CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-656G-HF8V-X2RW
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-12-29 00:33Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:slack-uploader"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2208"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-29T00:33:11Z",
"nvd_published_at": "2020-07-02T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job `config.xml` files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.",
"id": "GHSA-656g-hf8v-x2rw",
"modified": "2022-12-29T00:33:11Z",
"published": "2022-05-24T17:22:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2208"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/slack-uploader-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1627"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/07/02/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Secret stored in plain text by Jenkins Slack Upload Plugin"
}
GHSA-6793-GMP9-2535
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-05 21:39Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.catalogic.ecxjenkins:catalogic-ecx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2128"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-05T21:39:10Z",
"nvd_published_at": "2020-02-12T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.",
"id": "GHSA-6793-gmp9-2535",
"modified": "2023-01-05T21:39:10Z",
"published": "2022-05-24T17:08:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2128"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/catalogic-ecx-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1549"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Password stored in plain text by ECX Copy Data Management Plugin"
}
GHSA-683F-HCW3-5VGR
Vulnerability from github – Published: 2023-10-12 15:31 – Updated: 2024-04-04 08:35SnapGathers versions prior to 4.9 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext domain user credentials
{
"affected": [],
"aliases": [
"CVE-2023-27315"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-12T14:15:10Z",
"severity": "MODERATE"
},
"details": "SnapGathers versions prior to 4.9 are susceptible to a vulnerability \nwhich could allow a local authenticated attacker to discover plaintext \ndomain user credentials",
"id": "GHSA-683f-hcw3-5vgr",
"modified": "2024-04-04T08:35:35Z",
"published": "2023-10-12T15:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27315"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231009-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6G92-JHV6-7WCP
Vulnerability from github – Published: 2025-03-05 06:31 – Updated: 2025-03-05 18:32Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Password in URL OVE-20230524-0005.
{
"affected": [],
"aliases": [
"CVE-2025-27662"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-05T06:15:38Z",
"severity": "CRITICAL"
},
"details": "Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Password in URL OVE-20230524-0005.",
"id": "GHSA-6g92-jhv6-7wcp",
"modified": "2025-03-05T18:32:08Z",
"published": "2025-03-05T06:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27662"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HQV-2JJV-PJCR
Vulnerability from github – Published: 2024-04-26 21:31 – Updated: 2024-07-03 18:37Asus RT-N12+ B1 router stores credentials in cleartext, which could allow local attackers to obtain unauthorized access and modify router settings.
{
"affected": [],
"aliases": [
"CVE-2024-28325"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-26T19:15:47Z",
"severity": "MODERATE"
},
"details": "Asus RT-N12+ B1 router stores credentials in cleartext, which could allow local attackers to obtain unauthorized access and modify router settings.",
"id": "GHSA-6hqv-2jjv-pjcr",
"modified": "2024-07-03T18:37:06Z",
"published": "2024-04-26T21:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28325"
},
{
"type": "WEB",
"url": "https://github.com/ShravanSinghRathore/ASUS-RT-N300-B1/wiki/Credentials-Stored-in-Cleartext-CVE%E2%80%902024%E2%80%9028325"
},
{
"type": "WEB",
"url": "http://asus.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6HW7-X86V-WRGF
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-02 17:31Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:view-cloner"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24450"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-27T01:28:47Z",
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "MODERATE"
},
"details": "Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
"id": "GHSA-6hw7-x86v-wrgf",
"modified": "2023-02-02T17:31:58Z",
"published": "2023-01-26T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24450"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/view-cloner-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2787"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Passwords stored in plain text by Jenkins view-cloner Plugin "
}
GHSA-6MQ5-FG4V-Q2MG
Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-11-01 15:33EisBaer Scada - CWE-256: Plaintext Storage of a Password
{
"affected": [],
"aliases": [
"CVE-2023-42493"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-25T18:17:31Z",
"severity": "CRITICAL"
},
"details": " EisBaer Scada - CWE-256: Plaintext Storage of a Password",
"id": "GHSA-6mq5-fg4v-q2mg",
"modified": "2023-11-01T15:33:29Z",
"published": "2023-10-25T18:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42493"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6P5V-Q973-HX46
Vulnerability from github – Published: 2023-09-18 21:30 – Updated: 2024-03-21 03:35** UNSUPPPORTED WHEN ASSIGNED **
The web application that owns the device clearly stores the credentials within the user management section. Obtaining this information can be done remotely due to the incorrect management of the sessions in the web application.
{
"affected": [],
"aliases": [
"CVE-2023-39452"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-18T21:16:04Z",
"severity": "HIGH"
},
"details": "** UNSUPPPORTED WHEN ASSIGNED ** \n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThe web application that owns the device clearly stores the credentials within the user management section. Obtaining this information can be done remotely due to the incorrect management of the sessions in the web application.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n",
"id": "GHSA-6p5v-q973-hx46",
"modified": "2024-03-21T03:35:47Z",
"published": "2023-09-18T21:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39452"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6PQM-PP65-MC26
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2023-07-05 19:58Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "net.arangamani.jenkins:gem-publisher"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10426"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-09T23:07:59Z",
"nvd_published_at": "2019-09-25T16:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
"id": "GHSA-6pqm-pp65-mc26",
"modified": "2023-07-05T19:58:04Z",
"published": "2022-05-24T22:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10426"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/gem-publisher-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1573"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Gem Publisher Plugin stores credentials as plaintext"
}
GHSA-6QJV-W5W3-XFR7
Vulnerability from github – Published: 2024-02-10 18:30 – Updated: 2024-02-10 18:30IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748.
{
"affected": [],
"aliases": [
"CVE-2024-22312"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-10T16:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748.",
"id": "GHSA-6qjv-w5w3-xfr7",
"modified": "2024-02-10T18:30:34Z",
"published": "2024-02-10T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22312"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/278748"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7115261"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.