CVEbaza.plSłownik CWECWE-212
Common Weakness Enumeration

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

Kategoria: BaseCVE: 133
Opis

Produkt przechowuje, przesyła lub udostępnia zasób zawierający poufne informacje, ale nie usuwa ich prawidłowo przed udostępnieniem zasobu nieupoważnionym użytkownikom. Prowadzi to do potencjalnego ujawnienia wrażliwych danych osobom, które nie powinny mieć dostępu do tych informacji.

Description (EN)

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

Podatności CVE z CWE-212 (133)
9.8
CVSS
CRITICAL
CVE-2022-2818

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository cockpit-hq/cockpit prior to 2.2.2.

pub. 2022-08-15
9.6
CVSS
CRITICAL
CVE-2026-42880

W narzędziu Argo CD wykryto lukę umożliwiającą nieautoryzowany dostęp do poufnych danych. Atakujący posiadający jedynie uprawnienia do odczytu może wyciągnąć niezaszyfrowane dane z obiektów Kubernetes Secret przechowywanych w etcd.

pub. 2026-05-07
9.1
CVSS
CRITICAL
CVE-2020-11684

AT91bootstrap before 3.9.2 does not properly wipe encryption and authentication keys from memory before passing control to a less privileged software component. This can be exploited to disclose these keys and subsequently encrypt and sign the next boot stage (such as the bootloader).

pub. 2020-09-14
9.0
CVSS
CRITICAL
CVE-2026-32891

Anchorr w wersjach 1.4.1 i wcześniejszych zawiera podatność stored XSS w selektorze użytkowników Jellyseerr, która pozwala dowolnemu posiadaczowi konta wykonać złośliwy skrypt JavaScript w sesji przeglądarki administratora. Skutkiem jest pełne przejęcie panelu administracyjnego oraz wszystkich zintegrowanych usług bez znajomości hasła administratora.

pub. 2026-03-20
8.8
CVSS
HIGH
CVE-2026-39937

Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.

pub. 2026-04-07
8.8
CVSS
HIGH
CVE-2022-30617

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a low-privileged “author” role account can view these details in the JSON response for an “editor” or “super admin” that has updated one of the author’s blog posts. There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship. Access to this information enables a user to compromise other users’ accounts by successfully invoking the password reset workflow. In a worst-case scenario, a low-privileged user could get access to a “super admin” account with full control over the Strapi instance, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.

pub. 2022-05-19
8.8
CVSS
HIGH
CVE-2022-0355

Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1.

pub. 2022-01-26
8.8
CVSS
HIGH
CVE-2021-0340

In parseNextBox of IsoInterface.java, there is a possible leak of unredacted location information due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-134155286

pub. 2021-02-10
8.8
CVSS
HIGH
CVE-2019-13402

/usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v1.2.0.0 devices implement an incomplete factory-reset process. A backdoor can persist because neither system accounts nor the set of services is reset.

pub. 2019-07-08
8.6
CVSS
HIGH
CVE-2022-39393

Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously to the next instance. This bug has been patched and users should upgrade to Wasmtime 2.0.2 and 1.0.2. Other mitigations include disabling the pooling allocator and disabling the `memory-init-cow`.

pub. 2022-11-10
8.5
CVSS
HIGH
CVE-2026-27640

tfplan2md is software for converting Terraform plan JSON files into human-readable Markdown reports. Prior to version 1.26.1, a bug in tfplan2md affected several distinct rendering paths: AzApi resource body properties, AzureDevOps variable groups, Scriban template context variables, and hierarchical sensitivity detection. This caused reports to render values that should have been masked as "(sensitive)" instead. This issue is fixed in v1.26.1. No known workarounds are available.

pub. 2026-02-25
8.2
CVSS
HIGH
CVE-2025-65965

Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file. This issue has been patched in version 0.104.1. Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.

pub. 2025-11-25
8.2
CVSS
HIGH
CVE-2022-31112

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.

pub. 2022-06-30
8.1
CVSS
HIGH
CVE-2022-4734

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository usememos/memos prior to 0.9.1.

pub. 2022-12-27
8.1
CVSS
HIGH
CVE-2022-1650

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2.

pub. 2022-05-12
8.1
CVSS
HIGH
CVE-2019-11243

In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig() method returns a copy of the provided config, with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig() did not effectively clear service account credentials loaded using rest.InClusterConfig()

pub. 2019-04-22
8.0
CVSS
HIGH
CVE-2024-43384

A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer.

pub. 2026-05-07
8.0
CVSS
HIGH
CVE-2020-15094

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

pub. 2020-09-02
7.7
CVSS
HIGH
CVE-2026-43824

In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.

pub. 2026-05-02
7.7
CVSS
HIGH
CVE-2026-34214

Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been patched in version 480.

pub. 2026-03-31
Pokazano 20 z 133 podatności
Informacje
ID: CWE-212
Typ: Base
Podatności: 133
MITRE CWE ↗
← Słownik CWE
CWE-212 — Nieprawidłowe usuwanie poufnych informacji przed przechowaniem lub przesłaniem | Słownik CWE | CVEbaza.pl