Total: 1069 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-26341 | 1 Intel | 3 Active Management Technology Software Development Kit, Endpoint Management Assistant, Manageability Commander | 2024-08-03 | 8.2 High |
Insufficiently protected credentials in software in Intel(R) AMT SDK before version 16.0.4.1, Intel(R) EMA before version 1.7.1 and Intel(R) MC before version 2.3.2 may allow an authenticated user to potentially enable escalation of privilege via network access. | ||||
CVE-2022-25180 | 2 Jenkins, Redhat | 2 Pipeline, Openshift | 2024-08-03 | 4.3 Medium |
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline. | ||||
CVE-2022-25184 | 2 Jenkins, Redhat | 2 Pipeline, Openshift | 2024-08-03 | 6.5 Medium |
Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs. | ||||
CVE-2022-24982 | 1 Jqueryform | 1 Jqueryform | 2024-08-03 | 6.5 Medium |
Forms generated by JQueryForm.com before 2022-02-05 allow a remote authenticated attacker to access the cleartext credentials of all other form users. admin.php contains a hidden base64-encoded string with these credentials. | ||||
CVE-2022-24978 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-03 | 8.8 High |
Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response. | ||||
CVE-2022-24867 | 1 Glpi-project | 1 Glpi | 2024-08-03 | 7.5 High |
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue. | ||||
CVE-2022-24610 | 1 Alecto | 2 Dvc-215ip, Dvc-215ip Firmware | 2024-08-03 | 8.6 High |
Settings/network settings/wireless settings on the Alecto DVC-215IP camera version 63.1.1.173 and below shows the Wi-Fi passphrase hidden, but by editing/removing the style of the password field the password becomes visible which grants access to an internal network connected to the camera. | ||||
CVE-2022-23725 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-08-03 | 7.7 High |
PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances. | ||||
CVE-2022-23538 | 1 Sylabs | 1 Singularity Container Services Library | 2024-08-03 | 5.2 Medium |
github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when communicating with a Singularity Enterprise 1.x installation, or third party server implementing this flow. Interaction with Singularity Enterprise 2.x, and Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. We encourage all users to update. Users who interact with a Singularity Enterprise 1.x installation, using a 3rd party S3 storage service, are advised to revoke and recreate their authentication tokens within Singularity Enterprise. There is no workaround available at this time. | ||||
CVE-2022-23223 | 1 Apache | 1 Shenyu | 2024-08-03 | 7.5 High |
On Apache ShenYu versions 2.4.0 and 2.4.1, an endpoint existed that disclosed the passwords of all users. Users are recommended to upgrade to version 2.4.2 or later. | ||||
CVE-2022-23117 | 1 Jenkins | 1 Conjur Secrets | 2024-08-03 | 7.5 High |
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller. | ||||
CVE-2022-23114 | 1 Jenkins | 1 Publish Over Ssh | 2024-08-03 | 3.3 Low |
Jenkins Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | ||||
CVE-2022-23109 | 1 Jenkins | 1 Hashicorp Vault | 2024-08-03 | 6.5 Medium |
Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed. | ||||
CVE-2022-22983 | 1 Vmware | 1 Workstation | 2024-08-03 | 5.9 Medium |
VMware Workstation (16.x prior to 16.2.4) contains an unprotected storage of credentials vulnerability. A malicious actor with local user privileges to the victim machine may exploit this vulnerability leading to the disclosure of user passwords of the remote server connected through VMware Workstation. | ||||
CVE-2022-22998 | 2 Linux, Westerndigital | 5 Linux Kernel, My Cloud Home, My Cloud Home Duo and 2 more | 2024-08-03 | 8 High |
Implemented protections on AWS credentials that were not properly protected. | ||||
CVE-2022-22908 | 1 Sangfor | 1 Vdi Client | 2024-08-03 | 5.5 Medium |
SangforCSClient.exe in Sangfor VDI Client 5.4.2.1006 allows attackers, when they are able to read process memory, to discover the contents of the Username and Password fields. | ||||
CVE-2022-22458 | 2 Ibm, Linux | 2 Security Verify Governance, Linux Kernel | 2024-08-03 | 6.3 Medium |
IBM Security Verify Governance, Identity Manager 10.0.1 stores user credentials in plain clear text which can be read by a remote authenticated user. IBM X-Force ID: 225009. | ||||
CVE-2022-20621 | 1 Jenkins | 1 Metrics | 2024-08-03 | 5.5 Medium |
Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. | ||||
CVE-2022-4693 | 1 Pickplugins | 1 User Verification | 2024-08-03 | 9.8 Critical |
The User Verification WordPress plugin before 1.0.94 was affected by an Auth Bypass security vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrative role on the website. | ||||
CVE-2022-4612 | 1 Clickstudios | 1 Passwordstate | 2024-08-03 | 4.3 Medium |
A vulnerability has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome and classified as problematic. This vulnerability affects unknown code. The manipulation leads to insufficiently protected credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. VDB-216274 is the identifier assigned to this vulnerability. | ||||