CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-XCM6-W86X-XG6R
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V2.12). The affected application writes sensitive data, such as database credentials in configuration files. A local attacker with access to the configuration files could use this information to launch further attacks.
{
"affected": [],
"aliases": [
"CVE-2020-10053"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-09T12:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions \u003c V2.12). The affected application writes sensitive data, such as database credentials in configuration files. A local attacker with access to the configuration files could use this information to launch further attacks.",
"id": "GHSA-xcm6-w86x-xg6r",
"modified": "2022-05-24T19:20:11Z",
"published": "2022-05-24T19:20:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10053"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-145157.pdf"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XF2Q-QXHF-RQH5
Vulnerability from github – Published: 2023-01-22 06:30 – Updated: 2024-03-21 03:34** DISPUTED ** KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
{
"affected": [],
"aliases": [
"CVE-2023-24055"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-22T04:15:00Z",
"severity": "MODERATE"
},
"details": "** DISPUTED ** KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor\u0027s position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.",
"id": "GHSA-xf2q-qxhf-rqh5",
"modified": "2024-03-21T03:34:38Z",
"published": "2023-01-22T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24055"
},
{
"type": "WEB",
"url": "https://securityboulevard.com/2023/01/keepass-password-manager-leak-cve-richixbw"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/keepass/feature-requests/2773"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XG53-7PJ5-CCGW
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-07-13 00:01RICON Industrial Cellular Router S9922L 16.10.3(3794) is affected by cleartext storage of sensitive information and sends username and password as base64.
{
"affected": [],
"aliases": [
"CVE-2021-36165"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-28T10:15:00Z",
"severity": "MODERATE"
},
"details": "RICON Industrial Cellular Router S9922L 16.10.3(3794) is affected by cleartext storage of sensitive information and sends username and password as base64.",
"id": "GHSA-xg53-7pj5-ccgw",
"modified": "2022-07-13T00:01:29Z",
"published": "2022-05-24T19:16:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36165"
},
{
"type": "WEB",
"url": "https://yunus-shn.medium.com/ricon-industrial-cellular-router-cleartext-credentials-e236052415d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XG8P-CP7F-CPHX
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2023-12-14 18:09Jenkins Dingding notifications Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.9"
},
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:dingding-notifications"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10433"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-14T18:09:56Z",
"nvd_published_at": "2019-10-01T14:15:00Z",
"severity": "LOW"
},
"details": "Jenkins Dingding notifications Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.",
"id": "GHSA-xg8p-cp7f-cphx",
"modified": "2023-12-14T18:09:56Z",
"published": "2022-05-24T16:57:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10433"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/dingtalk-plugin/commit/b2d4b3ecd2f467ae344eef55d8b51ae765d054a0"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/dingtalk-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1423"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-862"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/10/01/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "DingTalk Plugin stores credentials in plain text"
}
GHSA-XHHP-64QQ-P9X5
Vulnerability from github – Published: 2024-09-10 15:31 – Updated: 2024-09-10 15:31A cleartext storage of sensitive information in memory vulnerability [CWE-316] affecting FortiClient VPN iOS 7.2 all versions, 7.0 all versions, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an unauthenticated attacker that has physical access to a jailbroken device to obtain cleartext passwords via keychain dump.
{
"affected": [],
"aliases": [
"CVE-2024-35282"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T15:15:16Z",
"severity": "MODERATE"
},
"details": "A cleartext storage of sensitive information in memory vulnerability [CWE-316] affecting FortiClient VPN iOS 7.2 all versions, 7.0 all versions, 6.4 all versions, 6.2 all versions, 6.0 all versions may allow an unauthenticated attacker that has physical access to a jailbroken device to obtain cleartext passwords via keychain dump.",
"id": "GHSA-xhhp-64qq-p9x5",
"modified": "2024-09-10T15:31:05Z",
"published": "2024-09-10T15:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35282"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-139"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XJ8M-2H9P-P8WM
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-10-26 12:00Cleartext Storage of Sensitive Information in Memory vulnerability in Gallagher Command Centre Server allows OSDP reader master keys to be discoverable in server memory dumps. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); All versions of 8.30.
{
"affected": [],
"aliases": [
"CVE-2021-23182"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T16:15:00Z",
"severity": "MODERATE"
},
"details": "Cleartext Storage of Sensitive Information in Memory vulnerability in Gallagher Command Centre Server allows OSDP reader master keys to be discoverable in server memory dumps. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3); All versions of 8.30.",
"id": "GHSA-xj8m-2h9p-p8wm",
"modified": "2022-10-26T12:00:31Z",
"published": "2022-05-24T19:05:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23182"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/Security-Advisories/CVE-2021-23182"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XJ9G-83CQ-WF3M
Vulnerability from github – Published: 2024-09-02 18:31 – Updated: 2026-06-03 15:30Cleartext Storage of Sensitive Information vulnerability in NAC Telecommunication Systems Inc. NACPremium allows Retrieve Embedded Sensitive Data.This issue affects NACPremium: through 01082024.
{
"affected": [],
"aliases": [
"CVE-2024-6921"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-02T18:15:38Z",
"severity": "HIGH"
},
"details": "Cleartext Storage of Sensitive Information vulnerability in NAC Telecommunication Systems Inc. NACPremium allows Retrieve Embedded Sensitive Data.This issue affects NACPremium: through 01082024.",
"id": "GHSA-xj9g-83cq-wf3m",
"modified": "2026-06-03T15:30:34Z",
"published": "2024-09-02T18:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6921"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1376"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-1376"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XMHJ-9CM5-RW2X
Vulnerability from github – Published: 2023-05-30 18:30 – Updated: 2024-04-04 04:23PowerPath for Windows, versions 7.0, 7.1 & 7.2 contains License Key Stored in Cleartext vulnerability. A local user with access to the installation directory can retrieve the license key of the product and use it to install and license PowerPath on different systems.
{
"affected": [],
"aliases": [
"CVE-2023-32448"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-30T16:15:09Z",
"severity": "MODERATE"
},
"details": "\nPowerPath for Windows, versions 7.0, 7.1 \u0026 7.2 contains License Key Stored in Cleartext vulnerability. A local user with access to the installation directory can retrieve the license key of the product and use it to install and license PowerPath on different systems.\n\n",
"id": "GHSA-xmhj-9cm5-rw2x",
"modified": "2024-04-04T04:23:28Z",
"published": "2023-05-30T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32448"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000214248/dsa-2023-154-powerpath-windows-security-update-for-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XP2P-9WQ2-WX5Q
Vulnerability from github – Published: 2024-04-18 03:30 – Updated: 2025-02-04 18:30A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints the Brocade SANnav password in clear text in supportsave logs when a user schedules a switch Supportsave from Brocade SANnav.
{
"affected": [],
"aliases": [
"CVE-2024-29956"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-18T02:15:06Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints the Brocade SANnav password in clear text in supportsave logs when a user schedules a switch Supportsave from Brocade SANnav.",
"id": "GHSA-xp2p-9wq2-wx5q",
"modified": "2025-02-04T18:30:44Z",
"published": "2024-04-18T03:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29956"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/external/content/SecurityAdvisories/0/23240"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XPH6-FRVR-HQ8F
Vulnerability from github – Published: 2022-05-24 22:33 – Updated: 2022-05-24 22:33Proxy functionality built into Hubs Cloud’s Reticulum software allowed access to internal URLs, including the metadata service. This vulnerability affects Hubs Cloud < mozillareality/reticulum/1.0.1/20210428201255.
{
"affected": [],
"aliases": [
"CVE-2021-29954"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-24T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Proxy functionality built into Hubs Cloud\u2019s Reticulum software allowed access to internal URLs, including the metadata service. This vulnerability affects Hubs Cloud \u003c mozillareality/reticulum/1.0.1/20210428201255.",
"id": "GHSA-xph6-frvr-hq8f",
"modified": "2022-05-24T22:33:55Z",
"published": "2022-05-24T22:33:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29954"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1707898"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-21"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.