Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

397 vulnerabilities reference this CWE, most recent first.

GHSA-WCJJ-QM5V-J4PC

Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2025-04-30 20:25
VLAI
Summary
Jenkins Reverse Proxy Auth Plugin vulnerable due to plaintext storage of passwords
Details

Jenkins Reverse Proxy Auth Plugin versions 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:reverse-proxy-auth-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.3"
            },
            {
              "fixed": "1.7.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-45384"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-21T22:22:01Z",
    "nvd_published_at": "2022-11-15T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Reverse Proxy Auth Plugin versions 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.",
  "id": "GHSA-wcjj-qm5v-j4pc",
  "modified": "2025-04-30T20:25:23Z",
  "published": "2022-11-16T12:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45384"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/reverse-proxy-auth-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2094"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Reverse Proxy Auth Plugin vulnerable due to plaintext storage of passwords"
}

GHSA-WCJQ-XFXV-X7MX

Vulnerability from github – Published: 2026-06-04 15:30 – Updated: 2026-06-08 15:32
VLAI
Details

GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-36174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T15:16:51Z",
    "severity": "MODERATE"
  },
  "details": "GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface.",
  "id": "GHSA-wcjq-xfxv-x7mx",
  "modified": "2026-06-08T15:32:42Z",
  "published": "2026-06-04T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-36174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BadChemical/IoT-Vulnerability-Research-Public/blob/main/GNCC-GP5-T23/README.md"
    },
    {
      "type": "WEB",
      "url": "http://gncc.com"
    },
    {
      "type": "WEB",
      "url": "http://gp5.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WJ85-RG5G-V8JM

Vulnerability from github – Published: 2024-05-30 18:15 – Updated: 2024-05-30 18:15
VLAI
Summary
TYPO3 Information Disclosure in User Authentication
Details

It has been discovered that login failures have been logged on the default stream with log level "warning" including plain-text user credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-30T18:15:08Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "It has been discovered that login failures have been logged on the default stream with log level \"warning\" including plain-text user credentials.",
  "id": "GHSA-wj85-rg5g-v8jm",
  "modified": "2024-05-30T18:15:08Z",
  "published": "2024-05-30T18:15:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3-CMS/core/commit/ac0565b7a539398a07adf21f04f85cd2574817d2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-05-07-5.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3-CMS/core"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2019-010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TYPO3 Information Disclosure in User Authentication"
}

GHSA-WMP3-7QC8-4X9F

Vulnerability from github – Published: 2023-03-03 06:30 – Updated: 2023-03-14 18:30
VLAI
Details

Plaintext Storage of a Password vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U(C) CPU modules all models all versions, FX5UJ CPU modules all models all versions, FX5S CPU modules all models all versions, FX5-ENET all versions and FX5-ENET/IP all versions allows a remote unauthenticated attacker to disclose plaintext credentials stored in project files and login into FTP server or Web server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-03T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U(C) CPU modules all models all versions, FX5UJ CPU modules all models all versions, FX5S CPU modules all models all versions, FX5-ENET all versions and FX5-ENET/IP all versions allows a remote unauthenticated attacker to disclose plaintext credentials stored in project files and login into FTP server or Web server.",
  "id": "GHSA-wmp3-7qc8-4x9f",
  "modified": "2023-03-14T18:30:26Z",
  "published": "2023-03-03T06:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0457"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU93891523/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-061-01"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-023_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WPHQ-J78P-FHGP

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-21 00:21
VLAI
Summary
Secret stored in plain text by Jenkins Parameterized Remote Trigger Plugin
Details

Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.

Parameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted once its configuration is saved again.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:Parameterized-Remote-Trigger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-311"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-21T00:21:31Z",
    "nvd_published_at": "2020-09-01T14:15:00Z",
    "severity": "LOW"
  },
  "details": "Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file `org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml` on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.\n\nParameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted once its configuration is saved again.",
  "id": "GHSA-wphq-j78p-fhgp",
  "modified": "2022-12-21T00:21:31Z",
  "published": "2022-05-24T17:27:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2239"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/parameterized-remote-trigger-plugin/commit/2902ef5ea6eb077f43fd25c880e4920faea4e828"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/parameterized-remote-trigger-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1625"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Secret stored in plain text by Jenkins Parameterized Remote Trigger Plugin"
}

GHSA-WVH7-5P38-2QFC

Vulnerability from github – Published: 2020-07-23 18:20 – Updated: 2021-09-22 21:05
VLAI
Summary
Storing Password in Local Storage
Details

The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."

Example Code:

async () => {
    const user = Parse.User.current()
    if (user) {
        user.setPassword('newpass')
        await user.save()
    }
}

After running the above code, the new password will be stored in localStorage as a property named "password".

Proposed Solution: Before saving anything to localStorage, Parse should strip out any properties named "password" that are attempting to be stored with a Parse.User type object.

Configuration: Parse SDK: 2.9.1 Parse Server: 3.9.0

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-23T18:18:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "The `setPassword` method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user\u0027s password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users \u003e Signing Up, it clearly states, \"We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext.\"\n\nExample Code:\n```js\nasync () =\u003e {\n    const user = Parse.User.current()\n    if (user) {\n        user.setPassword(\u0027newpass\u0027)\n        await user.save()\n    }\n}\n```\nAfter running the above code, the new password will be stored in localStorage as a property named \"password\".\n\nProposed Solution:\nBefore saving anything to localStorage, Parse should strip out any properties named \"password\" that are attempting to be stored with a Parse.User type object.\n\nConfiguration:\nParse SDK: 2.9.1\nParse Server: 3.9.0",
  "id": "GHSA-wvh7-5p38-2qfc",
  "modified": "2021-09-22T21:05:43Z",
  "published": "2020-07-23T18:20:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/Parse-SDK-JS/security/advisories/GHSA-wvh7-5p38-2qfc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/Parse-SDK-JS/commit/d1106174571b699f972929dd7cbb8e45b5283cbb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/Parse-SDK-JS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Storing Password in Local Storage"
}

GHSA-WXMC-RHR3-HX2W

Vulnerability from github – Published: 2026-06-11 18:31 – Updated: 2026-06-11 18:31
VLAI
Details

IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plain text which can be read by a local privileged user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-11T16:16:21Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plain text which can be read by a local privileged user.",
  "id": "GHSA-wxmc-rhr3-hx2w",
  "modified": "2026-06-11T18:31:34Z",
  "published": "2026-06-11T18:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45636"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7274828"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X2W2-5552-FJV6

Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2023-10-30 21:17
VLAI
Summary
Plaintext Storage of a Password in Jenkins NS-ND Integration Performance Publisher Plugin
Details

NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by attackers with Item/Extended Read permission or access to the Jenkins controller file system.

NS-ND Integration Performance Publisher Plugin 4.8.0.146 stores passwords encrypted once job configurations are saved again.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.8.0.143"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.plugins:cavisson-ns-nd-integration"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.8.0.146"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-45392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-21T22:23:56Z",
    "nvd_published_at": "2022-11-15T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese passwords can be viewed by attackers with Item/Extended Read permission or access to the Jenkins controller file system.\n\nNS-ND Integration Performance Publisher Plugin 4.8.0.146 stores passwords encrypted once job configurations are saved again.",
  "id": "GHSA-x2w2-5552-fjv6",
  "modified": "2023-10-30T21:17:20Z",
  "published": "2022-11-16T12:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45392"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/cavisson-ns-nd-integration-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2912"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Plaintext Storage of a Password in Jenkins NS-ND Integration Performance Publisher Plugin"
}

GHSA-X784-RW8J-Q6W6

Vulnerability from github – Published: 2023-09-20 09:30 – Updated: 2024-03-21 03:35
VLAI
Details

** UNSUPPPORTED WHEN ASSIGNED ** The web application stores credentials in clear text in the "admin.xml" file, which can be accessed without logging into the website, which could allow an attacker to obtain credentials related to all users, including admin users, in clear text, and use them to subsequently execute malicious actions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47561"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-20T08:15:15Z",
    "severity": "MODERATE"
  },
  "details": "** UNSUPPPORTED WHEN ASSIGNED ** The web application stores credentials in clear text in the \"admin.xml\" file, which can be accessed without logging into the website, which could allow an attacker to obtain credentials related to all users, including admin users, in clear text, and use them to subsequently execute malicious actions.",
  "id": "GHSA-x784-rw8j-q6w6",
  "modified": "2024-03-21T03:35:47Z",
  "published": "2023-09-20T09:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47561"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCP5-J5FJ-3XP6

Vulnerability from github – Published: 2022-06-24 00:00 – Updated: 2022-12-05 21:52
VLAI
Summary
User passwords stored in plain text by Jenkins EasyQA Plugin
Details

EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file EasyQAPluginProperties.xml on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.geteasyqa:easyqa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-34202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-05T22:55:55Z",
    "nvd_published_at": "2022-06-23T17:15:00Z",
    "severity": "LOW"
  },
  "details": "EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file `EasyQAPluginProperties.xml` on the Jenkins controller as part of its configuration.\n\nThese passwords can be viewed by users with access to the Jenkins controller file system.",
  "id": "GHSA-xcp5-j5fj-3xp6",
  "modified": "2022-12-05T21:52:48Z",
  "published": "2022-06-24T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34202"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/easyqa-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2066"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "User passwords stored in plain text by Jenkins EasyQA Plugin"
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.