Total: 853 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2019-11293 | 1 Cloudfoundry | 2 Cf-deployment, User Account And Authentication | 2024-11-21 | 6.5 Medium | Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters. |
CVE-2019-11292 | 1 Pivotal Software | 1 Operations Manager | 2024-11-21 | 6.5 Medium | Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well. |
CVE-2019-11290 | 1 Cloudfoundry | 2 Cf-deployment, User Account And Authentication | 2024-11-21 | 7.5 High | Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well. |
CVE-2019-11283 | 2 Cloudfoundry, Pivotal Software | 2 Cf-deployment, Cloud Foundry Smb Volume | 2024-11-21 | 8.8 High | Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume. |
CVE-2019-11273 | 1 Pivotal Software | 1 Pivotal Container Service | 2024-11-21 | 4.3 Medium | Pivotal Container Service (PKS) versions 1.3.x prior to 1.3.7, and versions 1.4.x prior to 1.4.1, contain a vulnerable component which logs the username and password to the billing database. A remote authenticated user with access to those logs may be able to retrieve non-sensitive information. |
CVE-2019-11271 | 1 Cloud Foundry | 1 Bosh | 2024-11-21 | 7.8 High | Cloud Foundry BOSH 270.x versions prior to v270.1.1 contain a BOSH Director that does not properly redact credentials when configured to use a MySQL database. A local authenticated malicious user may read any credentials that are contained in a BOSH manifest. |
CVE-2019-11250 | 2 Kubernetes, Redhat | 3 Kubernetes, Openshift, Openshift Container Platform | 2024-11-21 | 6.5 Medium | The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected. |
CVE-2019-10695 | 1 Puppet | 1 Continuous Delivery | 2024-11-21 | 6.5 Medium | When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user's username and password were exposed in the job's Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the puppetlabs/cd4pe module. |
CVE-2019-10370 | 1 Jenkins | 1 Mask Passwords | 2024-11-21 | 6.5 Medium | Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure. |
CVE-2019-10367 | 1 Jenkins | 1 Configuration As Code | 2024-11-21 | 5.5 Medium | Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied. |
CVE-2019-10364 | 1 Jenkins | 1 Ec2 | 2024-11-21 | 5.5 Medium | Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log. |
CVE-2019-10358 | 1 Jenkins | 1 Maven | 2024-11-21 | 6.5 Medium | Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log. |
CVE-2019-10345 | 1 Jenkins | 1 Configuration As Code | 2024-11-21 | 5.5 Medium | Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export. |
CVE-2019-10343 | 1 Jenkins | 1 Configuration As Code | 2024-11-21 | 3.3 Low | Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied. |
CVE-2019-10213 | 1 Redhat | 3 Enterprise Linux, Openshift, Openshift Container Platform | 2024-11-21 | 6.5 Medium | OpenShift Container Platform, versions 4.1 and 4.2, does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user. |
CVE-2019-10212 | 2 Netapp, Redhat | 9 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 6 more | 2024-11-21 | 9.8 Critical | A flaw was found in Undertow, all versions under 2.0.20, in the DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. |
CVE-2019-10195 | 3 Fedoraproject, Freeipa, Redhat | 4 Fedora, Freeipa, Enterprise Linux and 1 more | 2024-11-21 | 6.5 Medium | A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way that FreeIPA's batch processing API logged operations. This included passing user passwords in clear text on FreeIPA masters. Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA but is possible by third-party components. An attacker having access to system logs on FreeIPA masters could use this flaw to produce log file content with passwords exposed. |
CVE-2019-10194 | 2 Ovirt, Redhat | 3 Ovirt, Rhev Manager, Virtualization Manager | 2024-11-21 | 5.5 Medium | Sensitive passwords used in deployment and configuration of oVirt Metrics, all versions, were found to be insufficiently protected. Passwords could be disclosed in log files (if playbooks are run with -v) or in playbooks stored on Metrics or Bastion hosts. |
CVE-2019-10165 | 1 Redhat | 2 Openshift, Openshift Container Platform | 2024-11-21 | 2.3 Low | OpenShift Container Platform before version 4.1.3 writes OAuth tokens in plaintext to the audit logs for the Kubernetes API server and OpenShift API server. A user with sufficient privileges could recover OAuth tokens from these audit logs and use them to access other resources. |
CVE-2019-10084 | 1 Apache | 1 Impala | 2024-11-21 | 7.5 High | In Apache Impala 2.7.0 to 3.2.0, an authenticated user with access to the IDs of active Impala queries or sessions can interact with those sessions or queries via a specially-constructed request and thereby potentially bypass authorization and audit mechanisms. Session and query IDs are unique and random, but have not been documented or consistently treated as sensitive secrets. Therefore they may be exposed in logs or interfaces. They were also not generated with a cryptographically secure random number generator, so are vulnerable to random number generator attacks that predict future IDs based on past IDs. Impala deployments with Apache Sentry or Apache Ranger authorization enabled may be vulnerable to privilege escalation if an authenticated attacker is able to hijack a session or query from another authenticated user with privileges not assigned to the attacker. Impala deployments with audit logging enabled may be vulnerable to incorrect audit logging, as a user could undertake actions that were logged under the name of a different authenticated user. Constructing an attack requires a high degree of technical sophistication and access to the Impala system as an authenticated user. |