CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
CVE-2020-15105 (GCVE-0-2020-15105)
Vulnerability from cvelistv5 – Published: 2020-07-10 20:55 – Updated: 2024-08-04 13:08- CWE-312 - Cleartext Storage of Sensitive Information
| URL | Tags |
|---|---|
| https://github.com/Bouke/django-two-factor-auth/s… | x_refsource_CONFIRM |
| https://github.com/Bouke/django-two-factor-auth/c… | x_refsource_MISC |
| https://github.com/Bouke/django-two-factor-auth/b… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Bouke | django-two-factor-auth |
Affected:
< 1.12
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.577Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Bouke/django-two-factor-auth/security/advisories/GHSA-vhr6-pvjm-9qwf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Bouke/django-two-factor-auth/commit/454fd9842fa6e8bb772dbf0943976bc8e3335359"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Bouke/django-two-factor-auth/blob/master/CHANGELOG.md#112---2020-07-08"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "django-two-factor-auth",
"vendor": "Bouke",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Django Two-Factor Authentication before 1.12, stores the user\u0027s password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you\u0027re using Django\u0027s default database session storage, then users\u0027 passwords are stored in clear text in your database. In the best case, if you\u0027re using Django\u0027s signed cookie session, then users\u0027 passwords are only stored in clear text within their browser\u0027s cookie store. In the common case of using Django\u0027s cache session store, the users\u0027 passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you\u0027re using the database session backend, you\u0027ll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, wwitching Django\u0027s session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. There is no way to fully mitigate the issue without upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-10T20:55:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Bouke/django-two-factor-auth/security/advisories/GHSA-vhr6-pvjm-9qwf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bouke/django-two-factor-auth/commit/454fd9842fa6e8bb772dbf0943976bc8e3335359"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Bouke/django-two-factor-auth/blob/master/CHANGELOG.md#112---2020-07-08"
}
],
"source": {
"advisory": "GHSA-vhr6-pvjm-9qwf",
"discovery": "UNKNOWN"
},
"title": "In Django Two-Factor Authentication, user passwords are stored in clear text in the Django session",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15105",
"STATE": "PUBLIC",
"TITLE": "In Django Two-Factor Authentication, user passwords are stored in clear text in the Django session"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "django-two-factor-auth",
"version": {
"version_data": [
{
"version_value": "\u003c 1.12"
}
]
}
}
]
},
"vendor_name": "Bouke"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Django Two-Factor Authentication before 1.12, stores the user\u0027s password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authentication code. This means that the password is stored in clear text in the session for an arbitrary amount of time, and potentially forever if the user begins the login process by entering their username and password and then leaves before entering their two-factor authentication code. The severity of this issue depends on which type of session storage you have configured: in the worst case, if you\u0027re using Django\u0027s default database session storage, then users\u0027 passwords are stored in clear text in your database. In the best case, if you\u0027re using Django\u0027s signed cookie session, then users\u0027 passwords are only stored in clear text within their browser\u0027s cookie store. In the common case of using Django\u0027s cache session store, the users\u0027 passwords are stored in clear text in whatever cache storage you have configured (typically Memcached or Redis). This has been fixed in 1.12. After upgrading, users should be sure to delete any clear text passwords that have been stored. For example, if you\u0027re using the database session backend, you\u0027ll likely want to delete any session record from the database and purge that data from any database backups or replicas. In addition, affected organizations who have suffered a database breach while using an affected version should inform their users that their clear text passwords have been compromised. All organizations should encourage users whose passwords were insecurely stored to change these passwords on any sites where they were used. As a workaround, wwitching Django\u0027s session storage to use signed cookies instead of the database or cache lessens the impact of this issue, but should not be done without a thorough understanding of the security tradeoffs of using signed cookies rather than a server-side session storage. There is no way to fully mitigate the issue without upgrading."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-312: Cleartext Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/Bouke/django-two-factor-auth/security/advisories/GHSA-vhr6-pvjm-9qwf",
"refsource": "CONFIRM",
"url": "https://github.com/Bouke/django-two-factor-auth/security/advisories/GHSA-vhr6-pvjm-9qwf"
},
{
"name": "https://github.com/Bouke/django-two-factor-auth/commit/454fd9842fa6e8bb772dbf0943976bc8e3335359",
"refsource": "MISC",
"url": "https://github.com/Bouke/django-two-factor-auth/commit/454fd9842fa6e8bb772dbf0943976bc8e3335359"
},
{
"name": "https://github.com/Bouke/django-two-factor-auth/blob/master/CHANGELOG.md#112---2020-07-08",
"refsource": "MISC",
"url": "https://github.com/Bouke/django-two-factor-auth/blob/master/CHANGELOG.md#112---2020-07-08"
}
]
},
"source": {
"advisory": "GHSA-vhr6-pvjm-9qwf",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15105",
"datePublished": "2020-07-10T20:55:13.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:21.577Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15085 (GCVE-0-2020-15085)
Vulnerability from cvelistv5 – Published: 2020-06-30 16:25 – Updated: 2024-08-04 13:08- CWE-312 - Cleartext Storage of Sensitive Information
| URL | Tags |
|---|---|
| https://github.com/mirumee/saleor-storefront/secu… | x_refsource_CONFIRM |
| https://github.com/mirumee/saleor-storefront/blob… | x_refsource_MISC |
| https://github.com/mirumee/saleor-storefront/comm… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| mirumee | saleor-storefront |
Affected:
< 2.10.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "saleor-storefront",
"vendor": "mirumee",
"versions": [
{
"status": "affected",
"version": "\u003c 2.10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser\u0027s local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser\u0027s local storage) after logging into Saleor Storefront."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-30T16:25:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
}
],
"source": {
"advisory": "GHSA-4279-h39w-2jqm",
"discovery": "UNKNOWN"
},
"title": "Client caching login operation with plaintext password in Saleor Storefront",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15085",
"STATE": "PUBLIC",
"TITLE": "Client caching login operation with plaintext password in Saleor Storefront"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "saleor-storefront",
"version": {
"version_data": [
{
"version_value": "\u003c 2.10.3"
}
]
}
}
]
},
"vendor_name": "mirumee"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Saleor Storefront before version 2.10.3, request data used to authenticate customers was inadvertently cached in the browser\u0027s local storage mechanism, including credentials. A malicious user with direct access to the browser could extract the email and password. In versions prior to 2.10.0 persisted the cache even after the user logged out. This is fixed in version 2.10.3. A workaround is to manually clear application data (browser\u0027s local storage) after logging into Saleor Storefront."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-312 Cleartext Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm",
"refsource": "CONFIRM",
"url": "https://github.com/mirumee/saleor-storefront/security/advisories/GHSA-4279-h39w-2jqm"
},
{
"name": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103",
"refsource": "MISC",
"url": "https://github.com/mirumee/saleor-storefront/blob/master/CHANGELOG.md#2103"
},
{
"name": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458",
"refsource": "MISC",
"url": "https://github.com/mirumee/saleor-storefront/commit/7c331e1be805022c9a7be719bd69d050b2577458"
}
]
},
"source": {
"advisory": "GHSA-4279-h39w-2jqm",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15085",
"datePublished": "2020-06-30T16:25:13.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:22.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-14480 (GCVE-0-2020-14480)
Vulnerability from cvelistv5 – Published: 2022-02-24 18:27 – Updated: 2025-04-17 18:47| URL | Tags |
|---|---|
| https://www.cisa.gov/uscert/ics/advisories/icsa-2… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Rockwell Automation | FactoryTalk View SE |
Affected:
unspecified , ≤ 9.0
(custom)
Affected: 10.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:46:34.603Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-14480",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T17:49:28.049402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T18:47:48.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FactoryTalk View SE",
"vendor": "Rockwell Automation",
"versions": [
{
"lessThanOrEqual": "9.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"status": "affected",
"version": "10.0"
}
]
}
],
"datePublic": "2020-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Due to usernames/passwords being stored in plaintext in Random Access Memory (RAM), a local, authenticated attacker could gain access to certain credentials, including Windows Logon credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-24T18:27:14.000Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-03"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"DATE_PUBLIC": "2020-06-25T16:00:00.000Z",
"ID": "CVE-2020-14480",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "FactoryTalk View SE",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "9.0"
},
{
"version_affected": "=",
"version_value": "10.0"
}
]
}
}
]
},
"vendor_name": "Rockwell Automation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Due to usernames/passwords being stored in plaintext in Random Access Memory (RAM), a local, authenticated attacker could gain access to certain credentials, including Windows Logon credentials."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-312"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-03",
"refsource": "MISC",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-20-177-03"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-14480",
"datePublished": "2022-02-24T18:27:14.889Z",
"dateReserved": "2020-06-19T00:00:00.000Z",
"dateUpdated": "2025-04-17T18:47:48.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10706 (GCVE-0-2020-10706)
Vulnerability from cvelistv5 – Published: 2020-05-12 13:48 – Updated: 2024-08-04 11:06| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| [UNKNOWN] | openshift/openshift-apiserver |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:06:11.155Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10706"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "openshift/openshift-apiserver",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled. This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into the cluster via the WebUI or via the command line in the last 24 hours. Once the backup is older than 24 hours the OAuth tokens are no longer valid."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-12T13:48:36.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10706"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10706",
"datePublished": "2020-05-12T13:48:36.000Z",
"dateReserved": "2020-03-20T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:06:11.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-10053 (GCVE-0-2020-10053)
Vulnerability from cvelistv5 – Published: 2021-11-09 11:31 – Updated: 2024-08-04 10:50- CWE-312 - Cleartext Storage of Sensitive Information
| URL | Tags |
|---|---|
| https://cert-portal.siemens.com/productcert/pdf/s… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | SIMATIC RTLS Locating Manager |
Affected:
All versions < V2.12
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:50:57.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-145157.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SIMATIC RTLS Locating Manager",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions \u003c V2.12). The affected application writes sensitive data, such as database credentials in configuration files. A local attacker with access to the configuration files could use this information to launch further attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-09T11:31:37.000Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-145157.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2020-10053",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SIMATIC RTLS Locating Manager",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V2.12"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions \u003c V2.12). The affected application writes sensitive data, such as database credentials in configuration files. A local attacker with access to the configuration files could use this information to launch further attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-312: Cleartext Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-145157.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-145157.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2020-10053",
"datePublished": "2021-11-09T11:31:37.000Z",
"dateReserved": "2020-03-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:50:57.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-9045 (GCVE-0-2020-9045)
Vulnerability from cvelistv5 – Published: 2020-05-21 14:45 – Updated: 2024-08-04 10:19- CWE-312 - - Cleartext Storage of Sensitive Information
| URL | Tags |
|---|---|
| https://www.johnsoncontrols.com/cyber-solutions/s… | x_refsource_CONFIRM |
| https://www.us-cert.gov/ics/advisories/ICSA-20-142-01 | third-party-advisoryx_refsource_CERT |
| Vendor | Product | Version | |
|---|---|---|---|
| Johnson Controls | Software House C•CURE 9000 v2.70 |
Affected:
2.70
|
|
| Johnson Controls | American Dynamics victor Video Management System v5.2 |
Affected:
5.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:19:19.232Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Software House C\u2022CURE 9000 v2.70",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "2.70"
}
]
},
{
"product": "American Dynamics victor Video Management System v5.2",
"vendor": "Johnson Controls",
"versions": [
{
"status": "affected",
"version": "5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "During installation or upgrade to Software House C\u2022CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 - Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-21T14:45:44.000Z",
"orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"shortName": "jci"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"tags": [
"third-party-advisory",
"x_refsource_CERT"
],
"url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
}
],
"solutions": [
{
"lang": "en",
"value": "All users should upgrade to the latest version. \n\nPlease note that while the upgrade will automatically remove the log file, we recommend existing deployments to securely delete the log file from the following path c:\\ProgramData\\Tyco\\InstallerTemp and then change the password for the affected user account."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "C\u2022CURE 9000 and victor Video Management System - Cleartext storage of user credentials upon installation or upgrade of software.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productsecurity@jci.com",
"ID": "CVE-2020-9045",
"STATE": "PUBLIC",
"TITLE": "C\u2022CURE 9000 and victor Video Management System - Cleartext storage of user credentials upon installation or upgrade of software."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Software House C\u2022CURE 9000 v2.70",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2.70"
}
]
}
},
{
"product_name": "American Dynamics victor Video Management System v5.2",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "5.2"
}
]
}
}
]
},
"vendor_name": "Johnson Controls"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "During installation or upgrade to Software House C\u2022CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-312 - Cleartext Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories",
"refsource": "CONFIRM",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"name": "ICS-CERT Advisory",
"refsource": "CERT",
"url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
}
]
},
"solution": [
{
"lang": "en",
"value": "All users should upgrade to the latest version. \n\nPlease note that while the upgrade will automatically remove the log file, we recommend existing deployments to securely delete the log file from the following path c:\\ProgramData\\Tyco\\InstallerTemp and then change the password for the affected user account."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
"assignerShortName": "jci",
"cveId": "CVE-2020-9045",
"datePublished": "2020-05-21T14:45:44.000Z",
"dateReserved": "2020-02-18T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:19:19.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8276 (GCVE-0-2020-8276)
Vulnerability from cvelistv5 – Published: 2020-11-09 14:05 – Updated: 2024-08-04 09:56- CWE-312 - Cleartext Storage of Sensitive Information (CWE-312)
| URL | Tags |
|---|---|
| https://hackerone.com/reports/1024668 | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | https://github.com/brave/brave-core |
Affected:
v1.18.35
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:28.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1024668"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/brave/brave-core",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "v1.18.35"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The implementation of Brave Desktop\u0027s privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended behavior was to log the timestamp for incognito windows excluding Tor windows. Note that if a user has P3A enabled, the timestamp is not sent to Brave\u0027s server, but rather a value from:Used in last 24hUsed in last week but not 24hUsed in last 28 days but not weekEver used but not in last 28 daysNever usedThe privacy risk is low because a local attacker with disk access cannot tell if the timestamp corresponds to a Tor window or a non-Tor incognito window."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "Cleartext Storage of Sensitive Information (CWE-312)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T14:05:23.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1024668"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8276",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/brave/brave-core",
"version": {
"version_data": [
{
"version_value": "v1.18.35"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The implementation of Brave Desktop\u0027s privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended behavior was to log the timestamp for incognito windows excluding Tor windows. Note that if a user has P3A enabled, the timestamp is not sent to Brave\u0027s server, but rather a value from:Used in last 24hUsed in last week but not 24hUsed in last 28 days but not weekEver used but not in last 28 daysNever usedThe privacy risk is low because a local attacker with disk access cannot tell if the timestamp corresponds to a Tor window or a non-Tor incognito window."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cleartext Storage of Sensitive Information (CWE-312)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/1024668",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1024668"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8276",
"datePublished": "2020-11-09T14:05:23.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:28.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8225 (GCVE-0-2020-8225)
Vulnerability from cvelistv5 – Published: 2020-09-18 20:11 – Updated: 2024-08-04 09:56- CWE-312 - Cleartext Storage of Sensitive Information (CWE-312)
| URL | Tags |
|---|---|
| https://hackerone.com/reports/685990 | x_refsource_MISC |
| https://nextcloud.com/security/advisory/?id=NC-SA… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Desktop Client |
Affected:
Fixed in 2.6.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:56:27.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/685990"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-031"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Desktop Client",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 2.6.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "Cleartext Storage of Sensitive Information (CWE-312)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T20:11:32.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/685990"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-031"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2020-8225",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Desktop Client",
"version": {
"version_data": [
{
"version_value": "Fixed in 2.6.5"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cleartext Storage of Sensitive Information (CWE-312)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/685990",
"refsource": "MISC",
"url": "https://hackerone.com/reports/685990"
},
{
"name": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-031",
"refsource": "MISC",
"url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-031"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2020-8225",
"datePublished": "2020-09-18T20:11:32.000Z",
"dateReserved": "2020-01-28T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:56:27.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7517 (GCVE-0-2020-7517)
Vulnerability from cvelistv5 – Published: 2020-07-23 20:47 – Updated: 2024-08-04 09:33- CWE-312 - Cleartext Storage of Sensitive Information
| URL | Tags |
|---|---|
| https://www.se.com/ww/en/download/document/SEVD-2… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Easergy Builder (Version 1.4.7.2 and older) |
Affected:
Easergy Builder (Version 1.4.7.2 and older)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:33:19.790Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easergy Builder (Version 1.4.7.2 and older)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Easergy Builder (Version 1.4.7.2 and older)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker to read user credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-23T20:47:20.000Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-05"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2020-7517",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easergy Builder (Version 1.4.7.2 and older)",
"version": {
"version_data": [
{
"version_value": "Easergy Builder (Version 1.4.7.2 and older)"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A CWE-312: Cleartext Storage of Sensitive Information vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker to read user credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-312: Cleartext Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.se.com/ww/en/download/document/SEVD-2020-161-05",
"refsource": "MISC",
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-05"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2020-7517",
"datePublished": "2020-07-23T20:47:20.000Z",
"dateReserved": "2020-01-21T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:33:19.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7516 (GCVE-0-2020-7516)
Vulnerability from cvelistv5 – Published: 2020-07-23 20:47 – Updated: 2024-08-04 09:33- CWE-312 - Cleartext Storage of Sensitive Information
| URL | Tags |
|---|---|
| https://download.schneider-electric.com/files?p_D… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Easergy Builder V1.4.7.2 and prior |
Affected:
Easergy Builder V1.4.7.2 and prior
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:33:19.615Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-161-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Easergy Builder V1.4.7.2 and prior",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Easergy Builder V1.4.7.2 and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A CWE-316: Cleartext Storage of Sensitive Information in Memory vulnerability exists in Easergy Builder V1.4.7.2 and prior which could allow an attacker access to login credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312: Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-11T17:27:01.000Z",
"orgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"shortName": "schneider"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-161-05"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@schneider-electric.com",
"ID": "CVE-2020-7516",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Easergy Builder V1.4.7.2 and prior",
"version": {
"version_data": [
{
"version_value": "Easergy Builder V1.4.7.2 and prior"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A CWE-316: Cleartext Storage of Sensitive Information in Memory vulnerability exists in Easergy Builder V1.4.7.2 and prior which could allow an attacker access to login credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-312: Cleartext Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-161-05",
"refsource": "MISC",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-161-05"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "076d1eb6-cfab-4401-b34d-6dfc2a413bdb",
"assignerShortName": "schneider",
"cveId": "CVE-2020-7516",
"datePublished": "2020-07-23T20:47:11.000Z",
"dateReserved": "2020-01-21T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:33:19.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.