CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-34C4-3WV9-23CH
Vulnerability from github – Published: 2024-05-08 18:30 – Updated: 2024-05-08 18:30Dell Update Manager Plugin, versions 1.4.0 through 1.5.0, contains a Plain-text Password Storage Vulnerability in Log file. A remote high privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
{
"affected": [],
"aliases": [
"CVE-2024-28971"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-08T16:15:08Z",
"severity": "LOW"
},
"details": "Dell Update Manager Plugin, versions 1.4.0 through 1.5.0, contains a Plain-text Password Storage Vulnerability in Log file. A remote high privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.",
"id": "GHSA-34c4-3wv9-23ch",
"modified": "2024-05-08T18:30:49Z",
"published": "2024-05-08T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28971"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000224849/dsa-2024-209-security-update-for-dell-update-manager-plugin-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-352V-HHMH-2W8H
Vulnerability from github – Published: 2023-05-16 18:30 – Updated: 2023-05-17 03:39Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.
Code Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:codedx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2633"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-17T03:39:07Z",
"nvd_published_at": "2023-05-16T18:15:17Z",
"severity": "MODERATE"
},
"details": "Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.\n\nCode Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.",
"id": "GHSA-352v-hhmh-2w8h",
"modified": "2023-05-17T03:39:07Z",
"published": "2023-05-16T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2633"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/codedx-plugin/commit/a971a75da3eaf0ab5344c2b60942e7c8809ec913"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Code Dx Plugin displays API keys in plain text"
}
GHSA-35RX-7PC8-6963
Vulnerability from github – Published: 2022-10-19 19:00 – Updated: 2023-10-02 19:41Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Katalon Plugin 1.0.33 no longer stores the API keys directly, instead accessing them through its Credentials Plugin integration, once affected job configurations are saved again.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:katalon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-43419"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-19T20:27:38Z",
"nvd_published_at": "2022-10-19T16:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nKatalon Plugin 1.0.33 no longer stores the API keys directly, instead accessing them through its [Credentials Plugin](https://plugins.jenkins.io/credentials) integration, once affected job configurations are saved again.",
"id": "GHSA-35rx-7pc8-6963",
"modified": "2023-10-02T19:41:02Z",
"published": "2022-10-19T19:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43419"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/katalon-plugin/pull/28"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/katalon-plugin/commit/64f819387f3f14d54f3a1542578a5c7aa9feb85c"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/katalon-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2846"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/10/19/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "API keys stored in plain text by Jenkins Katalon Plugin"
}
GHSA-36J4-JJHR-3M5R
Vulnerability from github – Published: 2024-09-10 06:30 – Updated: 2024-09-10 06:30SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data.
{
"affected": [],
"aliases": [
"CVE-2024-45283"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T05:15:12Z",
"severity": "MODERATE"
},
"details": "SAP NetWeaver AS for Java allows an authorized attacker to obtain sensitive information. The attacker could obtain the username and password when creating an RFC destination. After successful exploitation, an attacker can read the sensitive information but cannot modify or delete the data.",
"id": "GHSA-36j4-jjhr-3m5r",
"modified": "2024-09-10T06:30:48Z",
"published": "2024-09-10T06:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45283"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3477359"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-36J8-F33J-VJWQ
Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-12-09 16:45hpe-network-virtualization Plugin 1.0 stores passwords unencrypted in its global configuration file org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml on the Jenkins controller as part of its configuration.
These passwords can be viewed by users with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:hpe-network-virtualization"
},
"versions": [
"1.0"
]
}
],
"aliases": [
"CVE-2022-34816"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-09T16:45:25Z",
"nvd_published_at": "2022-06-30T18:15:00Z",
"severity": "LOW"
},
"details": "hpe-network-virtualization Plugin 1.0 stores passwords unencrypted in its global configuration file `org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml` on the Jenkins controller as part of its configuration.\n\nThese passwords can be viewed by users with access to the Jenkins controller file system.",
"id": "GHSA-36j8-f33j-vjwq",
"modified": "2022-12-09T16:45:25Z",
"published": "2022-07-01T00:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34816"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/hpe-network-virtualization-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2080"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Passwords stored in plain text by Jenkins hpe-network-virtualization plugin"
}
GHSA-37X4-RHQ4-F92V
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log into the SmartServer web user interface.
{
"affected": [],
"aliases": [
"CVE-2018-8851"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-24T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log into the SmartServer web user interface.",
"id": "GHSA-37x4-rhq4-f92v",
"modified": "2022-05-13T01:31:47Z",
"published": "2022-05-13T01:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8851"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-200-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-39F6-9C52-27P8
Vulnerability from github – Published: 2024-02-07 18:30 – Updated: 2025-11-04 00:30IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657.
{
"affected": [],
"aliases": [
"CVE-2023-31002"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-07T17:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657.",
"id": "GHSA-39f6-9c52-27p8",
"modified": "2025-11-04T00:30:45Z",
"published": "2024-02-07T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31002"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254657"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7106586"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3C82-PV2C-M48J
Vulnerability from github – Published: 2025-05-30 15:30 – Updated: 2025-05-30 15:30A vulnerability exists in the SOAP Web services of the Asset Suite versions listed below. If successfully exploited, an attacker could gain unauthorized access to the product and the time window of a possible password attack could be expanded.
{
"affected": [],
"aliases": [
"CVE-2025-2500"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-30T13:15:22Z",
"severity": "CRITICAL"
},
"details": "A vulnerability exists in the SOAP Web services of the Asset \nSuite versions listed below. If successfully exploited, an attacker \ncould gain unauthorized access to the product and the time window of a possible password attack could be expanded.",
"id": "GHSA-3c82-pv2c-m48j",
"modified": "2025-05-30T15:30:30Z",
"published": "2025-05-30T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2500"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000212\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3CG6-XV3H-2WJ2
Vulnerability from github – Published: 2024-05-31 18:31 – Updated: 2024-07-03 18:43An issue in Debezium Community debezium-ui v.2.5 allows a local attacker to execute arbitrary code via the refresh page function.
{
"affected": [],
"aliases": [
"CVE-2024-28736"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-31T16:15:09Z",
"severity": "HIGH"
},
"details": "An issue in Debezium Community debezium-ui v.2.5 allows a local attacker to execute arbitrary code via the refresh page function.",
"id": "GHSA-3cg6-xv3h-2wj2",
"modified": "2024-07-03T18:43:56Z",
"published": "2024-05-31T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28736"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/178794/Debezium-UI-2.5-Credential-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3M8H-GCJC-3M58
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2024-04-04 03:05A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications.
{
"affected": [],
"aliases": [
"CVE-2021-25358"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-276"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-09T18:15:00Z",
"severity": "LOW"
},
"details": "A vulnerability that stores IMSI values in an improper path prior to SMR APR-2021 Release 1 allows local attackers to access IMSI values without any permission via untrusted applications.",
"id": "GHSA-3m8h-gcjc-3m58",
"modified": "2024-04-04T03:05:58Z",
"published": "2022-05-24T17:46:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25358"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.