CWE-209
AllowedGeneration of Error Message Containing Sensitive Information
Abstraction: Base · Status: Draft
The product generates an error message that includes sensitive information about its environment, users, or associated data.
838 vulnerabilities reference this CWE, most recent first.
GHSA-4MW2-5G8M-W232
Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2025-01-07 18:30IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
{
"affected": [],
"aliases": [
"CVE-2021-20455"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T16:15:27Z",
"severity": "LOW"
},
"details": "IBM Cognos Controller 11.0.0 through 11.0.1 and IBM Controller 11.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.",
"id": "GHSA-4mw2-5g8m-w232",
"modified": "2025-01-07T18:30:49Z",
"published": "2025-01-07T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20455"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7179163"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4R2X-XPJR-7CVV
Vulnerability from github – Published: 2026-02-02 17:43 – Updated: 2026-07-17 16:17Summary
A chain of vulnerabilities in vLLM allow Remote Code Execution (RCE):
- Info Leak - PIL error messages expose memory addresses, bypassing ASLR
- Heap Overflow - JPEG2000 decoder in OpenCV/FFmpeg has a heap overflow that lets us hijack code execution
Result: Send a malicious video URL to vLLM Completions or Invocations for a video model -> Execute arbitrary commands on the server
Completely default vLLM instance directly from pip, or docker, does not have authentication so "None" privileges are required, but even with non-default api-key enabled configuration this exploit is feasible through invocations route that allows payload to execute pre-auth.
Example heap target is provided, other heap targets can be exploited as well to achieve rce. Leak allows for simple ASLR bypass. Leak + heap overflow achieves RCE on versions prior to 0.14.1.
Deployments not serving a video model are not affected.
1. Vulnerability Overview
1.1 The Bug: JPEG2000 cdef Box Heap Overflow
The JPEG2000 decoder used by OpenCV (cv2) honors a cdef box that can remap color channels. When Y (luma) is mapped into the U (chroma) plane buffer, the decoder writes a large Y plane into the smaller U buffer, causing a heap overflow.
Root Cause
- cdef allows channel remapping (e.g., Y→U, U→Y).
- Y plane size: W×H; U plane size: (W/2)×(H/2).
- Overflow size = W×H - (W/2×H/2) = 0.75 × W × H bytes.
Example (150×64)
- Y plane: 150×64 = 9,600 bytes
- U plane: 75×32 = 2,400 bytes
- Overflow: 7,200 bytes past the U buffer
1.2 Malicious cdef Box
Offset Size Field Value
0 4 Box Length 0x00000016 (22 bytes)
4 4 Box Type 'cdef'
8 2 N (channels) 0x0003
10 2 Channel 0 Cn 0x0000 (Y channel)
12 2 Channel 0 Typ 0x0000 (color)
14 2 Channel 0 Asoc 0x0002 (→ maps Y into U plane)
16 2 Channel 1 Cn 0x0001 (U channel)
18 2 Channel 1 Typ 0x0000 (color)
20 2 Channel 1 Asoc 0x0001 (→ maps U into Y plane)
22 2 Channel 2 Cn 0x0002 (V channel)
24 2 Channel 2 Typ 0x0000 (color)
26 2 Channel 2 Asoc 0x0003 (→ maps V plane)
Key control: Asoc=2 for channel 0 forces Y data into the U buffer, triggering the overflow.
Vulnerable Code Chain
1) Entry: vLLM accepts a remote video_url and downloads raw bytes
vLLM’s OpenAI-compatible API supports a video_url content part:
class VideoURL(TypedDict, total=False):
url: Required[str]
class ChatCompletionContentPartVideoParam(TypedDict, total=False):
video_url: Required[VideoURL]
type: Required[Literal["video_url"]]
Source: src/vllm/entrypoints/chat_utils.py.
When the URL is HTTP(S), vLLM downloads it as raw bytes and passes the bytes into the modality loader:
if url_spec.scheme.startswith("http"):
data = connection.get_bytes(url, timeout=fetch_timeout, allow_redirects=...)
return media_io.load_bytes(data)
Source: src/vllm/multimodal/utils.py (MediaConnector.load_from_url).
2) Decode: vLLM uses OpenCV (cv2) VideoCapture on an in-memory byte stream
The default video backend is OpenCV, and it constructs cv2.VideoCapture over a BytesIO buffer containing the downloaded bytes:
backend = cls().get_cv2_video_api()
cap = cv2.VideoCapture(BytesIO(data), backend, [])
if not cap.isOpened():
raise ValueError("Could not open video stream")
Source: src/vllm/multimodal/video.py (OpenCVVideoBackend.load_bytes).
The backend is selected from OpenCV’s stream-buffered backends registry:
import cv2.videoio_registry as vr
for backend in vr.getStreamBufferedBackends():
if vr.hasBackend(backend) and ...:
api_pref = backend
break
return api_pref
Source: src/vllm/multimodal/video.py (OpenCVVideoBackend.get_cv2_video_api).
Implication: vLLM is delegating container parsing + codec decode to OpenCV’s Video I/O stack (which, in typical builds, is backed by FFmpeg for MOV/MP4 and codecs like JPEG2000).
3) The actual overflow: Y (full-res) written into U (quarter-res)
When the decoder honors the remap and writes Y into the U-plane buffer, it writes too many bytes:
- Y plane bytes: (W \times H)
- U plane bytes: ((W/2) \times (H/2))
- Overflow bytes: (W \times H - (W/2 \times H/2) = 0.75 \times W \times H)
Concrete example tried (150×64):
- Y: (150 \times 64 = 9600) bytes
- U: (75 \times 32 = 2400) bytes
- Overflow: (9600 - 2400 = 7200) bytes past the end of the U allocation
This is a heap buffer overflow into whatever allocations follow the U-plane buffer in the decoder’s heap layout (structures, metadata, other buffers, etc.). The exact victims depend on build + runtime allocator layout.
The Exploit Chain
Vuln 1: PIL BytesIO Address Leak (ASLR Bypass)
When you send an invalid image to vLLM's multimodal endpoint, PIL throws an error like:
cannot identify image file <_io.BytesIO object at 0x7a95e299e750>
^^^^^^^^^^^^^^^^
LEAKED ADDRESS!
vLLM returns this error to the client, leaking a heap address. This address is ~10.33 GB before libc in memory. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses.
Vuln 2: JPEG2000 cdef Heap Overflow (RCE)
vLLM uses OpenCV (cv2) to decode videos. OpenCV bundles FFmpeg 5.1.x which has a heap overflow in the JPEG2000 decoder. The OpenCV is used for video decoding so if we build a video from JPEG2000 frames it will reach the vuln:
vLLM API Request to Completions/Invocation
↓
OpenCV cv2.VideoCapture()
↓
FFmpeg 5.1 (bundled in OpenCV)
↓
JPEG2000 decoder (libopenjp2)
↓
HEAP OVERFLOW via malicious "cdef" box
↓
Overwrite function pointer → RCE!
How the overflow works:
- JPEG2000 has a cdef box that remaps color channels
- We remap Y (luma) into the U (chroma) buffer
- Y plane = 9,600 bytes, U plane = 2,400 bytes
- On small geometry like 150x64 pixel image we get 7,200 bytes overflow past the U buffer. We can grow that exponentially by making bigger images.
- This overwrites an AVBuffer structure containing a free() function pointer. This could be any function pointer or other targets.
- We set free = system() and opaque = "command string"
- When the buffer is freed → system("our command") executes
vLLM Attack Surface
Affected Endpoints
Both multimodal endpoints are vulnerable:
POST /v1/chat/completions (with video_url in content)
POST /v1/invocations (with video_url in content)
Request Flow
1. Attacker sends request with video_url pointing to malicious .mov file
2. vLLM fetches the video from the URL
3. vLLM passes video bytes to cv2.VideoCapture()
4. OpenCV's bundled FFmpeg decodes JPEG2000 frames
5. Malicious cdef box triggers heap overflow
6. AVBuffer.free pointer overwritten with system()
7. When buffer is released → system("attacker command") executes
Versions Affected
| Component | Version | Notes |
|---|---|---|
| vLLM | >= 0.8.3, < 0.14.1 | Default config vulnerable when serving a video model |
| OpenCV (cv2) | 4.x with FFmpeg bundle | Bundled FFmpeg is vulnerable |
| FFmpeg | 5.1.x (bundled) | JPEG2000 cdef overflow |
| libopenjp2 | 2.x | Honors malicious cdef box |
Fixes
- https://github.com/vllm-project/vllm/pull/31987
- https://github.com/vllm-project/vllm/pull/32319
- https://github.com/vllm-project/vllm/pull/32668
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.3"
},
{
"fixed": "0.14.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22778"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-209",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-02T17:43:45Z",
"nvd_published_at": "2026-02-02T23:16:06Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\n**A chain of vulnerabilities in vLLM allow Remote Code Execution (RCE):**\n\n1. **Info Leak** - PIL error messages expose memory addresses, bypassing ASLR\n2. **Heap Overflow** - JPEG2000 decoder in OpenCV/FFmpeg has a heap overflow that lets us hijack code execution\n\n**Result:** Send a malicious video URL to vLLM Completions or Invocations **for a video model** -\u003e Execute arbitrary commands on the server\n\nCompletely default vLLM instance directly from pip, or docker, does not have authentication so \"None\" privileges are required, but even with non-default api-key enabled configuration this exploit is feasible through invocations route that allows payload to execute pre-auth. \n\nExample heap target is provided, other heap targets can be exploited as well to achieve rce. Leak allows for simple ASLR bypass. Leak + heap overflow achieves RCE on versions prior to 0.14.1. \n\nDeployments not serving a video model are not affected.\n\n---\n\n\n## 1. Vulnerability Overview\n\n### 1.1 The Bug: JPEG2000 cdef Box Heap Overflow\nThe JPEG2000 decoder used by OpenCV (cv2) honors a `cdef` box that can remap color channels. When Y (luma) is mapped into the U (chroma) plane buffer, the decoder writes a large Y plane into the smaller U buffer, causing a heap overflow.\n\n**Root Cause**\n- `cdef` allows channel remapping (e.g., Y\u2192U, U\u2192Y).\n- Y plane size: `W\u00d7H`; U plane size: `(W/2)\u00d7(H/2)`.\n- Overflow size = `W\u00d7H - (W/2\u00d7H/2)` = `0.75 \u00d7 W \u00d7 H` bytes.\n\n**Example (150\u00d764)**\n- Y plane: 150\u00d764 = 9,600 bytes \n- U plane: 75\u00d732 = 2,400 bytes \n- Overflow: 7,200 bytes past the U buffer\n\n### 1.2 Malicious cdef Box\n```\nOffset Size Field Value\n0 4 Box Length 0x00000016 (22 bytes)\n4 4 Box Type \u0027cdef\u0027\n8 2 N (channels) 0x0003\n10 2 Channel 0 Cn 0x0000 (Y channel)\n12 2 Channel 0 Typ 0x0000 (color)\n14 2 Channel 0 Asoc 0x0002 (\u2192 maps Y into U plane)\n16 2 Channel 1 Cn 0x0001 (U channel)\n18 2 Channel 1 Typ 0x0000 (color)\n20 2 Channel 1 Asoc 0x0001 (\u2192 maps U into Y plane)\n22 2 Channel 2 Cn 0x0002 (V channel)\n24 2 Channel 2 Typ 0x0000 (color)\n26 2 Channel 2 Asoc 0x0003 (\u2192 maps V plane)\n```\nKey control: `Asoc=2` for channel 0 forces Y data into the U buffer, triggering the overflow.\n\n---\n\n## Vulnerable Code Chain\n\n### 1) Entry: vLLM accepts a remote `video_url` and downloads raw bytes\n\nvLLM\u2019s OpenAI-compatible API supports a `video_url` content part:\n\n```python\nclass VideoURL(TypedDict, total=False):\n url: Required[str]\n\nclass ChatCompletionContentPartVideoParam(TypedDict, total=False):\n video_url: Required[VideoURL]\n type: Required[Literal[\"video_url\"]]\n```\n\nSource: `src/vllm/entrypoints/chat_utils.py`.\n\nWhen the URL is HTTP(S), vLLM downloads it as **raw bytes** and passes the bytes into the modality loader:\n\n```python\nif url_spec.scheme.startswith(\"http\"):\n data = connection.get_bytes(url, timeout=fetch_timeout, allow_redirects=...)\n return media_io.load_bytes(data)\n```\n\nSource: `src/vllm/multimodal/utils.py` (`MediaConnector.load_from_url`).\n\n---\n\n### 2) Decode: vLLM uses OpenCV (cv2) VideoCapture on an in-memory byte stream\n\nThe default video backend is OpenCV, and it constructs `cv2.VideoCapture` over a `BytesIO` buffer containing the downloaded bytes:\n\n```python\nbackend = cls().get_cv2_video_api()\ncap = cv2.VideoCapture(BytesIO(data), backend, [])\nif not cap.isOpened():\n raise ValueError(\"Could not open video stream\")\n```\n\nSource: `src/vllm/multimodal/video.py` (`OpenCVVideoBackend.load_bytes`).\n\nThe backend is selected from OpenCV\u2019s stream-buffered backends registry:\n\n```python\nimport cv2.videoio_registry as vr\nfor backend in vr.getStreamBufferedBackends():\n if vr.hasBackend(backend) and ...:\n api_pref = backend\n break\nreturn api_pref\n```\n\nSource: `src/vllm/multimodal/video.py` (`OpenCVVideoBackend.get_cv2_video_api`).\n\n**Implication**: vLLM is delegating container parsing + codec decode to OpenCV\u2019s Video I/O stack (which, in typical builds, is backed by FFmpeg for MOV/MP4 and codecs like JPEG2000).\n\n---\n\n### 3) The actual overflow: Y (full-res) written into U (quarter-res)\n\nWhen the decoder honors the remap and writes Y into the U-plane buffer, it writes **too many bytes**:\n\n- Y plane bytes: \\(W \\times H\\)\n- U plane bytes: \\((W/2) \\times (H/2)\\)\n- Overflow bytes: \\(W \\times H - (W/2 \\times H/2) = 0.75 \\times W \\times H\\)\n\nConcrete example tried (150\u00d764):\n\n- **Y**: \\(150 \\times 64 = 9600\\) bytes \n- **U**: \\(75 \\times 32 = 2400\\) bytes \n- **Overflow**: \\(9600 - 2400 = 7200\\) bytes past the end of the U allocation\n\nThis is a **heap buffer overflow** into whatever allocations follow the U-plane buffer in the decoder\u2019s heap layout (structures, metadata, other buffers, etc.). The exact victims depend on build + runtime allocator layout.\n\n---\n\n## The Exploit Chain \n\n### Vuln 1: PIL BytesIO Address Leak (ASLR Bypass)\n\nWhen you send an **invalid image** to vLLM\u0027s multimodal endpoint, PIL throws an error like:\n\n```\ncannot identify image file \u003c_io.BytesIO object at 0x7a95e299e750\u003e\n ^^^^^^^^^^^^^^^^\n LEAKED ADDRESS!\n```\n\nvLLM returns this error to the client, **leaking a heap address**. This address is ~10.33 GB before `libc` in memory. With this leak, we reduce ASLR from **4 billion guesses to ~8 guesses**.\n\n### Vuln 2: JPEG2000 cdef Heap Overflow (RCE)\n\nvLLM uses **OpenCV (cv2)** to decode videos. OpenCV bundles **FFmpeg 5.1.x** which has a heap overflow in the JPEG2000 decoder. The OpenCV is used for video decoding so if we build a video from JPEG2000 frames it will reach the vuln:\n\n```\nvLLM API Request to Completions/Invocation\n \u2193\nOpenCV cv2.VideoCapture()\n \u2193\nFFmpeg 5.1 (bundled in OpenCV)\n \u2193\nJPEG2000 decoder (libopenjp2)\n \u2193\nHEAP OVERFLOW via malicious \"cdef\" box\n \u2193\nOverwrite function pointer \u2192 RCE!\n```\n\n**How the overflow works:**\n- JPEG2000 has a `cdef` box that remaps color channels\n- We remap Y (luma) into the U (chroma) buffer\n- Y plane = 9,600 bytes, U plane = 2,400 bytes\n- On small geometry like 150x64 pixel image we get **7,200 bytes overflow** past the U buffer. We can grow that exponentially by making bigger images. \n- This overwrites an `AVBuffer` structure containing a `free()` function pointer. This could be any function pointer or other targets. \n- We set `free = system()` and `opaque = \"command string\"`\n- When the buffer is freed \u2192 `system(\"our command\")` executes\n\n---\n\n## vLLM Attack Surface\n\n### Affected Endpoints\n\nBoth multimodal endpoints are vulnerable:\n\n```\nPOST /v1/chat/completions (with video_url in content)\nPOST /v1/invocations (with video_url in content)\n```\n\n### Request Flow\n\n```\n1. Attacker sends request with video_url pointing to malicious .mov file\n2. vLLM fetches the video from the URL\n3. vLLM passes video bytes to cv2.VideoCapture()\n4. OpenCV\u0027s bundled FFmpeg decodes JPEG2000 frames\n5. Malicious cdef box triggers heap overflow\n6. AVBuffer.free pointer overwritten with system()\n7. When buffer is released \u2192 system(\"attacker command\") executes\n```\n\n---\n\n## Versions Affected\n\n| Component | Version | Notes |\n|-----------|---------|-------|\n| vLLM | \u003e= 0.8.3, \u003c 0.14.1 | Default config vulnerable when serving a video model |\n| OpenCV (cv2) | 4.x with FFmpeg bundle | Bundled FFmpeg is vulnerable |\n| FFmpeg | 5.1.x (bundled) | JPEG2000 cdef overflow |\n| libopenjp2 | 2.x | Honors malicious cdef box |\n\n---\n\n## Fixes\n\n* https://github.com/vllm-project/vllm/pull/31987\n* https://github.com/vllm-project/vllm/pull/32319\n* https://github.com/vllm-project/vllm/pull/32668",
"id": "GHSA-4r2x-xpjr-7cvv",
"modified": "2026-07-17T16:17:12Z",
"published": "2026-02-02T17:43:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22778"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/32319"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/31987"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22778.json"
},
{
"type": "WEB",
"url": "https://pypi.org/project/vllm"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/releases/tag/v0.14.1"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2026-565.yaml"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-4r2x-xpjr-7cvv"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436113"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-22778"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3782"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3713"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3462"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3461"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30089"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30087"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19712"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM has RCE In Video Processing"
}
GHSA-4R65-35QQ-CH8J
Vulnerability from github – Published: 2022-03-04 00:00 – Updated: 2024-09-09 21:00Ansible is an IT automation system that handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. A flaw was found in Ansible Engine's ansible-connection module where sensitive information, such as the Ansible user credentials, is disclosed by default in the traceback error message when Ansible receives an unexpected response from set_options. The highest threat from this vulnerability is confidentiality.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.27"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3620"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-24T21:40:53Z",
"nvd_published_at": "2022-03-03T19:15:00Z",
"severity": "MODERATE"
},
"details": "Ansible is an IT automation system that handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. A flaw was found in Ansible Engine\u0027s ansible-connection module where sensitive information, such as the Ansible user credentials, is disclosed by default in the traceback error message when Ansible receives an unexpected response from `set_options`. The highest threat from this vulnerability is confidentiality.",
"id": "GHSA-4r65-35qq-ch8j",
"modified": "2024-09-09T21:00:59Z",
"published": "2022-03-04T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3620"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2021:3871"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2021:3872"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2021:3874"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2021:4703"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2021:4750"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2021-3620"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1975767"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-4r65-35qq-ch8j"
},
{
"type": "PACKAGE",
"url": "https://github.com/ansible/ansible"
},
{
"type": "WEB",
"url": "https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2022-164.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ansible discloses sensitive information in traceback error message"
}
GHSA-4V73-G3HV-W298
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02IBM OpenPages GRC Platform 8.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 182907.
{
"affected": [],
"aliases": [
"CVE-2020-4536"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-11T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM OpenPages GRC Platform 8.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 182907.",
"id": "GHSA-4v73-g3hv-w298",
"modified": "2022-05-24T19:02:04Z",
"published": "2022-05-24T19:02:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4536"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/182907"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6451239"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4WP5-FM78-39WQ
Vulnerability from github – Published: 2025-01-25 15:30 – Updated: 2025-01-25 15:30IBM Control Center 6.2.1 and 6.3.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
{
"affected": [],
"aliases": [
"CVE-2024-35111"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-25T14:15:28Z",
"severity": "MODERATE"
},
"details": "IBM Control Center 6.2.1 and 6.3.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.",
"id": "GHSA-4wp5-fm78-39wq",
"modified": "2025-01-25T15:30:31Z",
"published": "2025-01-25T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35111"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7174806"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4XJX-QW73-2V8V
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with it an exception occurs.
{
"affected": [],
"aliases": [
"CVE-2021-25958"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-30T14:15:00Z",
"severity": "HIGH"
},
"details": "In Apache Ofbiz, versions v17.12.01 to v17.12.07 implement a try catch exception to handle errors at multiple locations but leaks out sensitive table info which may aid the attacker for further recon. A user can register with a very long password, but when he tries to login with it an exception occurs.",
"id": "GHSA-4xjx-qw73-2v8v",
"modified": "2022-05-24T19:12:32Z",
"published": "2022-05-24T19:12:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25958"
},
{
"type": "WEB",
"url": "https://github.com/apache/ofbiz-framework/commit/2f5b8d33e32c4d9a48243cf9e503236acd5aec5c"
},
{
"type": "WEB",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25958"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4XWW-6H7V-29JG
Vulnerability from github – Published: 2022-01-21 23:37 – Updated: 2022-01-12 19:34livehelperchat is vulnerable to Generation of Error Message Containing Sensitive Information. There is an observable discrepancy between errors generated for users that exist and those that do not.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "remdex/livehelperchat"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.91"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0083"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-12T19:34:13Z",
"nvd_published_at": "2022-01-04T07:15:00Z",
"severity": "MODERATE"
},
"details": "livehelperchat is vulnerable to Generation of Error Message Containing Sensitive Information. There is an observable discrepancy between errors generated for users that exist and those that do not.",
"id": "GHSA-4xww-6h7v-29jg",
"modified": "2022-01-12T19:34:13Z",
"published": "2022-01-21T23:37:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0083"
},
{
"type": "WEB",
"url": "https://github.com/livehelperchat/livehelperchat/commit/fbed8728be59040a7218610e72f6eceb5f8bc152"
},
{
"type": "PACKAGE",
"url": "https://github.com/livehelperchat/livehelperchat"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/4c477440-3b03-42eb-a6e2-a31b55090736"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "User enumeration in livehelperchat"
}
GHSA-52M8-92P5-VW35
Vulnerability from github – Published: 2022-04-20 00:00 – Updated: 2022-04-28 00:00IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 213963.
{
"affected": [],
"aliases": [
"CVE-2021-39033"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-19T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 213963.",
"id": "GHSA-52m8-92p5-vw35",
"modified": "2022-04-28T00:00:42Z",
"published": "2022-04-20T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39033"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/213963"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6573049"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-53CH-Q6Q5-VJM5
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35HCL ZIE for Web is affetced by an Unrestricted File Upload vulnerability, If the server is configured to execute code, then it may be possible to obtain command execution on the server by uploading a file known as a web shell, which allows you to execute arbitrary code or operating system commands. For this attack to be successful, the file needs to be uploaded inside the Webroot, and the server must be configured to execute the code
{
"affected": [],
"aliases": [
"CVE-2025-59872"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-434"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:19:15Z",
"severity": "MODERATE"
},
"details": "HCL ZIE for Web is affetced by an Unrestricted File Upload vulnerability, If the server is configured to execute code, then it may be possible to obtain command execution on the server by uploading a file known as a web shell, which allows you to execute arbitrary code or operating system commands. For this attack to be successful, the file needs to be uploaded inside the Webroot, and the server must be configured to execute the code",
"id": "GHSA-53ch-q6q5-vjm5",
"modified": "2026-06-17T18:35:42Z",
"published": "2026-06-17T18:35:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59872"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0131549"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-549C-HV52-VXVM
Vulnerability from github – Published: 2025-05-28 03:30 – Updated: 2025-05-28 03:30IBM Security Guardium 12.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
{
"affected": [],
"aliases": [
"CVE-2025-25025"
],
"database_specific": {
"cwe_ids": [
"CWE-209"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-28T02:15:20Z",
"severity": "MODERATE"
},
"details": "IBM Security Guardium 12.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.",
"id": "GHSA-549c-hv52-vxvm",
"modified": "2025-05-28T03:30:33Z",
"published": "2025-05-28T03:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25025"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7234827"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
Mitigation
Handle exceptions internally and do not display errors containing potentially sensitive information to a user.
Mitigation MIT-33
Strategy: Attack Surface Reduction
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Mitigation MIT-40
Strategy: Compilation or Build Hardening
Debugging information should not make its way into a production release.
Mitigation MIT-40
Strategy: Environment Hardening
Debugging information should not make its way into a production release.
Mitigation
Where available, configure the environment to use less verbose error messages. For example, in PHP, disable the display_errors setting during configuration, or at runtime using the error_reporting() function.
Mitigation
Create default error pages or messages that do not leak any information.
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.
CAPEC-54: Query System for Information
An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.
CAPEC-7: Blind SQL Injection
Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.