Search
Total
309 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-39820 | 1 Nokia | 1 Network Functions Manager For Transport | 2024-01-03 | N/A | 6.5 MEDIUM |
| In Network Element Manager in NOKIA NFM-T R19.9, an Unprotected Storage of Credentials vulnerability occurs under /root/RestUploadManager.xml.DRC and /DEPOT/KECustom_199/OTNE_DRC/RestUploadManager.xml. A remote user, authenticated to the operating system, with access privileges to the directory /root or /DEPOT, is able to read cleartext credentials to access the web portal NFM-T and control all the PPS Network elements. | |||||
| CVE-2021-1731 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2023-12-29 | 2.1 LOW | 5.5 MEDIUM |
| PFX Encryption Security Feature Bypass Vulnerability | |||||
| CVE-2019-10206 | 3 Debian, Opensuse, Redhat | 4 Debian Linux, Backports Sle, Leap and 1 more | 2023-12-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them. | |||||
| CVE-2023-47741 | 1 Ibm | 2 Db2 Mirror For I, I | 2023-12-22 | N/A | 5.3 MEDIUM |
| IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser clients may leave clear-text passwords in browser memory that can be viewed using common browser tools before the memory is garbage collected. A malicious actor with access to the victim's PC could exploit this vulnerability to gain access to the IBM i operating system. IBM X-Force ID: 272532. | |||||
| CVE-2022-27216 | 1 Jenkins | 1 Dbcharts | 2023-12-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-29052 | 1 Jenkins | 1 Google Compute Engine | 2023-12-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-27217 | 1 Jenkins | 1 Vmware Vrealize Codestream | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-28135 | 1 Jenkins | 1 Instant-messaging | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-27218 | 1 Jenkins | 1 Incapptic Connect Uploader | 2023-12-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2021-25284 | 3 Debian, Fedoraproject, Saltstack | 3 Debian Linux, Fedora, Salt | 2023-12-21 | 1.9 LOW | 4.4 MEDIUM |
| An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level. | |||||
| CVE-2023-6791 | 1 Paloaltonetworks | 1 Pan-os | 2023-12-18 | N/A | 4.9 MEDIUM |
| A credential disclosure vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to obtain the plaintext credentials of stored external system integrations such as LDAP, SCP, RADIUS, TACACS+, and SNMP from the web interface. | |||||
| CVE-2023-50770 | 1 Jenkins | 1 Openid | 2023-12-18 | N/A | 6.7 MEDIUM |
| Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins. | |||||
| CVE-2023-44300 | 1 Dell | 2 Powerprotect Data Manager Dm5500, Powerprotect Data Manager Dm5500 Firmware | 2023-12-18 | N/A | 5.5 MEDIUM |
| Dell DM5500 5.14.0.0, contain a Plain-text Password Storage Vulnerability in the appliance. A local attacker with privileges could potentially exploit this vulnerability, leading to the disclosure of certain service credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | |||||
| CVE-2023-47722 | 1 Ibm | 1 Api Connect | 2023-12-12 | N/A | 5.5 MEDIUM |
| IBM API Connect V10.0.5.3 and V10.0.6.0 stores user credentials in browser cache which can be read by a local user. IBM X-Force ID: 271912. | |||||
| CVE-2023-24047 | 1 Connectize | 2 Ac21000 G6, Ac21000 G6 Firmware | 2023-12-08 | N/A | 6.8 MEDIUM |
| An Insecure Credential Management issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via use of weak hashing algorithm. | |||||
| CVE-2023-49280 | 1 Xwiki | 1 Change Request | 2023-12-08 | N/A | 6.5 MEDIUM |
| XWiki Change Request is an XWiki application allowing to request changes on a wiki without publishing directly the changes. Change request allows to edit any page by default, and the changes are then exported in an XML file that anyone can download. So it's possible for an attacker to obtain password hash of users by performing an edit on the user profiles and then downloading the XML file that has been created. This is also true for any document that might contain password field and that a user can view. This vulnerability impacts all version of Change Request, but the impact depends on the rights that has been set on the wiki since it requires for the user to have the Change request right (allowed by default) and view rights on the page to target. This issue cannot be easily exploited in an automated way. The patch consists in denying to users the right of editing pages that contains a password field with change request. It means that already existing change request for those pages won't be removed by the patch, administrators needs to take care of it. The patch is provided in Change Request 1.10, administrators should upgrade immediately. It's possible to workaround the vulnerability by denying manually the Change request right on some spaces, such as XWiki space which will include any user profile by default. | |||||
| CVE-2023-49653 | 1 Jenkins | 1 Jira | 2023-12-05 | N/A | 6.5 MEDIUM |
| Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. | |||||
| CVE-2022-20621 | 1 Jenkins | 1 Metrics | 2023-11-30 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2021-21681 | 1 Jenkins | 1 Nomad | 2023-11-22 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Nomad Plugin 0.7.4 and earlier stores Docker passwords unencrypted in the global config.xml file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34808 | 1 Jenkins | 1 Cisco Spark | 2023-11-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34809 | 1 Jenkins | 1 Rqm | 2023-11-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34816 | 1 Jenkins | 1 Hpe Network Virtualization | 2023-11-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins HPE Network Virtualization Plugin 1.0 stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34799 | 1 Jenkins | 1 Deployment Dashboard | 2023-11-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34800 | 1 Jenkins | 1 Build Notifications | 2023-11-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34803 | 1 Jenkins | 1 Opsgenie | 2023-11-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file system. | |||||
| CVE-2022-34802 | 1 Jenkins | 1 Rocketchat Notifier | 2023-11-22 | 4.0 MEDIUM | 4.3 MEDIUM |
| Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34805 | 1 Jenkins | 1 Skype Notifier | 2023-11-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-34806 | 1 Jenkins | 1 Jigomerge | 2023-11-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-34807 | 1 Jenkins | 1 Elasticsearch Query | 2023-11-22 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2023-41676 | 1 Fortinet | 1 Fortisiem | 2023-11-21 | N/A | 6.5 MEDIUM |
| An exposure of sensitive information to an unauthorized actor [CWE-200] in FortiSIEM version 7.0.0 and before 6.7.5 may allow an attacker with access to windows agent logs to obtain the windows agent password via searching through the logs. | |||||
| CVE-2022-28141 | 1 Jenkins | 1 Proxmox | 2023-11-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2020-17477 | 1 Univention | 1 Ucs\@school | 2023-11-16 | N/A | 6.5 MEDIUM |
| Incorrect LDAP ACLs in ucs-school-ldap-acls-master in UCS@school before 4.4v5-errata allow remote teachers, staff, and school administrators to read LDAP password hashes (sambaNTPassword, krb5Key, sambaPasswordHistory, and pwhistory) via LDAP search requests. For example, a teacher can gain administrator access via an NTLM hash. | |||||
| CVE-2022-0859 | 1 Mcafee | 1 Epolicy Orchestrator | 2023-11-15 | 4.4 MEDIUM | 6.7 MEDIUM |
| McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a local attacker to point an ePO server to an arbitrary SQL server during the restoration of the ePO server. To achieve this the attacker would have to be logged onto the server hosting the ePO server (restricted to administrators) and to know the SQL server password. | |||||
| CVE-2022-27206 | 1 Jenkins | 1 Gitlab Authentication | 2023-11-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-23109 | 1 Jenkins | 1 Hashicorp Vault | 2023-11-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed. | |||||
| CVE-2022-41247 | 1 Jenkins | 1 Bigpanda Notifier | 2023-11-13 | N/A | 4.3 MEDIUM |
| Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. | |||||
| CVE-2022-43419 | 1 Jenkins | 1 Katalon | 2023-11-13 | N/A | 6.5 MEDIUM |
| Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. | |||||
| CVE-2022-45384 | 1 Jenkins | 1 Reverse Proxy Auth | 2023-11-13 | N/A | 6.5 MEDIUM |
| Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. | |||||
| CVE-2023-31492 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2023-08-23 | N/A | 6.5 MEDIUM |
| Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users. | |||||
| CVE-2023-40345 | 1 Jenkins | 1 Delphix | 2023-08-18 | N/A | 6.5 MEDIUM |
| Jenkins Delphix Plugin 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Overall/Read permission to access and capture credentials they are not entitled to. | |||||
| CVE-2023-40347 | 1 Jenkins | 1 Maven Artifact Choicelistprovider \(nexus\) | 2023-08-18 | N/A | 6.5 MEDIUM |
| Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. | |||||
| CVE-2021-45097 | 1 Knime | 1 Knime Server | 2023-08-08 | 2.1 LOW | 5.5 MEDIUM |
| KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content. | |||||
| CVE-2021-39045 | 2 Ibm, Netapp | 2 Cognos Analytics, Oncommand Insight | 2023-08-08 | N/A | 5.5 MEDIUM |
| IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a local attacker to obtain information due to the autocomplete feature on password input fields. IBM X-Force ID: 214345. | |||||
| CVE-2022-28167 | 1 Broadcom | 1 Sannav | 2023-08-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| Brocade SANnav before Brocade SANvav v. 2.2.0.2 and Brocade SANanv v.2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log | |||||
| CVE-2022-3206 | 1 Passster Project | 1 Passster | 2023-08-02 | N/A | 5.9 MEDIUM |
| The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named "passster" using base64 encoding method which is easy to decode. This puts the password at risk in case the cookies get leaked. | |||||
| CVE-2023-36266 | 1 Keepersecurity | 2 Keeper, Keeperfill | 2023-07-31 | N/A | 5.5 MEDIUM |
| ** DISPUTED ** An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and information only remains available after logout because of memory-management limitations of web browsers (not because the Keeper technology itself is retaining the information). | |||||
| CVE-2021-28496 | 1 Arista | 1 Eos | 2022-07-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| On systems running Arista EOS and CloudEOS with the affected release version, when using shared secret profiles the password configured for use by BiDirectional Forwarding Detection (BFD) will be leaked when displaying output over eAPI or other JSON outputs to other authenticated users on the device. The affected EOS Versions are: all releases in 4.22.x train, 4.23.9 and below releases in the 4.23.x train, 4.24.7 and below releases in the 4.24.x train, 4.25.4 and below releases in the 4.25.x train, 4.26.1 and below releases in the 4.26.x train | |||||
| CVE-2021-28499 | 1 Arista | 2 7130, Metamako Operating System | 2022-07-29 | 2.1 LOW | 5.5 MEDIUM |
| In Arista's MOS (Metamako Operating System) software which is supported on the 7130 product line, user account passwords set in clear text could leak to users without any password. This issue affects: Arista Metamako Operating System MOS-0.18 and post releases in the MOS-0.1x train All releases in the MOS-0.2x train MOS-0.31.1 and prior releases in the MOS-0.3x train | |||||
| CVE-2021-33107 | 1 Intel | 446 Active Management Technology Software Development Kit, B150, B250 and 443 more | 2022-07-28 | 2.1 LOW | 4.6 MEDIUM |
| Insufficiently protected credentials in USB provisioning for Intel(R) AMT SDK before version 16.0.3, Intel(R) SCS before version 12.2 and Intel(R) MEBx before versions 11.0.0.0012, 12.0.0.0011, 14.0.0.0004 and 15.0.0.0004 may allow an unauthenticated user to potentially enable information disclosure via physical access. | |||||
| CVE-2022-27544 | 1 Hcltech | 1 Bigfix Platform | 2022-07-27 | N/A | 6.5 MEDIUM |
| BigFix Web Reports authorized users may see SMTP credentials in clear text. | |||||