Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-22115

Summary
Assigner-vmware
Assigner Org ID-dcf2e128-44bd-42ed-91e8-88f912c1401d
Published At-08 Apr, 2021 | 17:28
Updated At-03 Aug, 2024 | 18:30
Rejected At-
Credits

Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed. CAPI database logs service broker password in plain text whenever a job to clean up orphaned items is run by Cloud Controller.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:vmware
Assigner Org ID:dcf2e128-44bd-42ed-91e8-88f912c1401d
Published At:08 Apr, 2021 | 17:28
Updated At:03 Aug, 2024 | 18:30
Rejected At:
▼CVE Numbering Authority (CNA)

Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed. CAPI database logs service broker password in plain text whenever a job to clean up orphaned items is run by Cloud Controller.

Affected Products
Vendor
n/a
Product
Cloud Control API
Versions
Affected
  • CAPI versions prior to 1.106.0
Problem Types
TypeCWE IDDescription
textN/AClear text logging of credentials
Type: text
CWE ID: N/A
Description: Clear text logging of credentials
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.cloudfoundry.org/blog/cve-2021-22115-capi-logs-service-broker-credentials/
x_refsource_MISC
Hyperlink: https://www.cloudfoundry.org/blog/cve-2021-22115-capi-logs-service-broker-credentials/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.cloudfoundry.org/blog/cve-2021-22115-capi-logs-service-broker-credentials/
x_refsource_MISC
x_transferred
Hyperlink: https://www.cloudfoundry.org/blog/cve-2021-22115-capi-logs-service-broker-credentials/
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@vmware.com
Published At:08 Apr, 2021 | 18:15
Updated At:14 Apr, 2021 | 19:52

Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed. CAPI database logs service broker password in plain text whenever a job to clean up orphaned items is run by Cloud Controller.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary2.04.0MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 2.0
Base score: 4.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CPE Matches

Cloud Foundry
cloudfoundry
>>capi-release>>Versions before 1.106.0(exclusive)
cpe:2.3:a:cloudfoundry:capi-release:*:*:*:*:*:*:*:*
Cloud Foundry
cloudfoundry
>>cf-deployment>>Versions before 16.2.0(exclusive)
cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-522Primarynvd@nist.gov
CWE ID: CWE-522
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://www.cloudfoundry.org/blog/cve-2021-22115-capi-logs-service-broker-credentials/security@vmware.com
Vendor Advisory
Hyperlink: https://www.cloudfoundry.org/blog/cve-2021-22115-capi-logs-service-broker-credentials/
Source: security@vmware.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

243Records found

CVE-2022-34807
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.56% / 67.10%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:48
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-elasticsearch_queryJenkins Elasticsearch Query Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-34803
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.62% / 68.99%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:48
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-opsgenieJenkins OpsGenie Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-34213
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 60.04%
||
7 Day CHG~0.00%
Published-22 Jun, 2022 | 14:41
Updated-03 Aug, 2024 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-squash_tm_publisherJenkins Squash TM Publisher (Squash4Jenkins) Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-34799
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.62% / 68.99%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:47
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-deployment_dashboardJenkins Deployment Dashboard Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-34800
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.62% / 68.99%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:48
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-build_notificationsJenkins Build Notifications Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-34809
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.56% / 67.10%
||
7 Day CHG~0.00%
Published-30 Jun, 2022 | 17:48
Updated-03 Aug, 2024 | 09:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-rqmJenkins RQM Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-33169
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.14% / 35.05%
||
7 Day CHG~0.00%
Published-31 Jul, 2022 | 17:30
Updated-16 Sep, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to insufficiently protected credentials for users created via a bulk upload. IBM X-Force ID: 228888.

Action-Not Available
Vendor-IBM Corporation
Product-robotic_process_automationRobotic Process Automation
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-30231
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 36.03%
||
7 Day CHG~0.00%
Published-14 Jun, 2022 | 09:21
Updated-03 Aug, 2024 | 06:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SICAM GridEdge Essential ARM (All versions < V2.6.6), SICAM GridEdge Essential Intel (All versions < V2.6.6), SICAM GridEdge Essential with GDS ARM (All versions < V2.6.6), SICAM GridEdge Essential with GDS Intel (All versions < V2.6.6). The affected software discloses password hashes of other users upon request. This could allow an authenticated user to retrieve another users password hash.

Action-Not Available
Vendor-Siemens AG
Product-sicam_gridedge_essentialSICAM GridEdge Essential with GDS ARMSICAM GridEdge Essential with GDS IntelSICAM GridEdge Essential ARMSICAM GridEdge Essential Intel
CWE ID-CWE-402
Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-30952
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.38% / 58.68%
||
7 Day CHG~0.00%
Published-17 May, 2022 | 00:00
Updated-03 Aug, 2024 | 07:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-blue_oceanJenkins Pipeline SCM API for Blue Ocean Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-27216
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.64% / 69.65%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 16:46
Updated-03 Aug, 2024 | 05:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-dbchartsJenkins dbCharts Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-29052
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.84% / 73.72%
||
7 Day CHG~0.00%
Published-12 Apr, 2022 | 19:50
Updated-15 Oct, 2024 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-google_compute_engineJenkins Google Compute Engine Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-29833
Matching Score-4
Assigner-Mitsubishi Electric Corporation
ShareView Details
Matching Score-4
Assigner-Mitsubishi Electric Corporation
CVSS Score-6.8||MEDIUM
EPSS-0.44% / 62.21%
||
7 Day CHG~0.00%
Published-24 Nov, 2022 | 23:38
Updated-25 Apr, 2025 | 17:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficiently Protected Credentials vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users could access to MELSEC safety CPU modules illgally.

Action-Not Available
Vendor-Mitsubishi Electric Corporation
Product-gx_works3GX Works3
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-28135
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.64% / 69.65%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 12:30
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-instant-messagingJenkins instant-messaging Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-27544
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-5||MEDIUM
EPSS-0.19% / 41.08%
||
7 Day CHG~0.00%
Published-19 Jul, 2022 | 15:40
Updated-16 Sep, 2024 | 23:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Web Reports authorized users may see sensitive information in clear text

BigFix Web Reports authorized users may see SMTP credentials in clear text.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_platformHCL BigFix
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-28167
Matching Score-4
Assigner-Brocade Communications Systems, LLC
ShareView Details
Matching Score-4
Assigner-Brocade Communications Systems, LLC
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 42.17%
||
7 Day CHG~0.00%
Published-27 Jun, 2022 | 17:51
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Brocade SANnav before Brocade SANvav v. 2.2.0.2 and Brocade SANanv v.2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log

Action-Not Available
Vendor-n/aBroadcom Inc.
Product-sannavBrocade SANnav
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-27560
Matching Score-4
Assigner-HCL Software
ShareView Details
Matching Score-4
Assigner-HCL Software
CVSS Score-6||MEDIUM
EPSS-0.14% / 34.54%
||
7 Day CHG~0.00%
Published-30 Aug, 2022 | 21:25
Updated-16 Sep, 2024 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An insufficiently protected credential vulnerability affects HCL VersionVault Express

HCL VersionVault Express exposes administrator credentials.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-versionvault_expressHCL VersionVault Express
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-28141
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.55% / 66.86%
||
7 Day CHG~0.00%
Published-29 Mar, 2022 | 12:30
Updated-03 Aug, 2024 | 05:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-proxmoxJenkins Proxmox Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-28291
Matching Score-4
Assigner-Cyber Security Works Pvt. Ltd.
ShareView Details
Matching Score-4
Assigner-Cyber Security Works Pvt. Ltd.
CVSS Score-6.5||MEDIUM
EPSS-0.09% / 26.99%
||
7 Day CHG~0.00%
Published-17 Oct, 2022 | 00:00
Updated-13 May, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficiently Protected Credentials: An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the “nessusd” process in cleartext via process dumping. The affected products are all versions of Nessus Essentials and Professional. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising its customers’ network of assets.

Action-Not Available
Vendor-n/aTenable, Inc.
Product-nessusNessus Professional
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-27179
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-4.6||MEDIUM
EPSS-0.16% / 37.65%
||
7 Day CHG~0.00%
Published-20 Apr, 2022 | 15:30
Updated-16 Apr, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ICSA-22-104-03 Red Lion DA50N

A malicious actor having access to the exported configuration file may obtain the stored credentials and thereby gain access to the protected resource. If the same passwords were used for other resources, further such assets may be compromised.

Action-Not Available
Vendor-redlionRed Lion
Product-da50nda50n_firmwareDA50N
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-27206
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.56% / 67.27%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 16:45
Updated-03 Aug, 2024 | 05:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-gitlab_authenticationJenkins GitLab Authentication Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-27217
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.55% / 66.86%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 16:46
Updated-03 Aug, 2024 | 05:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-vmware_vrealize_codestreamJenkins Vmware vRealize CodeStream Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-27218
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 63.23%
||
7 Day CHG~0.00%
Published-15 Mar, 2022 | 16:46
Updated-03 Aug, 2024 | 05:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Action-Not Available
Vendor-Jenkins
Product-incapptic_connect_uploaderJenkins incapptic connect uploader Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-24982
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 48.90%
||
7 Day CHG~0.00%
Published-16 Feb, 2022 | 21:04
Updated-03 Aug, 2024 | 04:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Forms generated by JQueryForm.com before 2022-02-05 allows a remote authenticated attacker to access the cleartext credentials of all other form users. admin.php contains a hidden base64-encoded string with these credentials.

Action-Not Available
Vendor-jqueryformn/a
Product-jqueryformn/a
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-25184
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.87% / 74.32%
||
7 Day CHG~0.00%
Published-15 Feb, 2022 | 16:11
Updated-03 Aug, 2024 | 04:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs.

Action-Not Available
Vendor-Jenkins
Product-pipeline\Jenkins Pipeline: Build Step Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-23109
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.55% / 66.86%
||
7 Day CHG~0.00%
Published-12 Jan, 2022 | 19:06
Updated-03 Aug, 2024 | 03:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.

Action-Not Available
Vendor-Jenkins
Product-hashicorp_vaultJenkins HashiCorp Vault Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-22458
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.3||MEDIUM
EPSS-0.03% / 7.09%
||
7 Day CHG~0.00%
Published-22 Dec, 2022 | 21:14
Updated-15 Apr, 2025 | 13:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Verify Governance, Identity Manager information disclosure

IBM Security Verify Governance, Identity Manager 10.0.1 stores user credentials in plain clear text which can be read by a remote authenticated user. IBM X-Force ID: 225009.

Action-Not Available
Vendor-Linux Kernel Organization, IncIBM Corporation
Product-security_verify_governancelinux_kernelSecurity Verify Governance, Identity Manager
CWE ID-CWE-256
Plaintext Storage of a Password
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2017-14111
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-2.18% / 83.68%
||
7 Day CHG~0.00%
Published-17 Nov, 2017 | 20:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The workstation logging function in Philips IntelliSpace Cardiovascular (ISCV) 2.3.0 and earlier and Xcelera R4.1L1 and earlier records domain authentication credentials, which if accessed allows an attacker to use credentials to access the application, or other user entitlements.

Action-Not Available
Vendor-n/aPhilips
Product-xceleraintellispace_cardiovascularn/a
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-2221
Matching Score-4
Assigner-Devolutions Inc.
ShareView Details
Matching Score-4
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 44.11%
||
7 Day CHG~0.00%
Published-27 Jun, 2022 | 18:38
Updated-03 Aug, 2024 | 00:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Information Exposure vulnerability in My Account Settings of Devolutions Remote Desktop Manager before 2022.1.8 allows authenticated users to access credentials of other users. This issue affects: Devolutions Remote Desktop Manager versions prior to 2022.1.8.

Action-Not Available
Vendor-Devolutions
Product-remote_desktop_managerRemote Desktop Manager
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2024-22266
Matching Score-4
Assigner-VMware by Broadcom
ShareView Details
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-0.19% / 40.84%
||
7 Day CHG~0.00%
Published-08 May, 2024 | 03:59
Updated-15 Nov, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VMware Avi Load Balancer updates address multiple vulnerabilities

 VMware Avi Load Balancer contains an information disclosure vulnerability. A malicious actor with access to the system logs can view cloud connection credentials in plaintext.

Action-Not Available
Vendor-VMware (Broadcom Inc.)
Product-VMware Avi Load Balancer
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-1666
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.5||MEDIUM
EPSS-0.15% / 35.71%
||
7 Day CHG~0.00%
Published-24 Jun, 2022 | 15:00
Updated-16 Apr, 2025 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Secheron SEPCOS Control and Protection Relay

The default password for the web application’s root user (the vendor’s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool.

Action-Not Available
Vendor-secheronSecheron
Product-sepcos_control_and_protection_relaysepcos_control_and_protection_relay_firmwareSEPCOS Control and Protection Relay firmware package
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2023-49280
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.92% / 75.07%
||
7 Day CHG~0.00%
Published-04 Dec, 2023 | 22:33
Updated-27 Nov, 2024 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Data leak of password hash through xwiki change request

XWiki Change Request is an XWiki application allowing to request changes on a wiki without publishing directly the changes. Change request allows to edit any page by default, and the changes are then exported in an XML file that anyone can download. So it's possible for an attacker to obtain password hash of users by performing an edit on the user profiles and then downloading the XML file that has been created. This is also true for any document that might contain password field and that a user can view. This vulnerability impacts all version of Change Request, but the impact depends on the rights that has been set on the wiki since it requires for the user to have the Change request right (allowed by default) and view rights on the page to target. This issue cannot be easily exploited in an automated way. The patch consists in denying to users the right of editing pages that contains a password field with change request. It means that already existing change request for those pages won't be removed by the patch, administrators needs to take care of it. The patch is provided in Change Request 1.10, administrators should upgrade immediately. It's possible to workaround the vulnerability by denying manually the Change request right on some spaces, such as XWiki space which will include any user profile by default.

Action-Not Available
Vendor-XWiki SAS
Product-change_requestapplication-changerequest
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2019-13349
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.9||MEDIUM
EPSS-1.10% / 77.16%
||
7 Day CHG~0.00%
Published-05 Sep, 2019 | 17:19
Updated-04 Aug, 2024 | 23:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Knowage through 6.1.1, an authenticated user that accesses the users page will obtain all user password hashes.

Action-Not Available
Vendor-knowage-suiten/a
Product-knowagen/a
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2025-33079
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 11.00%
||
7 Day CHG~0.00%
Published-27 May, 2025 | 01:05
Updated-26 Aug, 2025 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Controller information disclosure

IBM Controller 11.0.0, 11.0.1, and 11.1.0 application could allow an authenticated user to obtain sensitive credentials that may be inadvertently included within the source code.

Action-Not Available
Vendor-IBM Corporation
Product-controllercognos_controllerCognos ControllerController
CWE ID-CWE-256
Plaintext Storage of a Password
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2023-46651
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 13.66%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 13:45
Updated-17 Sep, 2024 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1.

Action-Not Available
Vendor-Jenkins
Product-warningsJenkins Warnings Plugin
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2023-4538
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-6.2||MEDIUM
EPSS-0.05% / 14.36%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 08:32
Updated-23 Jan, 2025 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Shared Key in Comarch ERP XL

The database access credentials configured during installation are stored in a special table, and are encrypted with a shared key, same among all Comarch ERP XL client installations. This could allow an attacker with access to that table to retrieve plain text passwords. This issue affects ERP XL: from 2020.2.2 through 2023.2.

Action-Not Available
Vendor-comarchComarch
Product-erp_xlERP XL
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-43332
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 35.19%
||
7 Day CHG~0.00%
Published-12 Nov, 2021 | 20:45
Updated-04 Aug, 2024 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.

Action-Not Available
Vendor-n/aDebian GNU/LinuxGNU
Product-mailmandebian_linuxn/a
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-42306
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-8.1||HIGH
EPSS-13.48% / 93.95%
||
7 Day CHG~0.00%
Published-24 Nov, 2021 | 01:05
Updated-04 Aug, 2024 | 03:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Azure Active Directory Information Disclosure Vulnerability

An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential  on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information. For more details on this issue, please refer to the MSRC Blog Entry.

Action-Not Available
Vendor-Microsoft Corporation
Product-azure_active_directoryazure_active_site_recoveryazure_automationazure_migrateAzure MigrateAzure AutomationAzure Site RecoveryAzure Active Directory
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-41297
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-8.8||HIGH
EPSS-0.17% / 38.34%
||
7 Day CHG~0.00%
Published-30 Sep, 2021 | 10:41
Updated-16 Sep, 2024 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ECOA BAS controller - Insufficiently Protected Credentials-1

ECOA BAS controller is vulnerable to weak access control mechanism allowing authenticated user to remotely escalate privileges by disclosing credentials of administrative accounts in plain-text.

Action-Not Available
Vendor-ecoaECOA
Product-ecs_router_controller-ecs_firmwareecs_router_controller-ecsriskbusterriskterminatorriskbuster_firmwareECS Router Controller ECS (FLASH)RiskBuster System RB 3.0.0RiskBuster System TRANE 1.0Graphic Control SoftwareRiskBuster Terminator E6L45SmartHome II E9246RiskTerminator
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-41972
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 47.95%
||
7 Day CHG~0.00%
Published-12 Nov, 2021 | 18:55
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Credentials leak

Apache Superset up to and including 1.3.1 allowed for database connections password leak for authenticated users. This information could be accessed in a non-trivial way.

Action-Not Available
Vendor-The Apache Software Foundation
Product-supersetApache Superset
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-44451
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.5||MEDIUM
EPSS-68.13% / 98.53%
||
7 Day CHG~0.00%
Published-01 Feb, 2022 | 13:16
Updated-04 Aug, 2024 | 04:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
API sensitive information leak

Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher.

Action-Not Available
Vendor-The Apache Software Foundation
Product-supersetApache Superset
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-42023
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 35.01%
||
7 Day CHG~0.00%
Published-14 Dec, 2021 | 00:00
Updated-04 Aug, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in ModelSim Simulation (All versions), Questa Simulation (All versions). The RSA white-box implementation in affected applications insufficiently protects the built-in private keys that are required to decrypt electronic intellectual property (IP) data in accordance with the IEEE 1735 recommended practice. This could allow a sophisticated attacker to discover the keys, bypassing the protection intended by the IEEE 1735 recommended practice.

Action-Not Available
Vendor-Siemens AG
Product-questamodelsimQuesta SimulationModelSim Simulation
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2017-0925
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-7.2||HIGH
EPSS-0.10% / 28.82%
||
7 Day CHG~0.00%
Published-21 Mar, 2018 | 20:00
Updated-05 Aug, 2024 | 13:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insufficiently protected credential issue in the project service integration API endpoint resulting in an information disclosure of plaintext password.

Action-Not Available
Vendor-Debian GNU/LinuxGitLab Inc.
Product-debian_linuxgitlabGitLab Community and Enterprise Editions
CWE ID-CWE-522
Insufficiently Protected Credentials
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2021-40360
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-8.8||HIGH
EPSS-0.31% / 53.93%
||
7 Day CHG~0.00%
Published-09 Feb, 2022 | 15:17
Updated-04 Aug, 2024 | 02:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). The password hash of a local user account in the remote server could be granted via public API to a user on the affected system. An authenticated attacker could brute force the password hash and use it to login to the server.

Action-Not Available
Vendor-Siemens AG
Product-simatic_winccsimatic_pcs_7SIMATIC WinCC V15 and earlierSIMATIC WinCC V17SIMATIC PCS 7 V9.1SIMATIC PCS 7 V9.0SIMATIC WinCC V7.4SIMATIC WinCC V7.5SIMATIC WinCC V16SIMATIC PCS 7 V8.2
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-41125
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.49% / 64.68%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 17:15
Updated-04 Aug, 2024 | 02:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP authentication credential leak to target websites in scrapy

Scrapy is a high-level web crawling and scraping framework for Python. If you use `HttpAuthMiddleware` (i.e. the `http_user` and `http_pass` spider attributes) for HTTP authentication, all requests will expose your credentials to the request target. This includes requests generated by Scrapy components, such as `robots.txt` requests sent by Scrapy when the `ROBOTSTXT_OBEY` setting is set to `True`, or as requests reached through redirects. Upgrade to Scrapy 2.5.1 and use the new `http_auth_domain` spider attribute to control which domains are allowed to receive the configured HTTP authentication credentials. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.5.1 is not an option, you may upgrade to Scrapy 1.8.1 instead. If you cannot upgrade, set your HTTP authentication credentials on a per-request basis, using for example the `w3lib.http.basic_auth_header` function to convert your credentials into a value that you can assign to the `Authorization` header of your request, instead of defining your credentials globally using `HttpAuthMiddleware`.

Action-Not Available
Vendor-scrapyscrapyDebian GNU/Linux
Product-scrapydebian_linuxscrapy
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-39046
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.9||MEDIUM
EPSS-0.14% / 35.53%
||
7 Day CHG~0.00%
Published-18 Mar, 2022 | 15:40
Updated-16 Sep, 2024 | 22:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 stores user credentials in plain clear text which can be read by a lprivileged user. IBM X-Force ID: 214346.

Action-Not Available
Vendor-IBM Corporation
Product-business_automation_workflowbusiness_process_managerBusiness Process ManagerBusiness Automation Workflow
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-36178
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 42.73%
||
7 Day CHG~0.00%
Published-06 Oct, 2021 | 09:18
Updated-25 Oct, 2024 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A insufficiently protected credentials in Fortinet FortiSDNConnector version 1.1.7 and below allows attacker to disclose third-party devices credential information via configuration page lookup.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisdnconnectorFortinet FortiSDNConnector
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-37187
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.31% / 53.26%
||
7 Day CHG~0.00%
Published-10 Dec, 2021 | 12:24
Updated-04 Aug, 2024 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Digi TransPort devices through 2021-07-21. An authenticated attacker may read a password file (with reversible passwords) from the device, which allows decoding of other users' passwords.

Action-Not Available
Vendor-digin/a
Product-transport_vc74transport_dr64transport_wr11_firmwaretransport_wr21transport_sr44transport_wr21_firmwaretransport_wr31transport_wr41transport_wr44transport_vc74_firmwaretransport_wr31_firmwaretransport_wr11_xttransport_wr11transport_dr64_firmwaretransport_wr41_firmwaretransport_wr11_xt_firmwaretransport_wr44_firmwaren/a
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-10755
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 52.39%
||
7 Day CHG~0.00%
Published-10 Jun, 2020 | 15:55
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the ``connection_info`` element in all Block Storage v3 Attachments API calls containing that element. This flaw enables an end-user to create a volume, make an API call to show the attachment detail information, and retrieve a username and password that may be used to connect to another user's volume. Additionally, these credentials are valid for the ScaleIO or VxFlex OS Management API, should an attacker discover the Management API endpoint. Source: OpenStack project

Action-Not Available
Vendor-Canonical Ltd.Red Hat, Inc.
Product-ubuntu_linuxopenstack-cinderopenstack-cinder
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2019-9868
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-0.30% / 52.97%
||
7 Day CHG~0.00%
Published-19 Mar, 2019 | 15:54
Updated-04 Aug, 2024 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The SMTP password is displayed to an administrator.

Action-Not Available
Vendor-n/aVeritas Technologies LLC
Product-netbackup_appliancen/a
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2019-9867
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-0.25% / 48.41%
||
7 Day CHG~0.00%
Published-19 Mar, 2019 | 15:53
Updated-04 Aug, 2024 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The proxy server password is displayed to an administrator.

Action-Not Available
Vendor-n/aVeritas Technologies LLC
Product-netbackup_appliancen/a
CWE ID-CWE-522
Insufficiently Protected Credentials
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next
Details not found