CWE-522
Allowed-with-ReviewInsufficiently Protected Credentials
Abstraction: Class · Status: Incomplete
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
1820 vulnerabilities reference this CWE, most recent first.
GHSA-3C9F-C64M-H4WC
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 19:59Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller as part of its configuration.
This key can be viewed by users with access to the Jenkins controller file system.
Additionally, the global configuration form does not mask this key, increasing the potential for attackers to observe and capture it.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins.plugins.statistics.gatherer:statistics-gatherer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53654"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T21:01:13Z",
"nvd_published_at": "2025-07-09T16:15:24Z",
"severity": "MODERATE"
},
"details": "Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file `org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml` on the Jenkins controller as part of its configuration.\n\nThis key can be viewed by users with access to the Jenkins controller file system.\n\nAdditionally, the global configuration form does not mask this key, increasing the potential for attackers to observe and capture it.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-3c9f-c64m-h4wc",
"modified": "2025-11-05T19:59:15Z",
"published": "2025-07-09T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53654"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/statistics-gatherer-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3554"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Statistics Gatherer Plugin vulnerability exposes AWS Secret Key"
}
GHSA-3C9M-GQ32-G4JX
Vulnerability from github – Published: 2026-02-12 22:14 – Updated: 2026-02-27 20:42Impact
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. This may allow unauthorized access to registries or the NeuVector controller, potentially enabling image manipulation, information disclosure, or further lateral movement within the environment.
Important: - For the exposure of credentials not related to Rancher NeuVector, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services. - It is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.
Please consult the associated MITRE ATT&CK – Technique – Credential Access and Unsecured Credentials for further information about this category of attack.
Patches
Patched versions include release v4.072 and above.
Starting from version v4.072, the scanner monitor process does not pass credentials to the scanner anymore. Instead, scanner process gets credentials information from environment variables, preventing them from being exposed through /proc/*/cmdline.
Workarounds
There is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector scanner that contains the fix.
References
If you have any questions or comments about this advisory: - Reach out to the SUSE Rancher Security team for security related inquiries. - Open an issue in the NeuVector repository. - Verify with our support matrix and product support lifecycle.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/neuvector/scanner"
},
"ranges": [
{
"events": [
{
"introduced": "4.0"
},
{
"fixed": "4.072"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67860"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-12T22:14:02Z",
"nvd_published_at": "2026-02-25T11:16:02Z",
"severity": "LOW"
},
"details": "### Impact\nA vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. This may allow unauthorized access to registries or the NeuVector controller, potentially enabling image manipulation, information disclosure, or further lateral movement within the environment.\n\n**Important:**\n- For the exposure of credentials not related to Rancher NeuVector, the final impact severity for confidentiality, integrity and availability is dependent on the permissions the leaked credentials have on their services.\n- It is recommended to review for potentially leaked credentials in this scenario and to change them if deemed necessary.\n\nPlease consult the associated [MITRE ATT\u0026CK \u2013 Technique \u2013 Credential Access and Unsecured Credentials](https://attack.mitre.org/techniques/T1552/) for further information about this category of attack.\n\n### Patches\nPatched versions include release `v4.072` and above.\n\nStarting from version `v4.072`, the scanner monitor process does not pass credentials to the scanner anymore. Instead, scanner process gets credentials information from environment variables, preventing them from being exposed through `/proc/*/cmdline`.\n\n### Workarounds\nThere is no workaround for this issue. Users are recommended to upgrade, as soon as possible, to a version of NeuVector scanner that contains the fix.\n\n### References\nIf you have any questions or comments about this advisory:\n- Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).",
"id": "GHSA-3c9m-gq32-g4jx",
"modified": "2026-02-27T20:42:22Z",
"published": "2026-02-12T22:14:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/neuvector/scanner/security/advisories/GHSA-3c9m-gq32-g4jx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67860"
},
{
"type": "WEB",
"url": "https://github.com/neuvector/scanner/commit/c2f0f9268468e49eb3addea923156123c4465794"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-67860"
},
{
"type": "PACKAGE",
"url": "https://github.com/neuvector/scanner"
},
{
"type": "WEB",
"url": "https://github.com/neuvector/scanner/releases/tag/v4.072"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "NeuVector scanner insecurely handles passwords as command arguments"
}
GHSA-3CCQ-GCCX-PM7J
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2024-01-30 21:54An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to SonarQube.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.8"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:sonar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-1000425"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T21:54:16Z",
"nvd_published_at": "2019-01-09T23:29:00Z",
"severity": "HIGH"
},
"details": "An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to SonarQube.",
"id": "GHSA-3ccq-gccx-pm7j",
"modified": "2024-01-30T21:54:16Z",
"published": "2022-05-13T01:18:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000425"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1163"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106532"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Jenkins SonarQube Scanner Plugin stored server authentication token in plain text"
}
GHSA-3F6M-7JQ2-3X7M
Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-04-05 00:01Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure.
{
"affected": [],
"aliases": [
"CVE-2020-25184"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-18T18:15:00Z",
"severity": "MODERATE"
},
"details": "Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x stores the password in plaintext in a file that is in the same directory as the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords, resulting in information disclosure.",
"id": "GHSA-3f6m-7jq2-3x7m",
"modified": "2022-04-05T00:01:09Z",
"published": "2022-03-19T00:00:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25184"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-159-04"
},
{
"type": "WEB",
"url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-280-01"
},
{
"type": "WEB",
"url": "https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xylem-multismart-rockwell-isagraf.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3FRC-JF93-6V8P
Vulnerability from github – Published: 2026-02-27 00:31 – Updated: 2026-03-05 21:30Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
{
"affected": [],
"aliases": [
"CVE-2026-27773"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-27T00:16:58Z",
"severity": "MODERATE"
},
"details": "Charging station authentication identifiers are publicly accessible via web-based mapping platforms.",
"id": "GHSA-3frc-jf93-6v8p",
"modified": "2026-03-05T21:30:27Z",
"published": "2026-02-27T00:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27773"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-06.json"
},
{
"type": "WEB",
"url": "https://swtchenergy.com/contact"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3FWP-Q3Q8-Q56G
Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). Affected SIMATIC RTLS Locating Manager Track Viewer Client do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the Systemadministrator role.
{
"affected": [],
"aliases": [
"CVE-2024-33497"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T16:17:19Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions \u003c V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions \u003c V3.0.1.1). Affected SIMATIC RTLS Locating Manager Track Viewer Client do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the Systemadministrator role.",
"id": "GHSA-3fwp-q3q8-q56g",
"modified": "2024-05-14T18:31:01Z",
"published": "2024-05-14T18:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33497"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-093430.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3G66-9X43-7V6M
Vulnerability from github – Published: 2022-03-29 00:01 – Updated: 2022-04-08 00:00An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions.
{
"affected": [],
"aliases": [
"CVE-2022-0738"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-28T19:15:00Z",
"severity": "HIGH"
},
"details": "An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions.",
"id": "GHSA-3g66-9x43-7v6m",
"modified": "2022-04-08T00:00:33Z",
"published": "2022-03-29T00:01:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0738"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0738.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/27395"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3GW5-G9JG-7W5W
Vulnerability from github – Published: 2025-12-04 21:31 – Updated: 2025-12-05 21:30Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext.
{
"affected": [],
"aliases": [
"CVE-2025-63361"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T19:16:04Z",
"severity": "MODERATE"
},
"details": "Waveshare RS232/485 TO WIFI ETH (B) Serial to Ethernet/Wi-Fi Gateway Firmware V3.1.1.0: HW 4.3.2.1: Webpage V7.04T.07.002880.0301 was discovered to render the Administrator password in plaintext.",
"id": "GHSA-3gw5-g9jg-7w5w",
"modified": "2025-12-05T21:30:23Z",
"published": "2025-12-04T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63361"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/1AGv9KWMTB71NJfIOncuNO6FyK0UAqxmL/view?usp=sharing"
},
{
"type": "WEB",
"url": "https://otsecverse.github.io/OTSecVerse/posts/Post-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3H7W-W4QF-F3PR
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:10In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period.
{
"affected": [],
"aliases": [
"CVE-2019-12847"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-03T19:15:00Z",
"severity": "HIGH"
},
"details": "In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period.",
"id": "GHSA-3h7w-w4qf-f3pr",
"modified": "2024-04-04T01:10:08Z",
"published": "2022-05-24T16:49:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12847"
},
{
"type": "WEB",
"url": "https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3HWC-RQWP-V36Q
Vulnerability from github – Published: 2024-02-09 18:31 – Updated: 2025-02-13 19:15Insufficiently Protected Credentials vulnerability in Apache Solr.
This issue affects Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.
This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, both of which fix the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password".
Users who cannot upgrade can also use the following Java system property to fix the issue:
-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "8.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.solr:solr-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50291"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-09T21:43:19Z",
"nvd_published_at": "2024-02-09T18:15:08Z",
"severity": "HIGH"
},
"details": "Insufficiently Protected Credentials vulnerability in Apache Solr.\n\nThis issue affects Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0.\nOne of the two endpoints that publishes the Solr process\u0027 Java system properties, /admin/info/properties, was only setup to hide system properties that had \"password\" contained in the name.\nThere are a number of sensitive system properties, such as \"basicauth\" and \"aws.secretKey\" do not contain \"password\", thus their values were published via the \"/admin/info/properties\" endpoint.\nThis endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI.\n\nThis /admin/info/properties endpoint is protected under the \"config-read\" permission.\nTherefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the \"config-read\" permission.\nUsers are recommended to upgrade to version 9.3.0 or 8.11.3, both of which fix the issue.\nA single option now controls hiding Java system property for all endpoints, \"-Dsolr.hiddenSysProps\".\nBy default all known sensitive properties are hidden (including \"-Dbasicauth\"), as well as any property with a name containing \"secret\" or \"password\".\n\nUsers who cannot upgrade can also use the following Java system property to fix the issue:\n\u00a0 `-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*`",
"id": "GHSA-3hwc-rqwp-v36q",
"modified": "2025-02-13T19:15:10Z",
"published": "2024-02-09T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50291"
},
{
"type": "WEB",
"url": "https://github.com/apache/solr/commit/659021c7d50164a3166887f24875228431b02102"
},
{
"type": "WEB",
"url": "https://github.com/apache/solr/commit/98c198810f2cd934d23d0d80aadb570a2bbb3b8e"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/solr"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/SOLR-16809"
},
{
"type": "WEB",
"url": "https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/02/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Solr can leak certain passwords due to System Property redaction logic inconsistencies"
}
Mitigation
Use an appropriate security mechanism to protect the credentials.
Mitigation
Make appropriate use of cryptography to protect the credentials.
Mitigation
Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
CAPEC-474: Signature Spoofing by Key Theft
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.
CAPEC-509: Kerberoasting
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
CAPEC-551: Modify Existing Service
When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.
CAPEC-555: Remote Services with Stolen Credentials
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-561: Windows Admin Shares with Stolen Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-644: Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
CAPEC-645: Use of Captured Tickets (Pass The Ticket)
An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.