{"containers": {"cna": {"affected": [{"product": "Valinor", "vendor": "CuyZ", "versions": [{"status": "affected", "version": "< 0.12.0"}]}], "descriptions": [{"lang": "en", "value": "Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use `Throwable#getMessage()` when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database connection exception showing database IP address/username/password, or a timeout detail / out of memory detail. Attackers could use this information for potential data exfiltration, denial of service attacks, enumeration attacks, etc. Version 0.12.0 contains a patch for this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-11T19:55:09.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/CuyZ/Valinor/releases/tag/0.12.0"}], "source": {"advisory": "GHSA-5pgm-3j3g-2rc7", "discovery": "UNKNOWN"}, "title": "Valinor error messages leading to potential data exfiltration", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31140", "STATE": "PUBLIC", "TITLE": "Valinor error messages leading to potential data exfiltration"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Valinor", "version": {"version_data": [{"version_value": "< 0.12.0"}]}}]}, "vendor_name": "CuyZ"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use `Throwable#getMessage()` when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database connection exception showing database IP address/username/password, or a timeout detail / out of memory detail. Attackers could use this information for potential data exfiltration, denial of service attacks, enumeration attacks, etc. Version 0.12.0 contains a patch for this vulnerability."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}]}, "references": {"reference_data": [{"name": "https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7", "refsource": "CONFIRM", "url": "https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7"}, {"name": "https://github.com/CuyZ/Valinor/releases/tag/0.12.0", "refsource": "MISC", "url": "https://github.com/CuyZ/Valinor/releases/tag/0.12.0"}]}, "source": {"advisory": "GHSA-5pgm-3j3g-2rc7", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:11:39.202Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/CuyZ/Valinor/releases/tag/0.12.0"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T15:40:23.748293Z", "id": "CVE-2022-31140", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T17:49:30.998Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31140", "datePublished": "2022-07-11T19:55:09.000Z", "dateReserved": "2022-05-18T00:00:00.000Z", "dateUpdated": "2025-04-22T17:49:30.998Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/CuyZ/Valinor/releases/tag/0.12.0", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:11:39.202Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-31140", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-22T15:40:23.748293Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T15:40:25.560Z"}}], "cna": {"title": "Valinor error messages leading to potential data exfiltration", "source": {"advisory": "GHSA-5pgm-3j3g-2rc7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "CuyZ", "product": "Valinor", "versions": [{"status": "affected", "version": "< 0.12.0"}]}], "references": [{"url": "https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/CuyZ/Valinor/releases/tag/0.12.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use `Throwable#getMessage()` when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database connection exception showing database IP address/username/password, or a timeout detail / out of memory detail. Attackers could use this information for potential data exfiltration, denial of service attacks, enumeration attacks, etc. Version 0.12.0 contains a patch for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-07-11T19:55:09.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "GHSA-5pgm-3j3g-2rc7", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 0.12.0"}]}, "product_name": "Valinor"}]}, "vendor_name": "CuyZ"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7", "name": "https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7", "refsource": "CONFIRM"}, {"url": "https://github.com/CuyZ/Valinor/releases/tag/0.12.0", "name": "https://github.com/CuyZ/Valinor/releases/tag/0.12.0", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use `Throwable#getMessage()` when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database connection exception showing database IP address/username/password, or a timeout detail / out of memory detail. Attackers could use this information for potential data exfiltration, denial of service attacks, enumeration attacks, etc. Version 0.12.0 contains a patch for this vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-31140", "STATE": "PUBLIC", "TITLE": "Valinor error messages leading to potential data exfiltration", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-31140", "state": "PUBLISHED", "dateUpdated": "2025-04-22T17:49:30.998Z", "dateReserved": "2022-05-18T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-07-11T19:55:09.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cuyz:valinor:*:*:*:*:*:*:*:*", "matchCriteriaId": "336B8945-62B0-4D76-A833-33F74C1DD0AF", "versionEndExcluding": "0.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use `Throwable#getMessage()` when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database connection exception showing database IP address/username/password, or a timeout detail / out of memory detail. Attackers could use this information for potential data exfiltration, denial of service attacks, enumeration attacks, etc. Version 0.12.0 contains a patch for this vulnerability."}, {"lang": "es", "value": "Valinor es una biblioteca de PHP que ayuda a mapear cualquier entrada en una estructura de objetos de valor fuertemente tipados. En versiones anteriores a 0.12.0, Valinor puede usar \"Throwable#getMessage()\" cuando no deber\u00eda tener permiso para hacerlo. Esto es un problema en casos como una excepci\u00f3n SQL que muestra un fragmento de SQL, una excepci\u00f3n de conexi\u00f3n a la base de datos que muestra la direcci\u00f3n IP/nombre de usuario/contrase\u00f1a de la base de datos, o un detalle de tiempo de espera / detalle de memoria agotada. Los atacantes podr\u00edan usar esta informaci\u00f3n para una potencial exfiltraci\u00f3n de datos, ataques de denegaci\u00f3n de servicio, ataques de enumeraci\u00f3n, etc. La versi\u00f3n 0.12.0 contiene un parche para esta vulnerabilidad"}], "id": "CVE-2022-31140", "lastModified": "2024-11-21T07:03:58.947", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-11T20:15:08.747", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/CuyZ/Valinor/releases/tag/0.12.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/CuyZ/Valinor/releases/tag/0.12.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/CuyZ/Valinor/security/advisories/GHSA-5pgm-3j3g-2rc7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}