Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-37J4-88RP-2F6H

Vulnerability from github – Published: 2026-05-08 18:37 – Updated: 2026-05-08 18:37
VLAI
Summary
Electerm's full process.env exposed to renderer via window.pre.env
Details

Impact

The getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context).

On developer and CI machines, process.env routinely contains secrets such as:

  • AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN
  • GITHUB_TOKEN / NPM_TOKEN
  • OPENAI_API_KEY / DOCKER_AUTH
  • Internal service credentials, API keys, and database URLs

An attacker who achieves any JavaScript execution within the renderer—for example, through a malicious plugin, a cross-site scripting (XSS) flaw, or the terminal hyperlink execution chain—can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. The exposure is visible even without any code execution by simply opening the "Info" modal in the application, though that requires local access.

Patches

A patch is yet to be available.

Workarounds

Until a patch is released: - Avoid launching electerm with sensitive environment variables set. Use shell scripts or a dedicated terminal profile that clears secrets before starting the application. - Do not install plugins from untrusted sources, and audit any installed plugins for network access. - Keep the renderer context as locked down as possible: disable the remote debugging port, and do not paste untrusted code into the DevTools console.

Resources

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electerm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.8.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T18:37:42Z",
    "nvd_published_at": "2026-05-08T04:16:23Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe `getConstants()` IPC handler in `src/app/lib/ipc-sync.js` serialises the entire `process.env` object and sends it to the renderer. The data is stored as `window.pre.env` and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context).\n\nOn developer and CI machines, `process.env` routinely contains secrets such as:\n\n- `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN`\n- `GITHUB_TOKEN` / `NPM_TOKEN`\n- `OPENAI_API_KEY` / `DOCKER_AUTH`\n- Internal service credentials, API keys, and database URLs\n\nAn attacker who achieves any JavaScript execution within the renderer\u2014for example, through a malicious plugin, a cross-site scripting (XSS) flaw, or the terminal hyperlink execution chain\u2014can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. The exposure is visible even without any code execution by simply opening the \"Info\" modal in the application, though that requires local access.\n\n### Patches\n\nA patch is yet to be available.\n\n### Workarounds\n\nUntil a patch is released:\n- Avoid launching electerm with sensitive environment variables set. Use shell scripts or a dedicated terminal profile that clears secrets before starting the application.\n- Do not install plugins from untrusted sources, and audit any installed plugins for network access.\n- Keep the renderer context as locked down as possible: disable the remote debugging port, and do not paste untrusted code into the DevTools console.\n\n### Resources\n- [electerm GitHub Repository](https://github.com/electerm/electerm)\n- [electerm Security Policy](https://github.com/electerm/electerm/security)\n- Vulnerability details originally reported by external researcher (confirmed on v3.7.9, Win10).",
  "id": "GHSA-37j4-88rp-2f6h",
  "modified": "2026-05-08T18:37:42Z",
  "published": "2026-05-08T18:37:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electerm/electerm/security/advisories/GHSA-37j4-88rp-2f6h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43942"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electerm/electerm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Electerm\u0027s full process.env exposed to renderer via window.pre.env"
}

GHSA-3847-MRXP-MPH6

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26
VLAI
Details

An issue was discovered on Nescomed Multipara Monitor M1000 devices. The onboard Flash memory stores data in cleartext, without integrity protection against tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-26T20:15:00Z",
    "severity": "LOW"
  },
  "details": "An issue was discovered on Nescomed Multipara Monitor M1000 devices. The onboard Flash memory stores data in cleartext, without integrity protection against tampering.",
  "id": "GHSA-3847-mrxp-mph6",
  "modified": "2022-05-24T17:26:38Z",
  "published": "2022-05-24T17:26:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15485"
    },
    {
      "type": "WEB",
      "url": "https://payatu.com/advisory/lack-of-medical-data-encryption-in-dr-trust-ecg-or-ekg-pen"
    },
    {
      "type": "WEB",
      "url": "https://www.niscomed.com/multipara-monitor.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-389J-CW3H-6FC8

Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-10-13 19:00
VLAI
Details

During installation or upgrade to Software House C•CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-05-21T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "During installation or upgrade to Software House C\u2022CURE 9000 v2.70 and American Dynamics victor Video Management System v5.2, the credentials of the user used to perform the installation or upgrade are logged in a file. The install log file persists after the installation.",
  "id": "GHSA-389j-cw3h-6fc8",
  "modified": "2022-10-13T19:00:20Z",
  "published": "2022-05-24T22:28:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9045"
    },
    {
      "type": "WEB",
      "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/ICSA-20-142-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-38HW-368M-7JMG

Vulnerability from github – Published: 2023-05-16 18:30 – Updated: 2023-05-17 03:05
VLAI
Summary
Jenkins Ansible Plugin stores and displays secrets in plain text
Details

Jenkins Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets.

Ansible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them.

Ansible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "205.v4cb"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-311",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T03:05:51Z",
    "nvd_published_at": "2023-05-16T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets.\n\nAnsible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration.\n\nThese extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them.\n\nAnsible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.",
  "id": "GHSA-38hw-368m-7jmg",
  "modified": "2023-05-17T03:05:51Z",
  "published": "2023-05-16T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32982"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/ansible-plugin/commit/4cbc48657c21a65a917b3b3049918480198c0cfb"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Ansible Plugin stores and displays secrets in plain text"
}

GHSA-39F6-9C52-27P8

Vulnerability from github – Published: 2024-02-07 18:30 – Updated: 2025-11-04 00:30
VLAI
Details

IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. IBM X-Force ID: 254657.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-07T17:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user.  IBM X-Force ID:  254657.",
  "id": "GHSA-39f6-9c52-27p8",
  "modified": "2025-11-04T00:30:45Z",
  "published": "2024-02-07T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31002"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254657"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7106586"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Nov/0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3CMF-2R4C-R97P

Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49
VLAI
Details

An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-11242"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-20T14:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.",
  "id": "GHSA-3cmf-2r4c-r97p",
  "modified": "2022-05-13T01:49:11Z",
  "published": "2022-05-13T01:49:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11242"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/NinjaXshell/ba0aeee4b77b4bdea76d0c0c095d53b1"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44690"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3FPX-G9H3-HH8X

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2024-01-30 21:17
VLAI
Summary
Jenkins NeuVector Vulnerability Scanner Plugin stored credentials in plain text
Details

Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.plugins:neuvector-vulnerability-scanner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T21:17:55Z",
    "nvd_published_at": "2019-09-25T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.",
  "id": "GHSA-3fpx-g9h3-hh8x",
  "modified": "2024-01-30T21:17:55Z",
  "published": "2022-05-24T22:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10430"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1504"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins NeuVector Vulnerability Scanner Plugin stored credentials in plain text "
}

GHSA-3FRC-879C-J9H5

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2023-10-26 22:45
VLAI
Summary
Jenkins Caliper CI Plugin stores credentials in plain text
Details

Jenkins Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.brianfromoregon:caliper-ci"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-26T22:45:32Z",
    "nvd_published_at": "2019-07-11T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Caliper CI Plugin stores credentials unencrypted in job `config.xml` files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\n\nAs of publication of this advisory, there is no fix.",
  "id": "GHSA-3frc-879c-j9h5",
  "modified": "2023-10-26T22:45:32Z",
  "published": "2022-05-24T16:50:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10351"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1437"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/07/11/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Caliper CI Plugin stores credentials in plain text"
}

GHSA-3G7H-7745-2CMG

Vulnerability from github – Published: 2022-05-02 03:13 – Updated: 2025-04-09 04:09
VLAI
Details

iChat in Apple Mac OS X 10.5 before 10.5.7 disables SSL for AOL Instant Messenger (AIM) communication in certain circumstances that are inconsistent with the Require SSL setting, which allows remote attackers to obtain sensitive information by sniffing the network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-0152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-05-13T15:30:00Z",
    "severity": "MODERATE"
  },
  "details": "iChat in Apple Mac OS X 10.5 before 10.5.7 disables SSL for AOL Instant Messenger (AIM) communication in certain circumstances that are inconsistent with the Require SSL setting, which allows remote attackers to obtain sensitive information by sniffing the network.",
  "id": "GHSA-3g7h-7745-2cmg",
  "modified": "2025-04-09T04:09:46Z",
  "published": "2022-05-02T03:13:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0152"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50487"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2009/May/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/35074"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT3549"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/34926"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1022212"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-133A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/1297"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3G7R-R3CR-Q6F8

Vulnerability from github – Published: 2024-06-07 15:30 – Updated: 2024-08-14 21:33
VLAI
Details

Netgear WNR614 JNR1010V2/N300-V1.1.0.54_1.0.1 was discovered to store credentials in plaintext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-07T15:15:50Z",
    "severity": "HIGH"
  },
  "details": "Netgear WNR614 JNR1010V2/N300-V1.1.0.54_1.0.1 was discovered to store credentials in plaintext.",
  "id": "GHSA-3g7r-r3cr-q6f8",
  "modified": "2024-08-14T21:33:11Z",
  "published": "2024-06-07T15:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36790"
    },
    {
      "type": "WEB",
      "url": "https://redfoxsec.com/blog/security-advisory-multiple-vulnerabilities-in-netgear-wnr614-router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.