Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-4MWX-89HH-M9VR

Vulnerability from github – Published: 2023-01-09 09:30 – Updated: 2023-01-13 00:30
VLAI
Details

IBM Security Verify Governance 10.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225232.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22470"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-09T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Verify Governance 10.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225232.",
  "id": "GHSA-4mwx-89hh-m9vr",
  "modified": "2023-01-13T00:30:38Z",
  "published": "2023-01-09T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22470"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/225232"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6852697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4P59-P85X-F3WX

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-12-06 21:57
VLAI
Summary
Jenkins Delphix Plugin vulnerable to Cleartext credential storage
Details

Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:delphix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T21:57:01Z",
    "nvd_published_at": "2019-10-16T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
  "id": "GHSA-4p59-p85x-f3wx",
  "modified": "2022-12-06T21:57:01Z",
  "published": "2022-05-24T16:58:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10453"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/delphix-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1450"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Delphix Plugin vulnerable to Cleartext credential storage"
}

GHSA-4Q47-PH87-FQ4F

Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-12-22 13:54
VLAI
Summary
Passwords stored in plain text by Jenkins Artifactory Plugin
Details

Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml. This password can be viewed by users with access to the Jenkins controller file system.

Artifactory Plugin 3.6.0 now stores the Artifactory server password encrypted. This change is effective once the global configuration is saved the next time.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:artifactory"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2164"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-22T13:54:52Z",
    "nvd_published_at": "2020-03-25T17:15:00Z",
    "severity": "LOW"
  },
  "details": "Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file `org.jfrog.hudson.ArtifactoryBuilder.xml`. This password can be viewed by users with access to the Jenkins controller file system.\n\nArtifactory Plugin 3.6.0 now stores the Artifactory server password encrypted. This change is effective once the global configuration is saved the next time.",
  "id": "GHSA-4q47-ph87-fq4f",
  "modified": "2022-12-22T13:54:52Z",
  "published": "2022-05-24T17:12:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2164"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/artifactory-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1542%20(1)"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/03/25/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Passwords stored in plain text by Jenkins Artifactory Plugin"
}

GHSA-4QRM-9H4R-V2FX

Vulnerability from github – Published: 2024-09-03 19:41 – Updated: 2024-09-03 21:45
VLAI
Summary
Tina search token leak via lock file in TinaCMS
Details

Impact

Tina search token leaked via lock file (tina-lock.json) in TinaCMS. Sites building with @tinacms/cli < 1.6.2 that use a search token are impacted.

If your Tina-enabled website has search setup, you should rotate that key immediately.

Patches

This issue has been patched in @tinacms/cli@1.6.2

Workarounds

Upgrading, and rotating search token is required for the proper fix.

References

https://github.com/tinacms/tinacms/pull/4758

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@tinacms/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-03T19:41:59Z",
    "nvd_published_at": "2024-09-03T20:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nTina search token leaked via lock file (tina-lock.json) in TinaCMS. Sites building with @tinacms/cli \u003c 1.6.2 that use a search token are impacted.\n\nIf your Tina-enabled website has search setup, you should rotate that key immediately.\n\n### Patches\nThis issue has been patched in @tinacms/cli@1.6.2\n\n### Workarounds\nUpgrading, and rotating search token is required for the proper fix.\n\n### References\nhttps://github.com/tinacms/tinacms/pull/4758\n",
  "id": "GHSA-4qrm-9h4r-v2fx",
  "modified": "2024-09-03T21:45:34Z",
  "published": "2024-09-03T19:41:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45391"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/pull/4758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tinacms/tinacms/commit/110f1ceea4574d636a64526648f7c8bf6539b26a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tinacms/tinacms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Tina search token leak via lock file in TinaCMS"
}

GHSA-4QWM-996C-W925

Vulnerability from github – Published: 2022-08-27 00:00 – Updated: 2022-09-02 00:01
VLAI
Details

A flaw was found in openstack-tripleo-heat-templates. Plain passwords from RHSM exist in the logs during OSP13 deployment with subscription-manager.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3585"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-26T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in openstack-tripleo-heat-templates. Plain passwords from RHSM exist in the logs during OSP13 deployment with subscription-manager.",
  "id": "GHSA-4qwm-996c-w925",
  "modified": "2022-09-02T00:01:09Z",
  "published": "2022-08-27T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3585"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2021-3585"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/tripleo/+bug/1931132"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1961709"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1968247"
    },
    {
      "type": "WEB",
      "url": "https://review.opendev.org/c/openstack/tripleo-heat-templates/+/791988"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RGC-5G6R-2RJF

Vulnerability from github – Published: 2023-12-12 00:58 – Updated: 2023-12-12 00:58
VLAI
Summary
lakeFS logs S3 credentials in plain text
Details

Impact

S3 credentials are logged in plain text

S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

appears as part of the log message:

time="2023-05-12T13:51:52Z" level=error msg="failed to perform diff" func="pkg/plugins/diff.(*Service).RunDiff" file="build/pkg/plugins/diff/service.go:124" error="rpc error: code = Canceled desc = stream terminated by RST_STREAM with error code: CANCEL" host="localhost:8000" method=GET operation_id=OtfDiff params="{TablePaths:{Left:{Ref:data_load@ Path:aggs/agg_variety/} Right:{Ref:data_load Path:aggs/agg_variety/} Base:{Ref: Path:}} S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Endpoint:http://0.0.0.0:8000} Repo:example}" path="/api/v1/repositories/example/otf/refs/data_load%40/diff/data_load?table_path=aggs%2Fagg_variety%2F&type=delta" request_id=d3b6fdc7-2544-4c12-8e05-376f16e35a80 service_name=rest_api type=delta user=docker

Discovered when investigating #5862

Patches

Has the problem been patched? What versions should users upgrade to?

No

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

disable all logging?

References

Are there any links users can visit to find out more?

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/treeverse/lakefs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.101.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-12T00:58:29Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nS3 credentials are logged in plain text\n\n```\nS3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n```\n\nappears as part of the log message: \n\n```\ntime=\"2023-05-12T13:51:52Z\" level=error msg=\"failed to perform diff\" func=\"pkg/plugins/diff.(*Service).RunDiff\" file=\"build/pkg/plugins/diff/service.go:124\" error=\"rpc error: code = Canceled desc = stream terminated by RST_STREAM with error code: CANCEL\" host=\"localhost:8000\" method=GET operation_id=OtfDiff params=\"{TablePaths:{Left:{Ref:data_load@ Path:aggs/agg_variety/} Right:{Ref:data_load Path:aggs/agg_variety/} Base:{Ref: Path:}} S3Creds:{Key:AKIAIOSFODNN7EXAMPLE Secret:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Endpoint:http://0.0.0.0:8000} Repo:example}\" path=\"/api/v1/repositories/example/otf/refs/data_load%40/diff/data_load?table_path=aggs%2Fagg_variety%2F\u0026type=delta\" request_id=d3b6fdc7-2544-4c12-8e05-376f16e35a80 service_name=rest_api type=delta user=docker\n```\n\nDiscovered when investigating [#5862](https://github.com/treeverse/lakeFS/issues/5862)\n\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nNo\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\ndisable all logging? \n\n### References\n_Are there any links users can visit to find out more?_\n\n",
  "id": "GHSA-4rgc-5g6r-2rjf",
  "modified": "2023-12-12T00:58:29Z",
  "published": "2023-12-12T00:58:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/treeverse/lakeFS/security/advisories/GHSA-4rgc-5g6r-2rjf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/treeverse/lakeFS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lakeFS logs S3 credentials in plain text"
}

GHSA-4RP2-WHVP-25JM

Vulnerability from github – Published: 2022-05-13 01:10 – Updated: 2022-05-13 01:10
VLAI
Details

Amazon AWS SDK <=2.8.5 for Android uses Android SharedPreferences to store plain text AWS STS Temporary Credentials retrieved by AWS Cognito Identity Service. An attacker can use these credentials to create authenticated and/or authorized requests. Note that the attacker must have "root" privilege access to the Android filesystem in order to exploit this vulnerability (i.e. the device has been compromised, such as disabling or bypassing Android's fundamental security mechanisms).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-04T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "Amazon AWS SDK \u003c=2.8.5 for Android uses Android SharedPreferences to store plain text AWS STS Temporary Credentials retrieved by AWS Cognito Identity Service. An attacker can use these credentials to create authenticated and/or authorized requests. Note that the attacker must have \"root\" privilege access to the Android filesystem in order to exploit this vulnerability (i.e. the device has been compromised, such as disabling or bypassing Android\u0027s fundamental security mechanisms).",
  "id": "GHSA-4rp2-whvp-25jm",
  "modified": "2022-05-13T01:10:20Z",
  "published": "2022-05-13T01:10:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19981"
    },
    {
      "type": "WEB",
      "url": "https://aws-amplify.github.io/aws-sdk-android/docs/reference/com/amazonaws/auth/CognitoCachingCredentialsProvider.html"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulns/aws/aws_sdk_sp_01.png"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulns/aws/aws_sdk_sp_02.png"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/lorenzodifuccia/cloudflare/master/Images/vulns/aws/aws_sdk_sp_03.png"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4V3C-22G9-X3JM

Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2023-03-03 21:30
VLAI
Details

IBM Maximo Asset Management 7.6 could allow a an authenticated user to replace a target page with a phishing site which could allow the attacker to obtain highly sensitive information. IBM X-Force ID: 155554.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-2028"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-06T01:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Maximo Asset Management 7.6 could allow a an authenticated user to replace a target page with a phishing site which could allow the attacker to obtain highly sensitive information. IBM X-Force ID: 155554.",
  "id": "GHSA-4v3c-22g9-x3jm",
  "modified": "2023-03-03T21:30:18Z",
  "published": "2022-05-24T16:47:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-2028"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/155554"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10880145"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4VFM-9FHJ-8C5X

Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2022-05-24 17:20
VLAI
Details

An issue was discovered in the stashcat app through 3.9.2 for macOS, Windows, Android, iOS, and possibly other platforms. It stores the client_key, the device_id, and the public key for end-to-end encryption in cleartext, enabling an attacker (by copying or having access to the local storage database file) to login to the system from any other computer, and get unlimited access to all data in the users's context.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-17T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the stashcat app through 3.9.2 for macOS, Windows, Android, iOS, and possibly other platforms. It stores the client_key, the device_id, and the public key for end-to-end encryption in cleartext, enabling an attacker (by copying or having access to the local storage database file) to login to the system from any other computer, and get unlimited access to all data in the users\u0027s context.",
  "id": "GHSA-4vfm-9fhj-8c5x",
  "modified": "2022-05-24T17:20:46Z",
  "published": "2022-05-24T17:20:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13637"
    },
    {
      "type": "WEB",
      "url": "http://www.jvanlaak.de/stashcat.html"
    },
    {
      "type": "WEB",
      "url": "http://www.jvanlaak.de/stashcat_CWE_312_200527.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4VRP-PMWP-P4H4

Vulnerability from github – Published: 2025-04-23 18:30 – Updated: 2025-04-23 18:30
VLAI
Details

BEC Technologies Multiple Routers Cleartext Password Storage Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of BEC Technologies routers. Authentication is required to exploit this vulnerability.

The specific flaw exists within the web-based user interface. The issue results from storing credentials in a recoverable format. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-25986.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-23T17:16:55Z",
    "severity": "MODERATE"
  },
  "details": "BEC Technologies Multiple Routers Cleartext Password Storage Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of BEC Technologies routers. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the web-based user interface. The issue results from storing credentials in a recoverable format. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-25986.",
  "id": "GHSA-4vrp-pmwp-p4h4",
  "modified": "2025-04-23T18:30:59Z",
  "published": "2025-04-23T18:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2770"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-186"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.