CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-884F-P57J-F258
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 19:59Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These credentials can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:soapui-pro-functional-testing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53656"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T21:08:00Z",
"nvd_published_at": "2025-07-09T16:15:25Z",
"severity": "MODERATE"
},
"details": "Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese credentials can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-884f-p57j-f258",
"modified": "2025-11-05T19:59:34Z",
"published": "2025-07-09T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53656"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/soapui-pro-functional-testing-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3556"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins ReadyAPI Functional Testing Plugin vulnerability stores unencrypted authentication credentials"
}
GHSA-8F5F-WP2V-WG57
Vulnerability from github – Published: 2025-07-16 18:32 – Updated: 2025-07-16 18:32LITEON IC48A firmware versions prior to 01.00.19r and LITEON IC80A firmware versions prior to 01.01.12e store FTP-server-access-credentials in cleartext in their system logs.
{
"affected": [],
"aliases": [
"CVE-2025-7357"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-16T16:15:29Z",
"severity": "HIGH"
},
"details": "LITEON IC48A firmware versions prior to 01.00.19r and LITEON IC80A firmware versions prior to 01.01.12e store FTP-server-access-credentials in cleartext in their system logs.",
"id": "GHSA-8f5f-wp2v-wg57",
"modified": "2025-07-16T18:32:38Z",
"published": "2025-07-16T18:32:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7357"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-196-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8G6V-G8QC-5W7J
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-09 19:42Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1"
},
"package": {
"ecosystem": "Maven",
"name": "com.dubture.jenkins:digitalocean-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2126"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-09T19:42:06Z",
"nvd_published_at": "2020-02-12T15:15:00Z",
"severity": "LOW"
},
"details": "Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.",
"id": "GHSA-8g6v-g8qc-5w7j",
"modified": "2023-01-09T19:42:06Z",
"published": "2022-05-24T17:08:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2126"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/digitalocean-plugin/commit/ca1112c5c52a842c6340401f02f536fc07c6620a"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/digitalocean-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1559"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Token stored in plain text by DigitalOcean Plugin"
}
GHSA-8G9W-5JV6-7M4X
Vulnerability from github – Published: 2022-03-16 00:00 – Updated: 2022-11-30 18:45Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.incapptic.plugins:incapptic-connect-uploader"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-27218"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-30T18:45:18Z",
"nvd_published_at": "2022-03-15T17:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
"id": "GHSA-8g9w-5jv6-7m4x",
"modified": "2022-11-30T18:45:18Z",
"published": "2022-03-16T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27218"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/incapptic-connect-uploader-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Personal tokens stored in plain text by Jenkins incapptic connect uploader Plugin"
}
GHSA-8GP3-M447-GW2V
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:13Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:vaddy-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53669"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T21:46:57Z",
"nvd_published_at": "2025-07-09T16:15:26Z",
"severity": "MODERATE"
},
"details": "Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.",
"id": "GHSA-8gp3-m447-gw2v",
"modified": "2025-11-05T20:13:09Z",
"published": "2025-07-09T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53669"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/vaddy-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3527"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins VAddy Plugin vulnerability exposes plaintext keys on its job configuration form"
}
GHSA-8MJ3-MJ87-CF2H
Vulnerability from github – Published: 2024-01-25 15:31 – Updated: 2024-01-25 15:31Networker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. User has low privilege access to Networker Client system could potentially exploit this vulnerability, leading to the disclosure of configured MySQL Database user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application Database with privileges of the compromised account.
{
"affected": [],
"aliases": [
"CVE-2024-22432"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-25T15:15:07Z",
"severity": "HIGH"
},
"details": "\nNetworker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. User has low privilege access to Networker Client system could potentially exploit this vulnerability, leading to the disclosure of configured MySQL Database user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application Database with privileges of the compromised account.\n\n",
"id": "GHSA-8mj3-mj87-cf2h",
"modified": "2024-01-25T15:31:53Z",
"published": "2024-01-25T15:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22432"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000221474/dsa-2024-059-security-update-for-dell-networker-multiple-components-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8PM7-8J9R-GR39
Vulnerability from github – Published: 2024-08-13 09:30 – Updated: 2024-08-13 09:30A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA1) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA1) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA1) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA1) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA1) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA1) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA1) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA1) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA1) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA1) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA1) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA1) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA1) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA1) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA1) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA1) (All versions). Affected devices store user passwords in plaintext without proper protection. This could allow a physical attacker to retrieve them from the embedded storage ICs.
{
"affected": [],
"aliases": [
"CVE-2024-39922"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T08:15:11Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA1) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA1) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA1) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA1) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA1) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA1) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA1) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA1) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA1) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA1) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA1) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA1) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA1) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA1) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA1) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA1) (All versions). Affected devices store user passwords in plaintext without proper protection. This could allow a physical attacker to retrieve them from the embedded storage ICs.",
"id": "GHSA-8pm7-8j9r-gr39",
"modified": "2024-08-13T09:30:52Z",
"published": "2024-08-13T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39922"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-921449.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8X2H-C9MX-CX2J
Vulnerability from github – Published: 2024-09-26 15:30 – Updated: 2024-09-26 15:30IBM Cognos Command Center 10.2.4.1 and 10.2.5 could disclose highly sensitive user information to an authenticated user with physical access to the device.
{
"affected": [],
"aliases": [
"CVE-2024-31899"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T14:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Cognos Command Center 10.2.4.1 and 10.2.5 could disclose highly sensitive user information to an authenticated user with physical access to the device.",
"id": "GHSA-8x2h-c9mx-cx2j",
"modified": "2024-09-26T15:30:43Z",
"published": "2024-09-26T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31899"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7149734"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9387-XRFR-3WFR
Vulnerability from github – Published: 2024-09-18 18:30 – Updated: 2024-09-19 03:30Victure PC420 1.1.39 was discovered to contain a hardcoded root password which is stored in plaintext.
{
"affected": [],
"aliases": [
"CVE-2023-41610"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T18:15:05Z",
"severity": "HIGH"
},
"details": "Victure PC420 1.1.39 was discovered to contain a hardcoded root password which is stored in plaintext.",
"id": "GHSA-9387-xrfr-3wfr",
"modified": "2024-09-19T03:30:31Z",
"published": "2024-09-18T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41610"
},
{
"type": "WEB",
"url": "https://www.trevorkems.com/operation-big-brother-iot-camera"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-95F8-WGWF-V4MC
Vulnerability from github – Published: 2023-09-15 21:30 – Updated: 2024-04-04 07:42A flaw was found in OpenStack. Multiple components show plain-text passwords in /var/log/messages during the OpenStack overcloud update run, leading to a disclosure of sensitive information problem.
{
"affected": [],
"aliases": [
"CVE-2022-3261"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-15T21:15:08Z",
"severity": "HIGH"
},
"details": "A flaw was found in OpenStack. Multiple components show plain-text passwords in /var/log/messages during the OpenStack overcloud update run, leading to a disclosure of sensitive information problem.",
"id": "GHSA-95f8-wgwf-v4mc",
"modified": "2024-04-04T07:42:34Z",
"published": "2023-09-15T21:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3261"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-3261"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128834"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.