29 matches found
GHSA-WG5X-3G47-V38R fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode
When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain...
AVideo has Unauthenticated PGP Message Decryption via Public Endpoint
Summary The AVideo platform exposes a publicly accessible endpoint that performs server-side PGP decryption without requiring any form of authentication. Any anonymous user can submit a private key, ciphertext, and passphrase to the endpoint and receive the decrypted plaintext in the JSON respons...
Azure Linux 3.0 Security Update: samba (CVE-2022-2031)
The version of samba installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-2031 advisory. - A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a single...
MiracleLinux 3 : dovecot-1.0.7-7.1AXS3 (AXSA:2009-18:01)
The remote MiracleLinux 3 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2009-18:01 advisory. Dovecot is an IMAP server for Linux/UNIX-like systems, written with security primarily in mind. It also contains a small POP3 server. It supports mail...
EUVD-2008-4849
Malware in sbrugna...
EUVD-2022-5656
Malicious code in bioql PyPI...
EUVD-2023-2620
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2008-4870
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - dovecot 1.0.7 in Red Hat Enterprise Linux RHEL 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the...
CVE-2025-52374
Use of a hardcoded cryptographic key in Encryption.cs in hMailServer 5.8.6 and 5.6.9-beta allows an attacker to decrypt the passwords to other servers stored in the hMailAdmin.exe.config file and use them to access other hMailServer admin consoles with configured connections...
CVE-2018-1999036
An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log...
CVE-2024-47126
The goTenna Pro App does not use SecureRandom when generating passwords for sharing cryptographic keys. The random function in use makes it easier for attackers to brute force this password if the broadcasted encryption key is captured over RF. This only applies to the optional broadcast of an...
Information Disclosure
@tauri-apps/cli is vulnerable to Information Disclosure. This vulnerability is due to a commonly used misconfiguration which leads to the leakage of the private key and updater key password. If envPrefix: ['VITE_', 'TAURI_'] was pasted from the documentation into vite.config.ts, the TAURI_PRIVATE_KEY...
CVE-2023-0342
MongoDB Ops Manager Diagnostics Archive may not redact sensitive PEM key file password app settings. Archives do not include the PEM files themselves. This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and MongoDB Ops Manager v6.0 prior to 6.0.12...
SUSE CVE-2008-4870
dovecot 1.0.7 in Red Hat Enterprise Linux RHEL 5, and possibly Fedora, uses world-readable permissions for dovecot.conf, which allows local users to obtain the ssl_key_password parameter value...
SUSE CVE-2012-0425
LanItems.ycp in save_y2logs in yast2-network before 2.24.4 in SUSE YaST writes cleartext Wi-Fi credentials to the y2log log file, which allows context-dependent attackers to obtain sensitive information by reading the (1) WIRELESS_WPA_PASSWORD or (2) WIRELESS_CLIENT_KEY_PASSWORD field...
Default credentials
On Verizon 5G Home LVSKIHP InDoorUnit IDU 3.4.66.162 and OutDoorUnit ODU 3.33.101.0 devices, the CRTC and ODU RPC endpoints rely on a static account username/password for access control. This password can be generated via a binary included in the firmware, after ascertaining the MAC address of th...
Sifchain: Found key_adress and key_password in GitHub history
Summary: I found in your GitHub history key_adress and key_passwords. Steps To Reproduce: 1. Open url https://github.com/Sifchain/sifnode/commit/f21dcf05c7953693b82bba119bba5ca48982b6d0#diff-3b3ced8ca40f67dd52fd8031d9c2b5147c249a8c66b3aa066e355c0ee12fa14c 2. search for "key_password" and you will find...
Code injection
Mailvelope prior to 3.3.0 allows private key operations without user interaction via its client-API. By modifying a URL parameter in Mailvelope, an attacker is able to sign and encrypt arbitrary messages with Mailvelope, assuming the private key password is cached. A second vulnerability allows ...
Jenkins Coverity Plugin Information Disclosure Vulnerability
Jenkins is an open source continuous integration tool written in Java. A security vulnerability exists in the CIMInstance.java file in Jenkins Coverity Plugin 1.10.0 and earlier versions, which stems from the program storing passwords in plaintext. An attacke...