Filtered by CWE-532
Total 800 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-14782 1 Control-webpanel 1 Webpanel 2024-08-05 6.5 Medium
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.856 through 0.9.8.864 allows an attacker to get a victim's session file name from the /tmp directory, and the victim's token value from /usr/local/cwpsrv/logs/access_log, then use them to make a request to extract the victim's password (for the OS and phpMyAdmin) via an attacker account.
CVE-2019-14268 1 Octopus 1 Octopus Deploy 2024-08-05 N/A
In Octopus Deploy versions 3.0.19 to 2019.7.2, when a web request proxy is configured, an authenticated user (in certain limited circumstances) could trigger a deployment that writes the web request proxy password to the deployment log in cleartext. This is fixed in 2019.7.3. The fix was back-ported to LTS 2019.6.5 as well as LTS 2019.3.7.
CVE-2019-13515 1 Osisoft 1 Pi Web Api 2024-08-04 N/A
OSIsoft PI Web API 2018 and prior may allow disclosure of sensitive information.
CVE-2019-13509 1 Docker 1 Docker 2024-08-04 N/A
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.
CVE-2019-13098 2 Google, Tronlink 2 Android, Wallet 2024-08-04 N/A
The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.
CVE-2019-11549 1 Gitlab 1 Gitlab 2024-08-04 6.5 Medium
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. Gitaly has an information disclosure issue where HTTP/GIT credentials are included in logs on connection errors.
CVE-2019-11492 1 Projectsend 1 Projectsend 2024-08-04 N/A
ProjectSend before r1070 writes user passwords to the server logs.
CVE-2019-11465 1 Couchbase 1 Couchbase Server 2024-08-04 5.3 Medium
An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy. This has been fixed (in 5.5.4 and 6.0.1) so that usernames are tagged properly in the logs and are hashed out when the logs are redacted.
CVE-2019-11336 1 Sony 89 Kdl-50w800c, Kdl-50w805c, Kdl-50w807c and 86 more 2024-08-04 N/A
Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886.
CVE-2019-10695 1 Puppet 1 Continuous Delivery 2024-08-04 6.5 Medium
When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user’s username and password were exposed in the job’s Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the puppetlabs/cd4pe module.
CVE-2019-10370 1 Jenkins 1 Mask Passwords 2024-08-04 6.5 Medium
Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure.
CVE-2019-10343 1 Jenkins 1 Configuration As Code 2024-08-04 3.3 Low
Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.
CVE-2019-10364 1 Jenkins 1 Ec2 2024-08-04 5.5 Medium
Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log.
CVE-2019-10345 1 Jenkins 1 Configuration As Code 2024-08-04 5.5 Medium
Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export.
CVE-2019-10367 1 Jenkins 1 Configuration As Code 2024-08-04 5.5 Medium
Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.
CVE-2019-10358 1 Jenkins 1 Maven 2024-08-04 6.5 Medium
Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log.
CVE-2019-10194 2 Ovirt, Redhat 3 Ovirt, Rhev Manager, Virtualization Manager 2024-08-04 5.5 Medium
Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions, were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts.
CVE-2019-10212 2 Netapp, Redhat 9 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 6 more 2024-08-04 9.8 Critical
A flaw was found, in all versions under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.
CVE-2019-10213 1 Redhat 3 Enterprise Linux, Openshift, Openshift Container Platform 2024-08-04 6.5 Medium
OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.
CVE-2019-10195 3 Fedoraproject, Freeipa, Redhat 4 Fedora, Freeipa, Enterprise Linux and 1 more 2024-08-04 6.5 Medium
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed.