CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
398 vulnerabilities reference this CWE, most recent first.
GHSA-2379-HJPR-9MP3
Vulnerability from github – Published: 2025-11-04 00:32 – Updated: 2025-11-04 00:32A potential vulnerability was reported in some Lenovo Tablets that could allow a local authenticated user or application to gain access to sensitive device specific information.
{
"affected": [],
"aliases": [
"CVE-2025-11193"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-03T22:18:34Z",
"severity": "MODERATE"
},
"details": "A potential vulnerability was reported in some Lenovo Tablets that could allow a local authenticated user or application to gain access to sensitive device specific information.",
"id": "GHSA-2379-hjpr-9mp3",
"modified": "2025-11-04T00:32:29Z",
"published": "2025-11-04T00:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11193"
},
{
"type": "WEB",
"url": "https://support.lenovo.com/us/en/product_security/LEN-202383"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-23J7-PX3W-JWP2
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:13Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:xooa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53677"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T22:35:18Z",
"nvd_published_at": "2025-07-09T16:15:27Z",
"severity": "MODERATE"
},
"details": "Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it.",
"id": "GHSA-23j7-px3w-jwp2",
"modified": "2025-11-05T20:13:52Z",
"published": "2025-07-09T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53677"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/xooa-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3522"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Xooa Plugin vulnerability does not mask its Xooa Deployment Token"
}
GHSA-26X3-7JW5-7MG4
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 19:59Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller as part of its configuration.
This key can be viewed by users with access to the Jenkins controller file system.
Additionally, the global configuration form does not mask this key, increasing the potential for attackers to observe and capture it.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins.plugins.statistics.gatherer:statistics-gatherer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53655"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T21:06:45Z",
"nvd_published_at": "2025-07-09T16:15:24Z",
"severity": "MODERATE"
},
"details": "Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file `org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml` on the Jenkins controller as part of its configuration.\n\nThis key can be viewed by users with access to the Jenkins controller file system.\n\nAdditionally, the global configuration form does not mask this key, increasing the potential for attackers to observe and capture it.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-26x3-7jw5-7mg4",
"modified": "2025-11-05T19:59:23Z",
"published": "2025-07-09T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53655"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/statistics-gatherer-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3554"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Statistics Gatherer Plugin does not mask AWS Secret Key"
}
GHSA-273C-FJW8-V2W8
Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2023-10-27 20:00Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and in job config.xml files on the Jenkins controller as part of its configuration.
Additionally, they are transmitted in plain text as part of the respective configuration forms.
These API keys can be viewed by users with Item/Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:opsgenie"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-34803"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-12T21:24:32Z",
"nvd_published_at": "2022-06-30T18:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file `com.opsgenie.integration.jenkins.OpsGenieNotifier.xml` and in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nAdditionally, they are transmitted in plain text as part of the respective configuration forms.\n\nThese API keys can be viewed by users with Item/Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-273c-fjw8-v2w8",
"modified": "2023-10-27T20:00:04Z",
"published": "2022-07-01T00:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34803"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/opsgenie-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-1877"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins OpsGenie Plugin Plaintext Storage of a Password vulnerability"
}
GHSA-28J3-HPHH-CJR8
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:00Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.apica:ApicaLoadtest"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53665"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T21:28:21Z",
"nvd_published_at": "2025-07-09T16:15:25Z",
"severity": "MODERATE"
},
"details": "Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.\n\nThese tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-28j3-hphh-cjr8",
"modified": "2025-11-05T20:00:29Z",
"published": "2025-07-09T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53665"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/apica-loadtest-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3540"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Apica Loadtest Plugin vulnerability exposes authentication tokens"
}
GHSA-2F5G-M75X-XPHF
Vulnerability from github – Published: 2026-02-27 12:31 – Updated: 2026-03-02 18:31Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise This issue affects Frick Controls Quantum HD version 10.22 and prior.
{
"affected": [],
"aliases": [
"CVE-2026-21660"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-27T10:16:22Z",
"severity": "MODERATE"
},
"details": "Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior\u00a0lead to unauthorized access, exposure of sensitive information, and potential misuse or system compromise\nThis issue affects Frick Controls Quantum HD version 10.22 and prior.",
"id": "GHSA-2f5g-m75x-xphf",
"modified": "2026-03-02T18:31:41Z",
"published": "2026-02-27T12:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21660"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2G8W-9933-36VR
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:13Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:warrior"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53675"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T22:32:35Z",
"nvd_published_at": "2025-07-09T16:15:27Z",
"severity": "MODERATE"
},
"details": "Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.",
"id": "GHSA-2g8w-9933-36vr",
"modified": "2025-11-05T20:13:33Z",
"published": "2025-07-09T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53675"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/warrior-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3516"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Warrior Framework Plugin vulnerability exposes unencrypted passwords to certain authenticated users"
}
GHSA-2G9F-V599-7RV2
Vulnerability from github – Published: 2025-10-02 18:31 – Updated: 2025-10-09 21:31Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store a large number of sensitive credentials (database passwords, MySQL root password, SaaS keys, Portainer admin password, etc.) in cleartext files that are world-readable. Any local user - or any process that can read the host filesystem - can retrieve all of these secrets in plain text, leading to credential theft and full compromise of the appliance. The vendor does not consider this to be a security vulnerability as this product "follows a shared responsibility model, where administrators are expected to configure persistent storage encryption."
{
"affected": [],
"aliases": [
"CVE-2025-34210"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-02T17:16:05Z",
"severity": "CRITICAL"
},
"details": "Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store a large number of sensitive credentials (database passwords, MySQL root password, SaaS keys, Portainer admin password, etc.) in cleartext files that are world-readable. Any local user - or any process that can read the host filesystem - can retrieve all of these secrets in plain text, leading to credential theft and full compromise of the appliance. The vendor does not consider this to be a security vulnerability as this product \"follows a shared responsibility model, where administrators are expected to configure persistent storage encryption.\"",
"id": "GHSA-2g9f-v599-7rv2",
"modified": "2025-10-09T21:31:10Z",
"published": "2025-10-02T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34210"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/va/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html#va-readable-passwords"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/vasion-print-printerlogic-readble-cleartext-passwords"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2J3R-X6XC-QQQJ
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-09 19:46Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "RPD:bmc-rpd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2127"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-09T19:46:20Z",
"nvd_published_at": "2020-02-12T15:15:00Z",
"severity": "LOW"
},
"details": "Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. As of publication of this advisory, there is no fix.",
"id": "GHSA-2j3r-x6xc-qqqj",
"modified": "2023-01-09T19:46:20Z",
"published": "2022-05-24T17:08:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2127"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/bmc-rpd-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1547"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Credential stored in plain text by BMC Release Package and Deployment Plugin"
}
GHSA-2JCX-2M59-6CV8
Vulnerability from github – Published: 2026-04-10 12:31 – Updated: 2026-04-10 12:31A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction.
{
"affected": [],
"aliases": [
"CVE-2021-47961"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-10T10:16:03Z",
"severity": "HIGH"
},
"details": "A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user\u0027s PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction.",
"id": "GHSA-2jcx-2m59-6cv8",
"modified": "2026-04-10T12:31:44Z",
"published": "2026-04-10T12:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47961"
},
{
"type": "WEB",
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_26_05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.