CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-FGHJ-2J25-CQQP
Vulnerability from github – Published: 2024-06-03 21:30 – Updated: 2024-07-03 18:44Subiquity Shows Guided Storage Passphrase in Plaintext with Read-all Permissions
{
"affected": [],
"aliases": [
"CVE-2022-0555"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-03T19:15:09Z",
"severity": "HIGH"
},
"details": "Subiquity Shows Guided Storage Passphrase in Plaintext with Read-all Permissions",
"id": "GHSA-fghj-2j25-cqqp",
"modified": "2024-07-03T18:44:08Z",
"published": "2024-06-03T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0555"
},
{
"type": "WEB",
"url": "https://github.com/canonical/subiquity/pull/1181"
},
{
"type": "WEB",
"url": "https://github.com/canonical/subiquity/pull/1182"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/subiquity/+bug/1960162"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0555"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FHVJ-XR7H-8MMG
Vulnerability from github – Published: 2025-03-05 06:31 – Updated: 2025-11-03 21:33Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.862 Application 20.0.2014 allows Password Stored in Process List V-2023-011.
{
"affected": [],
"aliases": [
"CVE-2025-27656"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-05T06:15:37Z",
"severity": "CRITICAL"
},
"details": "Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.862 Application 20.0.2014 allows Password Stored in Process List V-2023-011.",
"id": "GHSA-fhvj-xr7h-8mmg",
"modified": "2025-11-03T21:33:06Z",
"published": "2025-03-05T06:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27656"
},
{
"type": "WEB",
"url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2025-04-08-vasion-printerlogic-83-vulnerabilities.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FMQ9-R4P2-8272
Vulnerability from github – Published: 2022-09-22 00:00 – Updated: 2023-06-27 20:52Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
This API token can be viewed by users with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:cons3rt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41255"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-06T00:39:13Z",
"nvd_published_at": "2022-09-21T16:15:00Z",
"severity": "LOW"
},
"details": "Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThis API token can be viewed by users with access to the Jenkins controller file system.",
"id": "GHSA-fmq9-r4p2-8272",
"modified": "2023-06-27T20:52:17Z",
"published": "2022-09-22T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41255"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/cons3rt-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2759"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/09/21/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "API token stored in plain text by Jenkins CONS3RT Plugin"
}
GHSA-FRQC-23QH-4RQ8
Vulnerability from github – Published: 2024-04-25 18:30 – Updated: 2024-04-25 18:30A flaw was found when using mirror-registry to install Quay. It uses a default database secret key, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same database secret key. This flaw allows a malicious actor to access sensitive information from Quay's database.
{
"affected": [],
"aliases": [
"CVE-2024-3623"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-25T18:15:09Z",
"severity": "HIGH"
},
"details": "A flaw was found when using mirror-registry to install Quay. It uses a default database secret key, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same database secret key. This flaw allows a malicious actor to access sensitive information from Quay\u0027s database.",
"id": "GHSA-frqc-23qh-4rq8",
"modified": "2024-04-25T18:30:40Z",
"published": "2024-04-25T18:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3623"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-3623"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274404"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G29V-5PWH-WXX4
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-06 16:39Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:jira-steps"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.165.v8846cf59f3db"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24439"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-27T01:00:15Z",
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "MODERATE"
},
"details": "Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.",
"id": "GHSA-g29v-5pwh-wxx4",
"modified": "2023-02-06T16:39:45Z",
"published": "2023-01-26T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24439"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2774"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Plaintext Storage of a Password in Jenkins JIRA Pipeline Steps Plugin"
}
GHSA-G2J8-J26J-56QH
Vulnerability from github – Published: 2026-05-29 18:31 – Updated: 2026-05-29 18:31Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Attackers can request the networkSetup.htm endpoint and extract plaintext username and password values from HTML form fields to gain administrative access to the thermostat.
{
"affected": [],
"aliases": [
"CVE-2018-25396"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-29T16:16:19Z",
"severity": "HIGH"
},
"details": "Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Attackers can request the networkSetup.htm endpoint and extract plaintext username and password values from HTML form fields to gain administrative access to the thermostat.",
"id": "GHSA-g2j8-j26j-56qh",
"modified": "2026-05-29T18:31:31Z",
"published": "2026-05-29T18:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25396"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45623"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/heatmiser-wifi-thermostat-credential-disclosure-via-networksetup-htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G5J9-P3RW-C77M
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2024-03-21 03:33** DISPUTED ** An issue was discovered in SMA Solar Technology products. Sniffed passwords from SMAdata2+ communication can be decrypted very easily. The passwords are "encrypted" using a very simple encryption algorithm. This enables an attacker to find the plaintext passwords and authenticate to the device. NOTE: the vendor reports that only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected.
{
"affected": [],
"aliases": [
"CVE-2017-9856"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-05T17:29:00Z",
"severity": "CRITICAL"
},
"details": "** DISPUTED ** An issue was discovered in SMA Solar Technology products. Sniffed passwords from SMAdata2+ communication can be decrypted very easily. The passwords are \"encrypted\" using a very simple encryption algorithm. This enables an attacker to find the plaintext passwords and authenticate to the device. NOTE: the vendor reports that only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected.",
"id": "GHSA-g5j9-p3rw-c77m",
"modified": "2024-03-21T03:33:21Z",
"published": "2022-05-13T01:48:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9856"
},
{
"type": "WEB",
"url": "https://horusscenario.com/CVE-information"
},
{
"type": "WEB",
"url": "http://www.sma.de/en/statement-on-cyber-security.html"
},
{
"type": "WEB",
"url": "http://www.sma.de/fileadmin/content/global/specials/documents/cyber-security/Whitepaper-Cyber-Security-AEN1732_07.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G772-Q552-GGR6
Vulnerability from github – Published: 2025-12-31 00:31 – Updated: 2025-12-31 00:31Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system's web server.
{
"affected": [],
"aliases": [
"CVE-2025-15113"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-30T23:15:49Z",
"severity": "HIGH"
},
"details": "Ksenia Security Lares 4.0 Home Automation version 1.6 contains an unprotected endpoint vulnerability that allows authenticated attackers to upload MPFS File System binary images. Attackers can exploit this vulnerability to overwrite flash program memory and potentially execute arbitrary code on the home automation system\u0027s web server.",
"id": "GHSA-g772-q552-ggr6",
"modified": "2025-12-31T00:31:11Z",
"published": "2025-12-31T00:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15113"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/190178"
},
{
"type": "WEB",
"url": "https://www.kseniasecurity.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/ksenia-security-lares-home-automation-remote-code-execution-via-mpfs-upload"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5930.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GC3F-WWWQ-J375
Vulnerability from github – Published: 2024-11-26 06:31 – Updated: 2024-11-26 06:31IBM Workload Scheduler 9.5, 10.1, and 10.2 stores user credentials in plain text which can be read by a local user.
{
"affected": [],
"aliases": [
"CVE-2024-49351"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T04:15:05Z",
"severity": "MODERATE"
},
"details": "IBM Workload Scheduler 9.5, 10.1, and 10.2 stores user credentials in plain text which can be read by a local user.",
"id": "GHSA-gc3f-wwwq-j375",
"modified": "2024-11-26T06:31:02Z",
"published": "2024-11-26T06:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49351"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7177061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GGMX-PQ89-7MCR
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-06-28 23:07Jenkins Configuration as Code Plugin prior to version 1.25 did not treat the proxy password as a secret to be masked when logging or encrypted for export.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.jenkins:configuration-as-code"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10345"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-28T23:07:38Z",
"nvd_published_at": "2019-07-31T13:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Configuration as Code Plugin prior to version 1.25 did not treat the proxy password as a secret to be masked when logging or encrypted for export.",
"id": "GHSA-ggmx-pq89-7mcr",
"modified": "2022-06-28T23:07:38Z",
"published": "2022-05-24T16:51:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10345"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/configuration-as-code-plugin/commit/73afe3cb10a723cb06e29c2e5499206aadae3a0d"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/configuration-as-code-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1303"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/07/31/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Plaintext Storage of a Password in Jenkins Configuration as Code Plugin"
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.