CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-37J4-88RP-2F6H
Vulnerability from github – Published: 2026-05-08 18:37 – Updated: 2026-05-08 18:37Impact
The getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context).
On developer and CI machines, process.env routinely contains secrets such as:
AWS_SECRET_ACCESS_KEY/AWS_SESSION_TOKENGITHUB_TOKEN/NPM_TOKENOPENAI_API_KEY/DOCKER_AUTH- Internal service credentials, API keys, and database URLs
An attacker who achieves any JavaScript execution within the renderer—for example, through a malicious plugin, a cross-site scripting (XSS) flaw, or the terminal hyperlink execution chain—can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. The exposure is visible even without any code execution by simply opening the "Info" modal in the application, though that requires local access.
Patches
A patch is yet to be available.
Workarounds
Until a patch is released: - Avoid launching electerm with sensitive environment variables set. Use shell scripts or a dedicated terminal profile that clears secrets before starting the application. - Do not install plugins from untrusted sources, and audit any installed plugins for network access. - Keep the renderer context as locked down as possible: disable the remote debugging port, and do not paste untrusted code into the DevTools console.
Resources
- electerm GitHub Repository
- electerm Security Policy
- Vulnerability details originally reported by external researcher (confirmed on v3.7.9, Win10).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "electerm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.8.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-43942"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T18:37:42Z",
"nvd_published_at": "2026-05-08T04:16:23Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe `getConstants()` IPC handler in `src/app/lib/ipc-sync.js` serialises the entire `process.env` object and sends it to the renderer. The data is stored as `window.pre.env` and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context).\n\nOn developer and CI machines, `process.env` routinely contains secrets such as:\n\n- `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN`\n- `GITHUB_TOKEN` / `NPM_TOKEN`\n- `OPENAI_API_KEY` / `DOCKER_AUTH`\n- Internal service credentials, API keys, and database URLs\n\nAn attacker who achieves any JavaScript execution within the renderer\u2014for example, through a malicious plugin, a cross-site scripting (XSS) flaw, or the terminal hyperlink execution chain\u2014can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. The exposure is visible even without any code execution by simply opening the \"Info\" modal in the application, though that requires local access.\n\n### Patches\n\nA patch is yet to be available.\n\n### Workarounds\n\nUntil a patch is released:\n- Avoid launching electerm with sensitive environment variables set. Use shell scripts or a dedicated terminal profile that clears secrets before starting the application.\n- Do not install plugins from untrusted sources, and audit any installed plugins for network access.\n- Keep the renderer context as locked down as possible: disable the remote debugging port, and do not paste untrusted code into the DevTools console.\n\n### Resources\n- [electerm GitHub Repository](https://github.com/electerm/electerm)\n- [electerm Security Policy](https://github.com/electerm/electerm/security)\n- Vulnerability details originally reported by external researcher (confirmed on v3.7.9, Win10).",
"id": "GHSA-37j4-88rp-2f6h",
"modified": "2026-05-08T18:37:42Z",
"published": "2026-05-08T18:37:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/electerm/electerm/security/advisories/GHSA-37j4-88rp-2f6h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43942"
},
{
"type": "PACKAGE",
"url": "https://github.com/electerm/electerm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Electerm\u0027s full process.env exposed to renderer via window.pre.env"
}
GHSA-3847-MRXP-MPH6
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26An issue was discovered on Nescomed Multipara Monitor M1000 devices. The onboard Flash memory stores data in cleartext, without integrity protection against tampering.
{
"affected": [],
"aliases": [
"CVE-2020-15485"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-26T20:15:00Z",
"severity": "LOW"
},
"details": "An issue was discovered on Nescomed Multipara Monitor M1000 devices. The onboard Flash memory stores data in cleartext, without integrity protection against tampering.",
"id": "GHSA-3847-mrxp-mph6",
"modified": "2022-05-24T17:26:38Z",
"published": "2022-05-24T17:26:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15485"
},
{
"type": "WEB",
"url": "https://payatu.com/advisory/lack-of-medical-data-encryption-in-dr-trust-ecg-or-ekg-pen"
},
{
"type": "WEB",
"url": "https://www.niscomed.com/multipara-monitor.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-389J-CW3H-6FC8
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-10-13 19:00During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation.
{
"affected": [],
"aliases": [
"CVE-2020-9045"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-21T15:15:00Z",
"severity": "MODERATE"
},
"details": "During installation or upgrade to Software House C\u2022CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation.",
"id": "GHSA-389j-cw3h-6fc8",
"modified": "2022-10-13T19:00:20Z",
"published": "2022-05-24T22:28:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9045"
},
{
"type": "WEB",
"url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-38HW-368M-7JMG
Vulnerability from github – Published: 2023-05-16 18:30 – Updated: 2023-05-17 03:05Jenkins Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets.
Ansible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them.
Ansible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:ansible"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "205.v4cb"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32982"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-17T03:05:51Z",
"nvd_published_at": "2023-05-16T16:15:10Z",
"severity": "MODERATE"
},
"details": "Jenkins Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets.\n\nAnsible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration.\n\nThese extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them.\n\nAnsible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.",
"id": "GHSA-38hw-368m-7jmg",
"modified": "2023-05-17T03:05:51Z",
"published": "2023-05-16T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32982"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/ansible-plugin/commit/4cbc48657c21a65a917b3b3049918480198c0cfb"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Ansible Plugin stores and displays secrets in plain text"
}
GHSA-39F6-9C52-27P8
Vulnerability from github – Published: 2024-02-07 18:30 – Updated: 2025-11-04 00:30IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657.
{
"affected": [],
"aliases": [
"CVE-2023-31002"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-07T17:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657.",
"id": "GHSA-39f6-9c52-27p8",
"modified": "2025-11-04T00:30:45Z",
"published": "2024-02-07T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31002"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254657"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7106586"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3CMF-2R4C-R97P
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
{
"affected": [],
"aliases": [
"CVE-2018-11242"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-20T14:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.",
"id": "GHSA-3cmf-2r4c-r97p",
"modified": "2022-05-13T01:49:11Z",
"published": "2022-05-13T01:49:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11242"
},
{
"type": "WEB",
"url": "https://gist.github.com/NinjaXshell/ba0aeee4b77b4bdea76d0c0c095d53b1"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44690"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3FPX-G9H3-HH8X
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2024-01-30 21:17Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5"
},
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:neuvector-vulnerability-scanner"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10430"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-30T21:17:55Z",
"nvd_published_at": "2019-09-25T16:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.",
"id": "GHSA-3fpx-g9h3-hh8x",
"modified": "2024-01-30T21:17:55Z",
"published": "2022-05-24T22:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10430"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1504"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins NeuVector Vulnerability Scanner Plugin stored credentials in plain text "
}
GHSA-3FRC-879C-J9H5
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2023-10-26 22:45Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.brianfromoregon:caliper-ci"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10351"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-26T22:45:32Z",
"nvd_published_at": "2019-07-11T14:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Caliper CI Plugin stores credentials unencrypted in job `config.xml` files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-3frc-879c-j9h5",
"modified": "2023-10-26T22:45:32Z",
"published": "2022-05-24T16:50:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10351"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1437"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/07/11/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Caliper CI Plugin stores credentials in plain text"
}
GHSA-3G7H-7745-2CMG
Vulnerability from github – Published: 2022-05-02 03:13 – Updated: 2025-04-09 04:09iChat in Apple Mac OS X 10.5 before 10.5.7 disables SSL for AOL Instant Messenger (AIM) communication in certain circumstances that are inconsistent with the Require SSL setting, which allows remote attackers to obtain sensitive information by sniffing the network.
{
"affected": [],
"aliases": [
"CVE-2009-0152"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-05-13T15:30:00Z",
"severity": "MODERATE"
},
"details": "iChat in Apple Mac OS X 10.5 before 10.5.7 disables SSL for AOL Instant Messenger (AIM) communication in certain circumstances that are inconsistent with the Require SSL setting, which allows remote attackers to obtain sensitive information by sniffing the network.",
"id": "GHSA-3g7h-7745-2cmg",
"modified": "2025-04-09T04:09:46Z",
"published": "2022-05-02T03:13:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0152"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50487"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2009/May/msg00002.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/35074"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT3549"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/34926"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1022212"
},
{
"type": "WEB",
"url": "http://www.us-cert.gov/cas/techalerts/TA09-133A.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/1297"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3G7R-R3CR-Q6F8
Vulnerability from github – Published: 2024-06-07 15:30 – Updated: 2024-08-14 21:33Netgear WNR614 JNR1010V2/N300-V1.1.0.54_1.0.1 was discovered to store credentials in plaintext.
{
"affected": [],
"aliases": [
"CVE-2024-36790"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-07T15:15:50Z",
"severity": "HIGH"
},
"details": "Netgear WNR614 JNR1010V2/N300-V1.1.0.54_1.0.1 was discovered to store credentials in plaintext.",
"id": "GHSA-3g7r-r3cr-q6f8",
"modified": "2024-08-14T21:33:11Z",
"published": "2024-06-07T15:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36790"
},
{
"type": "WEB",
"url": "https://redfoxsec.com/blog/security-advisory-multiple-vulnerabilities-in-netgear-wnr614-router"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.