Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-42451

Summary
Assigner-HCL
Assigner Org ID-1e47fe04-f25f-42fa-b674-36de2c5e3cfc
Published At-11 Oct, 2023 | 05:01
Updated At-29 Oct, 2024 | 13:41
Rejected At-
Credits

HCL BigFix Patch Management is vulnerable to insecurely stored credentials

Certain credentials within the BigFix Patch Management Download Plug-ins are stored insecurely and could be exposed to a local privileged user.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:HCL
Assigner Org ID:1e47fe04-f25f-42fa-b674-36de2c5e3cfc
Published At:11 Oct, 2023 | 05:01
Updated At:29 Oct, 2024 | 13:41
Rejected At:
▼CVE Numbering Authority (CNA)
HCL BigFix Patch Management is vulnerable to insecurely stored credentials

Certain credentials within the BigFix Patch Management Download Plug-ins are stored insecurely and could be exposed to a local privileged user.

Affected Products
Vendor
HCL Technologies Ltd.HCL Software
Product
BigFix Patch Management
Default Status
unaffected
Versions
Affected
  • site version 1054 and below
Metrics
VersionBase scoreBase severityVector
3.14.6MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 4.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108007
N/A
Hyperlink: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108007
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108007
x_transferred
Hyperlink: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108007
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.14.6MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Version: 3.1
Base score: 4.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@hcl.com
Published At:11 Oct, 2023 | 06:15
Updated At:29 Oct, 2024 | 14:35

Certain credentials within the BigFix Patch Management Download Plug-ins are stored insecurely and could be exposed to a local privileged user.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.4MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Secondary3.14.6MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Secondary3.14.6MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 4.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
CPE Matches
HCL Technologies Ltd.
hcltech
>>bigfix_patch_management>>Versions before 1055(exclusive)
cpe:2.3:a:hcltech:bigfix_patch_management:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-522Primarynvd@nist.gov
CWE ID: CWE-522
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108007psirt@hcl.com
Vendor Advisory
Hyperlink: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108007
Source: psirt@hcl.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

30Records found
CVE-2024-23551
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.5||MEDIUM
EPSS-0.04% / 8.63%
||
7 Day CHG~0.00%
Published-07 May, 2024 | 21:46
Updated-01 Aug, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Compliance is potentially affected by Oracle database credentials stored at endpoint

Database scanning using username and password stores the credentials in plaintext or encoded format within files at the endpoint. This has been identified as a significant security risk. This will lead to exposure of sensitive information for unauthorized access, potentially leading to severe consequences such as data breaches, unauthorized data manipulation, and compromised system integrity.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-BigFix Compliancebigfix_compliance
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2024-23583
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.7||MEDIUM
EPSS-0.03% / 5.38%
||
7 Day CHG~0.00%
Published-17 May, 2024 | 23:06
Updated-01 Aug, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Platform is susceptible to insufficiently protected credentials

An attacker could potentially intercept credentials via the task manager and perform unauthorized access to the Client Deploy Tool on Windows systems.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-BigFix Platformbigfix_platform
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-44758
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 29.33%
||
7 Day CHG~0.00%
Published-11 Oct, 2023 | 06:00
Updated-18 Sep, 2024 | 20:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Insights for Vulnerability Remediation (IVR) is vulnerable to improper credential handling

BigFix Insights/IVR fixlet uses improper credential handling within certain fixlet content. An attacker can gain access to information that is not explicitly authorized.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_insights_for_vulnerability_remediationBigFix Insights for Vulnerability Remediation
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-27785
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.9||LOW
EPSS-0.06% / 19.39%
||
7 Day CHG~0.00%
Published-29 Jul, 2022 | 23:55
Updated-16 Sep, 2024 | 19:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Commerce could allow a local attacker to obtain sensitive personal information (CVE-2021-27785)

HCL Commerce's Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the website.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_commerceHCL Commerce
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-44757
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.75%
||
7 Day CHG~0.00%
Published-11 Oct, 2023 | 06:13
Updated-18 Sep, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Insights for Vulnerability Remediation (IVR) is vulnerable to weak cryptography

BigFix Insights for Vulnerability Remediation (IVR) uses weak cryptography that can lead to credential exposure. An attacker could gain access to sensitive information, modify data in unexpected ways, etc.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_insights_for_vulnerability_remediationBigFix Insights for Vulnerability Remediation
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-42445
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.9||MEDIUM
EPSS-0.09% / 27.03%
||
7 Day CHG+0.02%
Published-28 Nov, 2022 | 14:54
Updated-25 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Launch is vulnerable to Insufficiently Protected LDAP Search Credentials (CVE-2022-42445)

HCL Launch could allow a user with administrative privileges, including "Manage Security" permissions, the ability to recover a credential previously saved for performing authenticated LDAP searches.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_launchHCL Launch
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-27544
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5||MEDIUM
EPSS-0.19% / 41.09%
||
7 Day CHG~0.00%
Published-19 Jul, 2022 | 15:40
Updated-16 Sep, 2024 | 23:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Web Reports authorized users may see sensitive information in clear text

BigFix Web Reports authorized users may see SMTP credentials in clear text.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_platformHCL BigFix
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-27548
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.9||MEDIUM
EPSS-0.10% / 27.75%
||
7 Day CHG~0.00%
Published-06 Jul, 2022 | 20:25
Updated-16 Sep, 2024 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Launch is vulnerable to information disclosure which can be read by a local user.

HCL Launch stores user credentials in plain clear text which can be read by a local user.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_launchHCL Launch
CWE ID-CWE-256
Plaintext Storage of a Password
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-27560
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6||MEDIUM
EPSS-0.14% / 34.51%
||
7 Day CHG~0.00%
Published-30 Aug, 2022 | 21:25
Updated-16 Sep, 2024 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An insufficiently protected credential vulnerability affects HCL VersionVault Express

HCL VersionVault Express exposes administrator credentials.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-versionvault_expressHCL VersionVault Express
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2024-30119
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.7||LOW
EPSS-0.03% / 5.31%
||
7 Day CHG~0.00%
Published-14 Jun, 2024 | 21:34
Updated-02 Aug, 2024 | 01:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DRYiCE Optibot Reset Station is impacted by a missing Strict Transport Security Header

HCL DRYiCE Optibot Reset Station is impacted by a missing Strict Transport Security Header.  This could allow an attacker to intercept or manipulate data during redirection.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-DRYiCE Optibot Reset Stationdryice_optibot_reset_station
CWE ID-CWE-326
Inadequate Encryption Strength
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-4095
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6||MEDIUM
EPSS-0.03% / 5.38%
||
7 Day CHG~0.00%
Published-16 Jul, 2020 | 18:27
Updated-04 Aug, 2024 | 07:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

"BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment. The principle of least privilege should be applied to all BigFix deployments, limiting administrative access."

Action-Not Available
Vendor-n/aHCL Technologies Ltd.
Product-bigfix_platform"HCL BigFix Platform"
CWE ID-CWE-312
Cleartext Storage of Sensitive Information
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2024-42172
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 37.19%
||
7 Day CHG~0.00%
Published-11 Jan, 2025 | 06:44
Updated-16 May, 2025 | 13:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL MyXalytics is affected by broken authentication

HCL MyXalytics is affected by broken authentication. It allows attackers to compromise keys, passwords, and session tokens, potentially leading to identity theft and system control. This vulnerability arises from poor configuration, logic errors, or software bugs and can affect any application with access control, including databases, network infrastructure, and web applications.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsDRYiCE MyXalytics
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2024-25052
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.03% / 5.28%
||
7 Day CHG~0.00%
Published-13 Jun, 2024 | 13:45
Updated-07 Aug, 2024 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Jazz Reporting Service information disclosure

IBM Jazz Reporting Service 7.0.3 stores user credentials in plain clear text which can be read by an admin user. IBM X-Force ID: 283363.

Action-Not Available
Vendor-IBM Corporation
Product-jazz_reporting_serviceJazz Reporting Service
CWE ID-CWE-256
Plaintext Storage of a Password
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2024-22312
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.02% / 2.50%
||
7 Day CHG~0.00%
Published-10 Feb, 2024 | 15:41
Updated-10 Jun, 2025 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Storage Defender - Resiliency Service information disclosure

IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748.

Action-Not Available
Vendor-IBM Corporation
Product-storage_defender_resiliency_serviceStorage Defender - Resiliency Service
CWE ID-CWE-256
Plaintext Storage of a Password
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-45859
Matching Score-4
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-4
Assigner-Fortinet, Inc.
CVSS Score-3.9||LOW
EPSS-0.03% / 5.36%
||
7 Day CHG~0.00%
Published-03 May, 2023 | 21:26
Updated-22 Oct, 2024 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An insufficiently protected credentials vulnerability [CWE-522] in FortiNAC-F 7.2.0, FortiNAC 9.4.1 and below, 9.2.6 and below, 9.1.8 and below, 8.8.0 all versions, 8.7.0 all versions may allow a local attacker with system access to retrieve users' passwords.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortinacfortinac-fFortiNAC
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-20434
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.1||MEDIUM
EPSS-0.03% / 8.15%
||
7 Day CHG~0.00%
Published-23 Sep, 2021 | 17:10
Updated-17 Sep, 2024 | 01:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Verify Bridge 1.0.5.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 196346.

Action-Not Available
Vendor-IBM Corporation
Product-security_verify_bridgeSecurity Verify Bridge
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2025-21102
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-7.5||HIGH
EPSS-0.02% / 2.83%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 11:25
Updated-24 Jan, 2025 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell VxRail, versions 7.0.000 through 7.0.532, contain(s) a Plaintext Storage of a Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.

Action-Not Available
Vendor-Dell Inc.
Product-vxrail_s670vxrail_e665_firmwarevxrail_p670n_firmwarevxrail_e665fvxrail_p675nvxrail_p570_vcfvxrail_p580nvxrail_g560_vcfvxrail_v570_firmwarevxrail_e560f_vcfvxrail_p580n_vcfvxrail_v570_vcf_firmwarevxrail_vd-4520c_firmwarevxrail_vd-4000zvxrail_e665f_firmwarevxrail_p570vxrail_p670nvxrail_e560fvxrail_v670fvxrail_d560f_firmwarevxrail_vd-4520cvxrail_e665vxrail_e660nvxrail_e560_vcf_firmwarevxrail_e660f_firmwarevxrail_p570f_firmwarevxrail_p580n_firmwarevxrail_e560nvxrail_v570_vcfvxrail_e660n_firmwarevxrail_p570_firmwarevxrail_e560f_firmwarevxrail_vd-4510cvxrail_g560vxrail_e560n_firmwarevxrail_e665nvxrail_p570_vcf_firmwarevxrail_p675f_firmwarevxrail_e560n_vcfvxrail_e660_firmwarevxrail_e560f_vcf_firmwarevxrail_vd-4000wvxrail_g560_vcf_firmwarevxrail_g560fvxrail_v470vxrail_e460_firmwarevxrail_s570_vcfvxrail_p570f_vcf_firmwarevxrail_p670f_firmwarevxrail_e460vxrail_e660vxrail_e560_vcfvxrail_s670_firmwarevxrail_p670fvxrail_p470_firmwarevxrail_d560vxrail_d560fvxrail_v570vxrail_vd-4510c_firmwarevxrail_e560_firmwarevxrail_s570_vcf_firmwarevxrail_g560_firmwarevxrail_s470vxrail_v470_firmwarevxrail_p570fvxrail_e665n_firmwarevxrail_g560f_firmwarevxrail_v670f_firmwarevxrail_p675n_firmwarevxrail_vd-4000rvxrail_d560_firmwarevxrail_s570vxrail_s470_firmwarevxrail_s570_firmwarevxrail_e660fvxrail_vd-4000r_firmwarevxrail_e560vxrail_vd-4000z_firmwarevxrail_e560n_vcf_firmwarevxrail_p570f_vcfvxrail_vd-4000w_firmwarevxrail_p675fvxrail_p580n_vcf_firmwarevxrail_p470Dell VxRail HCI
CWE ID-CWE-256
Plaintext Storage of a Password
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2025-21111
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-7.5||HIGH
EPSS-0.02% / 2.38%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 17:38
Updated-24 Jan, 2025 | 19:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell VxRail, versions 8.0.000 through 8.0.311, contain(s) a Plaintext Storage of a Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.

Action-Not Available
Vendor-Dell Inc.
Product-vxrail_s670vxrail_e665_firmwarevxrail_p670n_firmwarevxrail_e665fvxrail_p675nvxrail_p570_vcfvxrail_p580nvxrail_g560_vcfvxrail_v570_firmwarevxrail_e560f_vcfvxrail_p580n_vcfvxrail_v570_vcf_firmwarevxrail_vd-4520c_firmwarevxrail_vd-4000zvxrail_e665f_firmwarevxrail_p570vxrail_p670nvxrail_e560fvxrail_v670fvxrail_d560f_firmwarevxrail_vd-4520cvxrail_e665vxrail_e660nvxrail_e560_vcf_firmwarevxrail_e660f_firmwarevxrail_p570f_firmwarevxrail_p580n_firmwarevxrail_e560nvxrail_v570_vcfvxrail_e660n_firmwarevxrail_p570_firmwarevxrail_e560f_firmwarevxrail_vd-4510cvxrail_g560vxrail_e560n_firmwarevxrail_e665nvxrail_p570_vcf_firmwarevxrail_p675f_firmwarevxrail_e560n_vcfvxrail_e660_firmwarevxrail_e560f_vcf_firmwarevxrail_vd-4000wvxrail_g560_vcf_firmwarevxrail_g560fvxrail_v470vxrail_e460_firmwarevxrail_s570_vcfvxrail_p570f_vcf_firmwarevxrail_p670f_firmwarevxrail_e460vxrail_e660vxrail_e560_vcfvxrail_s670_firmwarevxrail_p670fvxrail_p470_firmwarevxrail_d560vxrail_d560fvxrail_v570vxrail_vd-4510c_firmwarevxrail_e560_firmwarevxrail_s570_vcf_firmwarevxrail_g560_firmwarevxrail_s470vxrail_v470_firmwarevxrail_p570fvxrail_e665n_firmwarevxrail_g560f_firmwarevxrail_v670f_firmwarevxrail_p675n_firmwarevxrail_vd-4000rvxrail_d560_firmwarevxrail_s570vxrail_s470_firmwarevxrail_s570_firmwarevxrail_e660fvxrail_vd-4000r_firmwarevxrail_e560vxrail_vd-4000z_firmwarevxrail_e560n_vcf_firmwarevxrail_p570f_vcfvxrail_vd-4000w_firmwarevxrail_p675fvxrail_p580n_vcf_firmwarevxrail_p470Dell VxRail HCI
CWE ID-CWE-256
Plaintext Storage of a Password
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-34445
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-6||MEDIUM
EPSS-0.03% / 5.12%
||
7 Day CHG~0.00%
Published-10 Feb, 2023 | 20:41
Updated-26 Mar, 2025 | 15:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell PowerScale OneFS, versions 8.2.x through 9.3.x contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.

Action-Not Available
Vendor-Dell Inc.
Product-powerscale_onefsPowerScale OneFS
CWE ID-CWE-261
Weak Encoding for Password
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-4913
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.04% / 12.11%
||
7 Day CHG~0.00%
Published-04 Jan, 2021 | 14:00
Updated-16 Sep, 2024 | 23:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Cloud Pak System 2.3 could reveal credential information in the HTTP response to a local privileged user. IBM X-Force ID: 191288.

Action-Not Available
Vendor-IBM Corporation
Product-cloud_pak_systemCloud Pak System
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-1978
Matching Score-4
Assigner-Palo Alto Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Palo Alto Networks, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.09% / 27.12%
||
7 Day CHG~0.00%
Published-08 Apr, 2020 | 18:41
Updated-16 Sep, 2024 | 22:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
VM-Series on Microsoft Azure: Inadvertent collection of credentials in Tech support files on HA configured VMs

TechSupport files generated on Palo Alto Networks VM Series firewalls for Microsoft Azure platform configured with high availability (HA) inadvertently collect Azure dashboard service account credentials. These credentials are equivalent to the credentials associated with the Contributor role in Azure. A user with the credentials will be able to manage all the Azure resources in the subscription except for granting access to other resources. These credentials do not allow login access to the VMs themselves. This issue affects VM Series Plugin versions before 1.0.9 for PAN-OS 9.0. This issue does not affect VM Series in non-HA configurations or on other cloud platforms. It does not affect hardware firewall appliances. Since becoming aware of the issue, Palo Alto Networks has safely deleted all the tech support files with the credentials. We now filter and remove these credentials from all TechSupport files sent to us. The TechSupport files uploaded to Palo Alto Networks systems were only accessible by authorized personnel with valid Palo Alto Networks credentials. We do not have any evidence of malicious access or use of these credentials.

Action-Not Available
Vendor-Palo Alto Networks, Inc.
Product-pan-osvm-seriesVM-Series Plugin
CWE ID-CWE-255
Not Available
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-13344
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.07% / 20.73%
||
7 Day CHG~0.00%
Published-08 Oct, 2020 | 13:43
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue has been discovered in GitLab affecting all versions prior to 13.2.10, 13.3.7 and 13.4.2. Sessions keys are stored in plain-text in Redis which allows attacker with Redis access to authenticate as any user that has a session stored in Redis

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-10710
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-4.4||MEDIUM
EPSS-0.11% / 30.50%
||
7 Day CHG~0.00%
Published-16 Aug, 2022 | 00:00
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found where the Plaintext Candlepin password is disclosed while updating Red Hat Satellite through the satellite-installer. This flaw allows an attacker with sufficiently high privileges, such as root, to retrieve the Candlepin plaintext password.

Action-Not Available
Vendor-n/aThe Foreman
Product-foremanforeman-installer
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2019-4693
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6||MEDIUM
EPSS-0.02% / 3.30%
||
7 Day CHG~0.00%
Published-26 Aug, 2020 | 19:00
Updated-17 Sep, 2024 | 00:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores user credentials in plain in clear text which can be read by a local privileged user. IBM X-Force ID: 171831.

Action-Not Available
Vendor-IBM Corporation
Product-guardium_data_encryptionguardium_for_cloud_key_managementSecurity Guardium Data Encryption
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2017-12127
Matching Score-4
Assigner-Talos
ShareView Details
Matching Score-4
Assigner-Talos
CVSS Score-4.4||MEDIUM
EPSS-0.13% / 32.74%
||
7 Day CHG~0.00%
Published-14 May, 2018 | 20:00
Updated-17 Sep, 2024 | 02:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A password storage vulnerability exists in the operating system functionality of Moxa EDR-810 V4.1 build 17030317. An attacker with shell access could extract passwords in clear text from the device.

Action-Not Available
Vendor-Moxa Inc.Talos (Cisco Systems, Inc.)
Product-edr-810_firmwareedr-810Moxa
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2023-23370
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-6.7||MEDIUM
EPSS-0.02% / 4.57%
||
7 Day CHG~0.00%
Published-06 Oct, 2023 | 16:35
Updated-19 Sep, 2024 | 14:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QVPN Device Client

An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client. If exploited, the vulnerability could allow local authenticated administrators to gain access to user accounts and access sensitive data used by the user account via unspecified vectors. We have already fixed the vulnerability in the following version: QVPN Windows 2.1.0.0518 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qvpnQVPN Windows
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-4593
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.03% / 8.15%
||
7 Day CHG~0.00%
Published-24 Aug, 2020 | 15:30
Updated-16 Sep, 2024 | 22:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Guardium Insights 2.0.1 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 184747.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-security_guardium_insightslinux_kernelSecurity Guardium Insights
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-4602
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.04% / 9.90%
||
7 Day CHG~0.00%
Published-13 Jan, 2021 | 18:10
Updated-17 Sep, 2024 | 03:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Security Guardium Insights 2.0.2 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 184836.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, Inc
Product-security_guardium_insightslinux_kernelSecurity Guardium Insights
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-6239
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.4||MEDIUM
EPSS-0.03% / 7.99%
||
7 Day CHG~0.00%
Published-10 Jun, 2020 | 12:33
Updated-04 Aug, 2024 | 08:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Under certain conditions SAP Business One (Backup service), versions 9.3, 10.0, allows an attacker with admin permissions to view SYSTEM user password in clear text, leading to Information Disclosure.

Action-Not Available
Vendor-SAP SE
Product-business_oneSAP Business One (Backup service)
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2024-49817
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.02% / 2.46%
||
7 Day CHG~0.00%
Published-17 Dec, 2024 | 17:34
Updated-07 Jan, 2025 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Guardium Key Lifecycle Manager information disclosure

IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores user credentials in configuration files which can be read by a local privileged user.

Action-Not Available
Vendor-IBM Corporation
Product-security_guardium_key_lifecycle_managerSecurity Guardium Key Lifecycle Manager
CWE ID-CWE-260
Password in Configuration File
CWE ID-CWE-522
Insufficiently Protected Credentials
Details not found