CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-WCJJ-QM5V-J4PC
Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2025-04-30 20:25Jenkins Reverse Proxy Auth Plugin versions 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:reverse-proxy-auth-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.3"
},
{
"fixed": "1.7.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-45384"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-21T22:22:01Z",
"nvd_published_at": "2022-11-15T20:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Reverse Proxy Auth Plugin versions 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.",
"id": "GHSA-wcjj-qm5v-j4pc",
"modified": "2025-04-30T20:25:23Z",
"published": "2022-11-16T12:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45384"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/reverse-proxy-auth-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2094"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Reverse Proxy Auth Plugin vulnerable due to plaintext storage of passwords"
}
GHSA-WCJQ-XFXV-X7MX
Vulnerability from github – Published: 2026-06-04 15:30 – Updated: 2026-06-08 15:32GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface.
{
"affected": [],
"aliases": [
"CVE-2026-36174"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T15:16:51Z",
"severity": "MODERATE"
},
"details": "GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface.",
"id": "GHSA-wcjq-xfxv-x7mx",
"modified": "2026-06-08T15:32:42Z",
"published": "2026-06-04T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-36174"
},
{
"type": "WEB",
"url": "https://github.com/BadChemical/IoT-Vulnerability-Research-Public/blob/main/GNCC-GP5-T23/README.md"
},
{
"type": "WEB",
"url": "http://gncc.com"
},
{
"type": "WEB",
"url": "http://gp5.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WJ85-RG5G-V8JM
Vulnerability from github – Published: 2024-05-30 18:15 – Updated: 2024-05-30 18:15It has been discovered that login failures have been logged on the default stream with log level "warning" including plain-text user credentials.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-30T18:15:08Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "It has been discovered that login failures have been logged on the default stream with log level \"warning\" including plain-text user credentials.",
"id": "GHSA-wj85-rg5g-v8jm",
"modified": "2024-05-30T18:15:08Z",
"published": "2024-05-30T18:15:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3-CMS/core/commit/ac0565b7a539398a07adf21f04f85cd2574817d2"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-05-07-5.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3-CMS/core"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2019-010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "TYPO3 Information Disclosure in User Authentication"
}
GHSA-WMP3-7QC8-4X9F
Vulnerability from github – Published: 2023-03-03 06:30 – Updated: 2023-03-14 18:30Plaintext Storage of a Password vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U(C) CPU modules all models all versions, FX5UJ CPU modules all models all versions, FX5S CPU modules all models all versions, FX5-ENET all versions and FX5-ENET/IP all versions allows a remote unauthenticated attacker to disclose plaintext credentials stored in project files and login into FTP server or Web server.
{
"affected": [],
"aliases": [
"CVE-2023-0457"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-03T05:15:00Z",
"severity": "HIGH"
},
"details": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U(C) CPU modules all models all versions, FX5UJ CPU modules all models all versions, FX5S CPU modules all models all versions, FX5-ENET all versions and FX5-ENET/IP all versions allows a remote unauthenticated attacker to disclose plaintext credentials stored in project files and login into FTP server or Web server.",
"id": "GHSA-wmp3-7qc8-4x9f",
"modified": "2023-03-14T18:30:26Z",
"published": "2023-03-03T06:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0457"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU93891523/index.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-061-01"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-023_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WPHQ-J78P-FHGP
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-21 00:21Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.
Parameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted once its configuration is saved again.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:Parameterized-Remote-Trigger"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2239"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-311"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-21T00:21:31Z",
"nvd_published_at": "2020-09-01T14:15:00Z",
"severity": "LOW"
},
"details": "Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file `org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml` on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.\n\nParameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted once its configuration is saved again.",
"id": "GHSA-wphq-j78p-fhgp",
"modified": "2022-12-21T00:21:31Z",
"published": "2022-05-24T17:27:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2239"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/parameterized-remote-trigger-plugin/commit/2902ef5ea6eb077f43fd25c880e4920faea4e828"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/parameterized-remote-trigger-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1625"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Secret stored in plain text by Jenkins Parameterized Remote Trigger Plugin"
}
GHSA-WVH7-5P38-2QFC
Vulnerability from github – Published: 2020-07-23 18:20 – Updated: 2021-09-22 21:05The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."
Example Code:
async () => {
const user = Parse.User.current()
if (user) {
user.setPassword('newpass')
await user.save()
}
}
After running the above code, the new password will be stored in localStorage as a property named "password".
Proposed Solution: Before saving anything to localStorage, Parse should strip out any properties named "password" that are attempting to be stored with a Parse.User type object.
Configuration: Parse SDK: 2.9.1 Parse Server: 3.9.0
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-23T18:18:24Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The `setPassword` method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user\u0027s password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users \u003e Signing Up, it clearly states, \"We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext.\"\n\nExample Code:\n```js\nasync () =\u003e {\n const user = Parse.User.current()\n if (user) {\n user.setPassword(\u0027newpass\u0027)\n await user.save()\n }\n}\n```\nAfter running the above code, the new password will be stored in localStorage as a property named \"password\".\n\nProposed Solution:\nBefore saving anything to localStorage, Parse should strip out any properties named \"password\" that are attempting to be stored with a Parse.User type object.\n\nConfiguration:\nParse SDK: 2.9.1\nParse Server: 3.9.0",
"id": "GHSA-wvh7-5p38-2qfc",
"modified": "2021-09-22T21:05:43Z",
"published": "2020-07-23T18:20:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-wvh7-5p38-2qfc"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/Parse-SDK-JS/commit/d1106174571b699f972929dd7cbb8e45b5283cbb"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/Parse-SDK-JS"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Storing Password in Local Storage"
}
GHSA-WXMC-RHR3-HX2W
Vulnerability from github – Published: 2026-06-11 18:31 – Updated: 2026-06-11 18:31IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plain text which can be read by a local privileged user.
{
"affected": [],
"aliases": [
"CVE-2024-45636"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-11T16:16:21Z",
"severity": "MODERATE"
},
"details": "IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plain text which can be read by a local privileged user.",
"id": "GHSA-wxmc-rhr3-hx2w",
"modified": "2026-06-11T18:31:34Z",
"published": "2026-06-11T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45636"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7274828"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2W2-5552-FJV6
Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2023-10-30 21:17NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These passwords can be viewed by attackers with Item/Extended Read permission or access to the Jenkins controller file system.
NS-ND Integration Performance Publisher Plugin 4.8.0.146 stores passwords encrypted once job configurations are saved again.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.8.0.143"
},
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:cavisson-ns-nd-integration"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.8.0.146"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-45392"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-21T22:23:56Z",
"nvd_published_at": "2022-11-15T20:15:00Z",
"severity": "MODERATE"
},
"details": "NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese passwords can be viewed by attackers with Item/Extended Read permission or access to the Jenkins controller file system.\n\nNS-ND Integration Performance Publisher Plugin 4.8.0.146 stores passwords encrypted once job configurations are saved again.",
"id": "GHSA-x2w2-5552-fjv6",
"modified": "2023-10-30T21:17:20Z",
"published": "2022-11-16T12:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45392"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/cavisson-ns-nd-integration-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2912"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Plaintext Storage of a Password in Jenkins NS-ND Integration Performance Publisher Plugin"
}
GHSA-X784-RW8J-Q6W6
Vulnerability from github – Published: 2023-09-20 09:30 – Updated: 2024-03-21 03:35** UNSUPPPORTED WHEN ASSIGNED ** The web application stores credentials in clear text in the "admin.xml" file, which can be accessed without logging into the website, which could allow an attacker to obtain credentials related to all users, including admin users, in clear text, and use them to subsequently execute malicious actions.
{
"affected": [],
"aliases": [
"CVE-2022-47561"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-20T08:15:15Z",
"severity": "MODERATE"
},
"details": "** UNSUPPPORTED WHEN ASSIGNED ** The web application stores credentials in clear text in the \"admin.xml\" file, which can be accessed without logging into the website, which could allow an attacker to obtain credentials related to all users, including admin users, in clear text, and use them to subsequently execute malicious actions.",
"id": "GHSA-x784-rw8j-q6w6",
"modified": "2024-03-21T03:35:47Z",
"published": "2023-09-20T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47561"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XCP5-J5FJ-3XP6
Vulnerability from github – Published: 2022-06-24 00:00 – Updated: 2022-12-05 21:52EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file EasyQAPluginProperties.xml on the Jenkins controller as part of its configuration.
These passwords can be viewed by users with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.geteasyqa:easyqa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-34202"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-05T22:55:55Z",
"nvd_published_at": "2022-06-23T17:15:00Z",
"severity": "LOW"
},
"details": "EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file `EasyQAPluginProperties.xml` on the Jenkins controller as part of its configuration.\n\nThese passwords can be viewed by users with access to the Jenkins controller file system.",
"id": "GHSA-xcp5-j5fj-3xp6",
"modified": "2022-12-05T21:52:48Z",
"published": "2022-06-24T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34202"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/easyqa-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2066"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "User passwords stored in plain text by Jenkins EasyQA Plugin"
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.