Total
803 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-13509 | 1 Docker | 1 Docker | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret. | |||||
| CVE-2019-13098 | 2 Google, Tronlink | 2 Android, Wallet | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications. | |||||
| CVE-2019-11549 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.8.9, 11.9.x before 11.9.10, and 11.10.x before 11.10.2. Gitaly has allows an information disclosure issue where HTTP/GIT credentials are included in logs on connection errors. | |||||
| CVE-2019-11492 | 1 Projectsend | 1 Projectsend | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| ProjectSend before r1070 writes user passwords to the server logs. | |||||
| CVE-2019-11465 | 1 Couchbase | 1 Couchbase Server | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase as part of a bug report included the usernames for all users currently logged into the system even if the log was redacted for privacy. This has been fixed (in 5.5.4 and 6.0.1) so that usernames are tagged properly in the logs and are hashed out when the logs are redacted. | |||||
| CVE-2019-11336 | 1 Sony | 89 Kdl-50w800c, Kdl-50w805c, Kdl-50w807c and 86 more | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
| Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886. | |||||
| CVE-2019-11293 | 1 Cloudfoundry | 2 Cf-deployment, User Account And Authentication | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
| Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters. | |||||
| CVE-2019-11292 | 1 Pivotal Software | 1 Operations Manager | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well. | |||||
| CVE-2019-11290 | 1 Cloudfoundry | 2 Cf-deployment, User Account And Authentication | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to tomcat’s access file. If the query parameters are used to provide authentication, ie. credentials, then they will be logged as well. | |||||
| CVE-2019-11283 | 2 Cloudfoundry, Pivotal Software | 2 Cf-deployment, Cloud Foundry Smb Volume | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally outputs sensitive information to the logs. A remote user with access to the SMB Volume logs can discover the username and password for volumes that have been recently created, allowing the user to take control of the SMB Volume. | |||||
| CVE-2019-11273 | 1 Pivotal Software | 1 Pivotal Container Service | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Pivotal Container Services (PKS) versions 1.3.x prior to 1.3.7, and versions 1.4.x prior to 1.4.1, contains a vulnerable component which logs the username and password to the billing database. A remote authenticated user with access to those logs may be able to retrieve non-sensitive information. | |||||
| CVE-2019-11250 | 2 Kubernetes, Redhat | 2 Kubernetes, Openshift Container Platform | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM |
| The Kubernetes client-go library logs request headers at verbosity levels of 7 or higher. This can disclose credentials to unauthorized users via logs or command output. Kubernetes components (such as kube-apiserver) prior to v1.16.0, which make use of basic or bearer token authentication, and run at high verbosity levels, are affected. | |||||
| CVE-2019-10695 | 1 Puppet | 1 Continuous Delivery | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| When using the cd4pe::root_configuration task to configure a Continuous Delivery for PE installation, the root user’s username and password were exposed in the job’s Job Details pane in the PE console. These issues have been resolved in version 1.2.1 of the puppetlabs/cd4pe module. | |||||
| CVE-2019-10370 | 1 Jenkins | 1 Mask Passwords | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure. | |||||
| CVE-2019-10367 | 1 Jenkins | 1 Configuration As Code | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied. | |||||
| CVE-2019-10364 | 1 Jenkins | 1 Ec2 | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Amazon EC2 Plugin 1.43 and earlier wrote the beginning of private keys to the Jenkins system log. | |||||
| CVE-2019-10358 | 1 Jenkins | 1 Maven | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins Maven Integration Plugin 3.3 and earlier did not apply build log decorators to module builds, potentially revealing sensitive build variables in the build log. | |||||
| CVE-2019-10345 | 1 Jenkins | 1 Configuration As Code | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export. | |||||
| CVE-2019-10343 | 1 Jenkins | 1 Configuration As Code | 2024-11-21 | 2.1 LOW | 3.3 LOW |
| Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied. | |||||
| CVE-2019-10212 | 2 Netapp, Redhat | 8 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 5 more | 2024-11-21 | 4.3 MEDIUM | 9.8 CRITICAL |
| A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. | |||||