CWE-921
Storage of Sensitive Data in a Mechanism without Access Control
The product stores sensitive information in a file system or device that does not have built-in access control.
CVE-2021-27456 (GCVE-0-2021-27456)
Vulnerability from cvelistv5
Published
2022-03-23 19:46
Modified
2025-04-16 16:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-921 - Storage of Sensitive Data in a Mechanism without Access Control
Summary
Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-in access control.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Philips | Gemini 16 Slice |
Version: 882300 |
|||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:48:17.180Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-084-01"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.philips.com/productsecurity"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-27456",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T15:55:29.540028Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T16:41:17.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Gemini 16 Slice",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882300"
}
]
},
{
"product": "Gemini Dual",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882160"
}
]
},
{
"product": "Gemini GXL 10 Slice",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882400"
}
]
},
{
"product": "Gemini GXL 6 Slice",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882390"
}
]
},
{
"product": "Gemini GXL 16 Slice",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882410"
}
]
},
{
"product": "GEMINI LXL",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882412"
}
]
},
{
"product": "Gemini TF Ready",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882473"
}
]
},
{
"product": "Gemini TF 16 w/ TOF Performance",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882470"
}
]
},
{
"product": "Gemini TF 64 w/ TOF Performance",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882471"
}
]
},
{
"product": "Gemini TF Big Bore",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882476"
}
]
},
{
"product": "TruFlight Select PET/CT",
"vendor": "Philips",
"versions": [
{
"status": "affected",
"version": "882438"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jean GEORGE \u2013 CHU UCL Namur \u2013 Nuclear medicine department reported this vulnerability to Philips."
}
],
"descriptions": [
{
"lang": "en",
"value": "Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-in access control."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-921",
"description": "CWE-921 Storage of Sensitive Data in a Mechanism without Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-23T19:46:21.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-084-01"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.philips.com/productsecurity"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Philips Gemini PET/CT Storage of Sensitive Data in a Mechanism Without Access Control",
"workarounds": [
{
"lang": "en",
"value": "Philips has identified the following guidance and mitigations:\n Users should operate all Philips deployed and supported Gemini PET/CT systems within Philips authorized specifications, including Philips approved software, software configuration, system services, and security configuration.\n Philips also recommends users implement a comprehensive, multi-layered strategy to protect systems from internal and external security threats, including restricting physical access of the scanner and removable media to only authorized personnel to reduce the risk of physical access by an unauthorized user.\n Patient health related information recorded on removable media may become accessible to unauthorized individuals despite the application of the anonymize function, which could create a security risk.\n\nUsers with questions regarding their specific installations of the Gemini PET/CT Family should contact a Philips service support team. Philips contact information is available at https://www.usa.philips.com/healthcare/solutions/customer-service-solutions or 1-800-722-9377\n\nThe Philips advisory is available. Please see the Philips product security website for the latest security information for Philips products. "
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2021-27456",
"STATE": "PUBLIC",
"TITLE": "Philips Gemini PET/CT Storage of Sensitive Data in a Mechanism Without Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Gemini 16 Slice",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882300"
}
]
}
},
{
"product_name": "Gemini Dual",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882160"
}
]
}
},
{
"product_name": "Gemini GXL 10 Slice",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882400"
}
]
}
},
{
"product_name": "Gemini GXL 6 Slice",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882390"
}
]
}
},
{
"product_name": "Gemini GXL 16 Slice",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882410"
}
]
}
},
{
"product_name": "GEMINI LXL",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882412"
}
]
}
},
{
"product_name": "Gemini TF Ready",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882473"
}
]
}
},
{
"product_name": "Gemini TF 16 w/ TOF Performance",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882470"
}
]
}
},
{
"product_name": "Gemini TF 64 w/ TOF Performance",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882471"
}
]
}
},
{
"product_name": "Gemini TF Big Bore",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882476"
}
]
}
},
{
"product_name": "TruFlight Select PET/CT",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "882438"
}
]
}
}
]
},
"vendor_name": "Philips"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jean GEORGE \u2013 CHU UCL Namur \u2013 Nuclear medicine department reported this vulnerability to Philips."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-in access control."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-921 Storage of Sensitive Data in a Mechanism without Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-084-01",
"refsource": "CONFIRM",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsma-21-084-01"
},
{
"name": "https://www.philips.com/productsecurity",
"refsource": "CONFIRM",
"url": "https://www.philips.com/productsecurity"
}
]
},
"source": {
"discovery": "EXTERNAL"
},
"work_around": [
{
"lang": "en",
"value": "Philips has identified the following guidance and mitigations:\n Users should operate all Philips deployed and supported Gemini PET/CT systems within Philips authorized specifications, including Philips approved software, software configuration, system services, and security configuration.\n Philips also recommends users implement a comprehensive, multi-layered strategy to protect systems from internal and external security threats, including restricting physical access of the scanner and removable media to only authorized personnel to reduce the risk of physical access by an unauthorized user.\n Patient health related information recorded on removable media may become accessible to unauthorized individuals despite the application of the anonymize function, which could create a security risk.\n\nUsers with questions regarding their specific installations of the Gemini PET/CT Family should contact a Philips service support team. Philips contact information is available at https://www.usa.philips.com/healthcare/solutions/customer-service-solutions or 1-800-722-9377\n\nThe Philips advisory is available. Please see the Philips product security website for the latest security information for Philips products. "
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2021-27456",
"datePublished": "2022-03-23T19:46:21.000Z",
"dateReserved": "2021-02-19T00:00:00.000Z",
"dateUpdated": "2025-04-16T16:41:17.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2665 (GCVE-0-2023-2665)
Vulnerability from cvelistv5
Published
2023-05-12 00:00
Modified
2025-01-24 15:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-921 - Storage of Sensitive Data in a Mechanism without Access Control
Summary
Storage of Sensitive Data in a Mechanism without Access Control in GitHub repository francoisjacquet/rosariosis prior to 11.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| francoisjacquet | francoisjacquet/rosariosis |
Version: unspecified < 11.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.757Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/42f38a84-8954-484d-b5ff-706ca0918194"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/francoisjacquet/rosariosis/commit/09d5afaa6be07688ca1a7ac3b755b5438109e986"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2665",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T15:58:00.495107Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T15:58:05.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "francoisjacquet/rosariosis",
"vendor": "francoisjacquet",
"versions": [
{
"lessThan": "11.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Storage of Sensitive Data in a Mechanism without Access Control in GitHub repository francoisjacquet/rosariosis prior to 11.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-921",
"description": "CWE-921 Storage of Sensitive Data in a Mechanism without Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/42f38a84-8954-484d-b5ff-706ca0918194"
},
{
"url": "https://github.com/francoisjacquet/rosariosis/commit/09d5afaa6be07688ca1a7ac3b755b5438109e986"
}
],
"source": {
"advisory": "42f38a84-8954-484d-b5ff-706ca0918194",
"discovery": "EXTERNAL"
},
"title": "Storage of Sensitive Data in a Mechanism without Access Control in francoisjacquet/rosariosis"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-2665",
"datePublished": "2023-05-12T00:00:00.000Z",
"dateReserved": "2023-05-12T00:00:00.000Z",
"dateUpdated": "2025-01-24T15:58:05.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41818 (GCVE-0-2023-41818)
Vulnerability from cvelistv5
Published
2024-05-03 14:03
Modified
2024-08-02 19:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-921 - Storage of Sensitive Data in a Mechanism without Access Control
Summary
An improper use of the SD card for sensitive data vulnerability was reported in the Motorola Device Help application that could allow a local attacker to read system logs.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41818",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T19:55:03.679957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:21:56.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:48.543Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178876"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Phones",
"vendor": "Motorola",
"versions": [
{
"lessThan": "2023-12-01",
"status": "affected",
"version": " ",
"versionType": "SPL"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sergey Toshin and Illia Khorolskyi of\u202fOversecured\u202f(ovesecured.com) "
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn improper use of the SD card for sensitive data vulnerability was reported in the Motorola Device Help application that could allow a local attacker to read system logs.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nAn improper use of the SD card for sensitive data vulnerability was reported in the Motorola Device Help application that could allow a local attacker to read system logs.\u00a0\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-921",
"description": "CWE-921: Storage of Sensitive Data in a Mechanism without Access Control ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T14:03:55.892Z",
"orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"shortName": "lenovo"
},
"references": [
{
"url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178876"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpdate your Motorola phone to the latest software version. Software versions with a Security Patch Level of 2023-12-01 or later include a fix for this vulnerability.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nUpdate your Motorola phone to the latest software version. Software versions with a Security Patch Level of 2023-12-01 or later include a fix for this vulnerability.\u00a0\n\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
"assignerShortName": "lenovo",
"cveId": "CVE-2023-41818",
"datePublished": "2024-05-03T14:03:55.892Z",
"dateReserved": "2023-09-01T14:25:26.474Z",
"dateUpdated": "2024-08-02T19:09:48.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41965 (GCVE-0-2023-41965)
Vulnerability from cvelistv5
Published
2023-09-18 19:29
Modified
2025-04-15 18:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-921 - Storage of Sensitive Data in a Mechanism without Access Control
Summary
Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Socomec | MODULYS GP (MOD3GP-SY-120K) |
Version: v01.12.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:09:49.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:socomec:modulys_gp_firmware:01.12.10:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "modulys_gp_firmware",
"vendor": "socomec",
"versions": [
{
"status": "affected",
"version": "01.12.10"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41965",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T13:26:35.867556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T13:31:28.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MODULYS GP (MOD3GP-SY-120K)",
"vendor": "Socomec",
"versions": [
{
"status": "affected",
"version": "v01.12.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Aar\u00f3n Flecha Men\u00e9ndez reported these vulnerabilities to CISA."
}
],
"datePublic": "2023-09-07T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-921",
"description": "CWE-921 Storage of Sensitive Data in a Mechanism without Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T18:26:43.433Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSocomec reports that MODULYS GP (MOD3GP-SY-120K) is an End-of-Life product. Socomec recommends using MODULYS GP2 (M4-S-XXX) instead. MODULYS GP2 (M4-S-XXX) is not affected by the above vulnerabilities.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Socomec reports that MODULYS GP (MOD3GP-SY-120K) is an End-of-Life product. Socomec recommends using MODULYS GP2 (M4-S-XXX) instead. MODULYS GP2 (M4-S-XXX) is not affected by the above vulnerabilities."
}
],
"source": {
"advisory": "ICSA-23-250-03",
"discovery": "EXTERNAL"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Socomec MOD3GP-SY-120K Insecure Storage of Sensitive Information",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-41965",
"datePublished": "2023-09-18T19:29:58.603Z",
"dateReserved": "2023-09-06T15:41:16.517Z",
"dateUpdated": "2025-04-15T18:26:43.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5206 (GCVE-0-2024-5206)
Vulnerability from cvelistv5
Published
2024-06-06 18:28
Modified
2024-08-01 21:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-921 - Storage of Sensitive Data in a Mechanism without Access Control
Summary
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| scikit-learn | scikit-learn/scikit-learn |
Version: unspecified < 1.5.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:scikit-learn:scikit-learn:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "scikit-learn",
"vendor": "scikit-learn",
"versions": [
{
"lessThan": "1.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5206",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T15:11:02.549686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T15:12:13.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:11.034Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "scikit-learn/scikit-learn",
"vendor": "scikit-learn",
"versions": [
{
"lessThan": "1.5.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A sensitive data leakage vulnerability was identified in scikit-learn\u0027s TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-921",
"description": "CWE-921 Storage of Sensitive Data in a Mechanism without Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T18:56:36.616Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c"
},
{
"url": "https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8"
}
],
"source": {
"advisory": "14bc0917-a85b-4106-a170-d09d5191517c",
"discovery": "EXTERNAL"
},
"title": "Sensitive Data Leakage in sklearn.feature_extraction.text.TfidfVectorizer in scikit-learn/scikit-learn"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-5206",
"datePublished": "2024-06-06T18:28:14.267Z",
"dateReserved": "2024-05-22T15:52:49.284Z",
"dateUpdated": "2024-08-01T21:03:11.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9334 (GCVE-0-2024-9334)
Vulnerability from cvelistv5
Published
2025-02-27 13:54
Modified
2025-02-27 14:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass.This issue affects Pallium Vehicle Tracking: before 17.10.2024.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| E-Kent | Pallium Vehicle Tracking |
Version: 0 < 17.10.2024 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T14:12:18.397204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T14:12:25.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pallium Vehicle Tracking",
"vendor": "E-Kent",
"versions": [
{
"lessThan": "17.10.2024",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mustafa Anil YILDIRIM"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass.\u003cp\u003eThis issue affects Pallium Vehicle Tracking: before 17.10.2024.\u003c/p\u003e"
}
],
"value": "Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass.This issue affects Pallium Vehicle Tracking: before 17.10.2024."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-921",
"description": "CWE-921 Storage of Sensitive Data in a Mechanism without Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T13:54:44.319Z",
"orgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"shortName": "TR-CERT"
},
"references": [
{
"url": "https://www.usom.gov.tr/bildirim/tr-25-0044"
}
],
"source": {
"advisory": "TR-25-0044",
"defect": [
"TR-25-0044"
],
"discovery": "UNKNOWN"
},
"title": "Information Disclosure in E-Kent\u0027s Pallium Vehicle Tracking",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca940d4e-fea4-4aa2-9a58-591a58b1ce21",
"assignerShortName": "TR-CERT",
"cveId": "CVE-2024-9334",
"datePublished": "2025-02-27T13:54:44.319Z",
"dateReserved": "2024-09-30T11:49:52.781Z",
"dateUpdated": "2025-02-27T14:12:25.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24843 (GCVE-0-2025-24843)
Vulnerability from cvelistv5
Published
2025-02-28 16:56
Modified
2025-02-28 21:50
Severity ?
5.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
5.1 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
5.1 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
VLAI Severity ?
EPSS score ?
CWE
Summary
Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Dario Health | USB-C Blood Glucose Monitoring System Starter Kit Android Applications |
Version: 0 < 5.8.7.0.36 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-28T21:50:31.032336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T21:50:42.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "USB-C Blood Glucose Monitoring System Starter Kit Android Applications",
"vendor": "Dario Health",
"versions": [
{
"lessThan": "5.8.7.0.36",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Dario Application Database and Internet-based Server Infrastructure",
"vendor": "Dario Health",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Noah Cutler and Manuel Del Rio of Accenture reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInsecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data.\u003c/span\u003e"
}
],
"value": "Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-921",
"description": "CWE-921",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T16:56:11.789Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-058-01"
},
{
"url": "https://www.dariohealth.com/contact/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDario Health recommends users update their Dario Health Android mobile application to the latest version. No other actions are required by users.\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "Dario Health recommends users update their Dario Health Android mobile application to the latest version. No other actions are required by users."
}
],
"source": {
"advisory": "ICSMA-25-058-01",
"discovery": "EXTERNAL"
},
"title": "Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application Storage of Sensitive Data in a Mechanism without Access Control",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDario Health recommends users perform the following mitigations:\u0026nbsp; \u003cbr\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdate the application from trusted sources.\u0026nbsp; \u003cbr\u003e\u003c/li\u003e\u003cli\u003eDon\u0027t use rooted/jailbroken devices.\u0026nbsp; \u003cbr\u003e\u003c/li\u003e\u003cli\u003eAvoid public untrusted network.\u0026nbsp; \u003cbr\u003e\u003c/li\u003e\u003cli\u003eFor more information \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.dariohealth.com/contact/\"\u003econtact Dario Health\u003c/a\u003e\u0026nbsp;directly.\u0026nbsp; \u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\n\n\u003cbr\u003e"
}
],
"value": "Dario Health recommends users perform the following mitigations:\u00a0 \n\n\n * Update the application from trusted sources.\u00a0 \n\n * Don\u0027t use rooted/jailbroken devices.\u00a0 \n\n * Avoid public untrusted network.\u00a0 \n\n * For more information contact Dario Health https://www.dariohealth.com/contact/ \u00a0directly."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-24843",
"datePublished": "2025-02-28T16:56:11.789Z",
"dateReserved": "2025-01-27T21:33:08.406Z",
"dateUpdated": "2025-02-28T21:50:42.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24870 (GCVE-0-2025-24870)
Vulnerability from cvelistv5
Published
2025-02-11 00:37
Modified
2025-02-18 18:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-921 - Storage of Sensitive Data in a Mechanism without Access Control
Summary
SAP GUI for Windows & RFC service credentials are incorrectly stored in the memory of the program allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly sensitive information. This has no impact on integrity, and availability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP GUI for Windows |
Version: BC-FES-GUI 8.00 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24870",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T05:51:12.545465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T18:06:30.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP GUI for Windows",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "BC-FES-GUI 8.00"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP GUI for Windows \u0026amp; RFC service credentials are incorrectly stored in the memory of the program allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly sensitive information. This has no impact on integrity, and availability.\u003c/p\u003e"
}
],
"value": "SAP GUI for Windows \u0026 RFC service credentials are incorrectly stored in the memory of the program allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly sensitive information. This has no impact on integrity, and availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-921",
"description": "CWE-921: Storage of Sensitive Data in a Mechanism without Access Control",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T00:37:05.969Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3562336"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Key \u0026 Secret Management vulnerability in SAP GUI for Windows",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-24870",
"datePublished": "2025-02-11T00:37:05.969Z",
"dateReserved": "2025-01-27T08:57:48.544Z",
"dateUpdated": "2025-02-18T18:06:30.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30016 (GCVE-0-2025-30016)
Vulnerability from cvelistv5
Published
2025-04-08 07:14
Modified
2025-04-10 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-921 - Storage of Sensitive Data in a Mechanism without Access Control
Summary
SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to which there is high impact on the Confidentiality, Integrity & Availability of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Financial Consolidation |
Version: FINANCE 1010 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30016",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T03:55:34.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Financial Consolidation",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "FINANCE 1010"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to which there is high impact on the Confidentiality, Integrity \u0026amp; Availability of the application.\u003c/p\u003e"
}
],
"value": "SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to which there is high impact on the Confidentiality, Integrity \u0026 Availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-921",
"description": "CWE-921: Storage of Sensitive Data in a Mechanism without Access Control",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T07:14:51.578Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3572688"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authentication Bypass Vulnerability in SAP Financial Consolidation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30016",
"datePublished": "2025-04-08T07:14:51.578Z",
"dateReserved": "2025-03-13T18:03:35.489Z",
"dateUpdated": "2025-04-10T03:55:34.053Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.