CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,278 with exploits; 4,730 exploited in wild; 1,542 CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,568 researchers

1,290 results
CVE-2022-34800 4.3 MEDIUM EPSS 0.01
Jenkins Build Notifications - Insufficiently Protected Credentials
Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
CWE-522 Jun 30, 2022
CVE-2022-34799 4.3 MEDIUM EPSS 0.01
Jenkins Deployment Dashboard - Insufficiently Protected Credentials
Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
CWE-522 Jun 30, 2022
CVE-2022-31887 9.8 CRITICAL EPSS 0.00
Marvalglobal Marval Msm - Insufficiently Protected Credentials
Marval MSM v14.19.0.12476 has a 0-Click Account Takeover vulnerability which allows an attacker to change any user's password in the organization; this means that the user can also achieve privilege escalation by changing the administrator password.
CWE-522 Jun 28, 2022
CVE-2022-31085 6.1 MEDIUM 1 Writeup EPSS 0.00
LDAP Account Manager <8.0 - Info Disclosure
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled by configuration. This issue has been fixed in version 8.0. Users unable to upgrade should install the PHP OpenSSL extension and make sure session encryption is enabled in the LAM main configuration.
CWE-522 Jun 27, 2022
CVE-2022-2221 6.5 MEDIUM EPSS 0.00
Devolutions Remote Desktop Manager < 2022.1.8 - Information Disclosure
Information Exposure vulnerability in My Account Settings of Devolutions Remote Desktop Manager before 2022.1.8 allows authenticated users to access credentials of other users. This issue affects: Devolutions Remote Desktop Manager versions prior to 2022.1.8.
CWE-522 Jun 27, 2022
CVE-2022-28167 6.5 MEDIUM EPSS 0.00
Broadcom Sannav < 2.1.1.8 - Insufficiently Protected Credentials
Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav v2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log.
CWE-522 Jun 27, 2022
CVE-2022-33953 4.6 MEDIUM EPSS 0.00
IBM Robotic Process Automation <21.0.2 - Info Disclosure
IBM Robotic Process Automation 21.0.1 and 21.0.2 could allow a user with physical access to the system to obtain sensitive information due to insufficiently protected access tokens. IBM X-Force ID: 229198.
CWE-522 Jun 24, 2022
CVE-2022-2103 9.8 CRITICAL EPSS 0.00
FTP - Info Disclosure
An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories.
CWE-284 Jun 24, 2022
CVE-2022-1666 6.5 MEDIUM EPSS 0.00
Secheron Sepcos Control And Protectio... - Insufficiently Protected Credentials
The default password for the web application’s root user (the vendor’s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool.
CWE-522 Jun 24, 2022
CVE-2022-34213 6.5 MEDIUM EPSS 0.00
Jenkins Squash TM Publisher <1.0.0 - Info Disclosure
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
CWE-522 Jun 23, 2022
CVE-2022-34202 6.5 MEDIUM EPSS 0.00
Jenkins EasyQA Plugin <1.0 - Info Disclosure
Jenkins EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
CWE-522 Jun 23, 2022
CVE-2022-34199 6.5 MEDIUM EPSS 0.00
Jenkins Convertigo Mobile Platform Plugin <1.1 - Info Disclosure
Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
CWE-522 Jun 23, 2022
CVE-2022-21184 5.9 MEDIUM EPSS 0.00
Atvise - Cleartext Transmission
An information disclosure vulnerability exists in the License registration functionality of Bachmann Visutec GmbH Atvise 3.5.4, 3.6 and 3.7. A plaintext HTTP request can lead to a disclosure of login credentials. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
CWE-319 Jun 17, 2022
CVE-2020-28865 7.5 HIGH EPSS 0.00
Powerjob < 3.2.2 - Insufficiently Protected Credentials
An issue was discovered in PowerJob through 3.2.2 that allows attackers to change arbitrary user passwords via the id parameter to /appinfo/save.
CWE-522 Jun 16, 2022
CVE-2022-31044 7.5 HIGH EPSS 0.00
Rundeck <4.2.2 - Info Disclosure
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1, resulting in use of the encryption layer for Key Storage possibly not working. Any credentials created or overwritten using Rundeck 4.2.0 or 4.2.1 might result in them being written in plaintext to the backend storage. This affects those using any `Storage Converter` plugin. Rundeck 4.3.1 and 4.2.2 have fixed the code and upon upgrade will re-encrypt any plain text values. Version 4.3.0 does not have the vulnerability, but does not include the patch to re-encrypt plain text values if 4.2.0 or 4.2.1 were used. To prevent plaintext credentials from being stored in Rundeck 4.2.0/4.2.1, write access to key storage can be disabled via ACLs. After upgrading to 4.3.1 or later, write access can be restored.
CWE-522 Jun 15, 2022
CVE-2022-1342 4.6 MEDIUM EPSS 0.00
Devolutions Remote Desktop Manager < 2022.1.24 - Insufficiently Protected Credentials
A lack of password masking in Devolutions Remote Desktop Manager allows physically proximate attackers to observe sensitive data. A caching issue can cause sensitive fields to sometimes stay revealed when closing and reopening a panel, which could lead to involuntarily disclosing sensitive information. This issue affects: Devolutions Remote Desktop Manager 2022.1.24 version and prior versions.
CWE-549 Jun 15, 2022
CVE-2022-30231 4.9 MEDIUM EPSS 0.00
SICAM GridEdge (Classic) <V2.6.6 - Info Disclosure
A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.6.6). The affected application discloses password hashes of other users upon request. This could allow an authenticated user to retrieve another user's password hash.
CWE-522 Jun 14, 2022
CVE-2022-30587 7.5 HIGH EPSS 0.00
Gradle Enterprise < 2022.2.3 - Insufficiently Protected Credentials
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to information disclosure.
CWE-522 Jun 06, 2022
CVE-2022-22396 7.5 HIGH EPSS 0.00
IBM Spectrum Protect Plus <10.1.9.3 - Info Disclosure
Credentials are printed in clear text in the IBM Spectrum Protect Plus 10.1.0.0 through 10.1.9.3 virgo log file in certain cases. Credentials could be the remote vSnap, offload targets, or VADP credentials depending on the operation performed. Credentials that are using API key or certificate are not printed. IBM X-Force ID: 222231.
CWE-522 Jun 06, 2022
CVE-2022-29085 6.4 MEDIUM EPSS 0.00
Dell Unity <5.2.0.0.5.173 - Info Disclosure
Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.
CWE-522 Jun 02, 2022