Generation of Error Message Containing Sensitive Information

CVE-2022-31140

High

9.1/10

Summary

Valinor is a PHP library that helps to map any input into a strongly-typed value object structure. Prior to version 0.12.0, Valinor can use `Throwable#getMessage()` when it should not have permission to do so. This is a problem with cases such as an SQL exception showing an SQL snippet, a database connection exception showing database IP address/username/password, or a timeout detail / out of memory detail. Attackers could use this information for potential data exfiltration, denial of service attacks, enumeration attacks, etc. Version 0.12.0 contains a patch for this vulnerability.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-209 - Generation of Error Message Containing Sensitive Information

The software generates an error message that includes sensitive information about its environment, users, or associated data.

References

Advisory Timeline

Published Jul 11, 2022

Generation of Error Message Containing Sensitive Information

CVE-2022-31140

Summary

CWE-209 - Generation of Error Message Containing Sensitive Information

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS