CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-45V6-9X5V-7H9M
Vulnerability from github – Published: 2025-10-14 18:30 – Updated: 2025-10-14 18:30Cleartext storage of sensitive information in Windows Kernel allows an unauthorized attacker to bypass a security feature locally.
{
"affected": [],
"aliases": [
"CVE-2025-55334"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T17:15:46Z",
"severity": "MODERATE"
},
"details": "Cleartext storage of sensitive information in Windows Kernel allows an unauthorized attacker to bypass a security feature locally.",
"id": "GHSA-45v6-9x5v-7h9m",
"modified": "2025-10-14T18:30:30Z",
"published": "2025-10-14T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55334"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55334"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-45W9-4PGF-X3FR
Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 00:00HCL Launch may store certain data for recurring activities in a plain text format.
{
"affected": [],
"aliases": [
"CVE-2022-27549"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-06T21:15:00Z",
"severity": "MODERATE"
},
"details": "HCL Launch may store certain data for recurring activities in a plain text format.",
"id": "GHSA-45w9-4pgf-x3fr",
"modified": "2022-07-15T00:00:17Z",
"published": "2022-07-07T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27549"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0099254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4685-5233-G3FQ
Vulnerability from github – Published: 2022-04-20 00:00 – Updated: 2022-04-28 00:00IBM Security Guardium 10.5 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215589.
{
"affected": [],
"aliases": [
"CVE-2021-39078"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-19T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Guardium 10.5 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215589.",
"id": "GHSA-4685-5233-g3fq",
"modified": "2022-04-28T00:00:42Z",
"published": "2022-04-20T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39078"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/215589"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6572983"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-468W-RC5F-76WX
Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-17 00:00Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice
{
"affected": [],
"aliases": [
"CVE-2022-37401"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-326",
"CWE-331"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-15T11:21:00Z",
"severity": "HIGH"
},
"details": "Apache OpenOffice supports the storage of passwords for web connections in the user\u0027s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice",
"id": "GHSA-468w-rc5f-76wx",
"modified": "2022-08-17T00:00:22Z",
"published": "2022-08-16T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37401"
},
{
"type": "WEB",
"url": "https://www.openoffice.org/security/cves/CVE-2022-37401.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/08/13/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-46G7-VHP2-8MJ6
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2022-11-04 19:01"IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, 11.3, and 11.4 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215587."
{
"affected": [],
"aliases": [
"CVE-2021-39077"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "\"IBM Security Guardium 10.5, 10.6, 11.0, 11.1, 11.2, 11.3, and 11.4 stores user credentials in plain clear text which can be read by a local privileged user. IBM X-Force ID: 215587.\"",
"id": "GHSA-46g7-vhp2-8mj6",
"modified": "2022-11-04T19:01:16Z",
"published": "2022-11-04T12:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39077"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/215587"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6831647"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-46M4-W92R-69HM
Vulnerability from github – Published: 2026-02-09 15:30 – Updated: 2026-06-05 09:33Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data.This issue affects Senseway: through 09022026.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-10464"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-09T13:15:50Z",
"severity": "MODERATE"
},
"details": "Insecure Storage of Sensitive Information vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Retrieve Embedded Sensitive Data.This issue affects Senseway: through 09022026.\n\nNOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-46m4-w92r-69hm",
"modified": "2026-06-05T09:33:45Z",
"published": "2026-02-09T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10464"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0022"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-26-0022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-46Q2-6XFQ-6Q9P
Vulnerability from github – Published: 2024-09-11 18:31 – Updated: 2024-09-11 18:31A problem with the ActiveMQ integration for both Cortex XSOAR and Cortex XSIAM can result in the cleartext exposure of the configured ActiveMQ credentials in log bundles.
{
"affected": [],
"aliases": [
"CVE-2024-8689"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-11T17:15:14Z",
"severity": "MODERATE"
},
"details": "A problem with the ActiveMQ integration for both Cortex XSOAR and Cortex XSIAM can result in the cleartext exposure of the configured ActiveMQ credentials in log bundles.",
"id": "GHSA-46q2-6xfq-6q9p",
"modified": "2024-09-11T18:31:08Z",
"published": "2024-09-11T18:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8689"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2024-8689"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-46VW-42GH-2HF4
Vulnerability from github – Published: 2025-08-12 12:30 – Updated: 2025-08-12 12:30A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices store the password for the SMTP account as plain text. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes.
{
"affected": [],
"aliases": [
"CVE-2025-40752"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T12:15:36Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions \u003e= V2.60 \u003c V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions \u003e= V2.60 \u003c V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions \u003e= V2.60 \u003c V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions \u003e= V2.60 \u003c V2.62), POWER METER SICAM Q200 family (All versions \u003e= V2.70 \u003c V2.80). Affected devices store the password for the SMTP account as plain text. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes.",
"id": "GHSA-46vw-42gh-2hf4",
"modified": "2025-08-12T12:30:33Z",
"published": "2025-08-12T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40752"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-529291.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-474Q-VP74-243Q
Vulnerability from github – Published: 2022-05-13 01:16 – Updated: 2025-05-22 18:31Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI.
{
"affected": [],
"aliases": [
"CVE-2018-18984"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-14T15:29:00Z",
"severity": "MODERATE"
},
"details": "Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI.",
"id": "GHSA-474q-vp74-243q",
"modified": "2025-05-22T18:31:09Z",
"published": "2022-05-13T01:16:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18984"
},
{
"type": "WEB",
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins/carelink-9790-2090-29901.html"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-347-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106215"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-47G9-557V-5C66
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37IBM Security Secret Server 10.6 stores potentially sensitive information in config files that could be read by an authenticated user. IBM X-Force ID: 190048.
{
"affected": [],
"aliases": [
"CVE-2020-4843"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-21T18:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Secret Server 10.6 stores potentially sensitive information in config files that could be read by an authenticated user. IBM X-Force ID: 190048.",
"id": "GHSA-47g9-557v-5c66",
"modified": "2022-05-24T17:37:11Z",
"published": "2022-05-24T17:37:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4843"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190048"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6250375"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.