": "CVEProject"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The CVEProject/cve-services is an open source project used to operate the CVE services api. In versions up to and including 1.1.1 the `org.conroller.js` code would erroneously log user secrets. This has been resolved in commit `46d98f2b` and should be available in subsequent versions of the software. Users of the software are advised to manually apply the `46d98f2b` commit or to update when a new version becomes available. As a workaround users should inspect their logs and remove logged secrets as appropriate."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-532: Insertion of Sensitive Information into Log File"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m",
"refsource": "CONFIRM",
"url": "https://github.com/CVEProject/cve-services/security/advisories/GHSA-rhj9-qx37-7m2m"
},
{
"name": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4",
"refsource": "MISC",
"url": "https://github.com/CVEProject/cve-services/commit/46d98f2b1427fc6ba1c2bc443dc6688fd400f1f4"
}
]
},
"source": {
"advisory": "GHSA-rhj9-qx37-7m2m",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24875",
"datePublished": "2022-04-21T17:20:10.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:32:43.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}