CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-4W46-W44M-3JQ3
Vulnerability from github – Published: 2020-12-28 16:33 – Updated: 2021-01-07 22:32Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26288"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2020-12-28T16:32:50Z",
"nvd_published_at": "2020-12-30T20:15:00Z",
"severity": "LOW"
},
"details": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js.\nIn Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext.\nThis is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage.",
"id": "GHSA-4w46-w44m-3jq3",
"modified": "2021-01-07T22:32:25Z",
"published": "2020-12-28T16:33:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26288"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/releases/tag/4.5.0"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/1593"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Parse Server stores password in plain text"
}
GHSA-4WW8-FPRQ-CQ34
Vulnerability from github – Published: 2024-08-22 09:30 – Updated: 2024-08-23 21:17Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact remote users' original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.9.0"
},
{
"fixed": "9.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.5.0"
},
{
"fixed": "9.5.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.10.0"
},
{
"fixed": "9.10.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "9.8.0"
},
{
"fixed": "9.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-32939"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-23T21:17:12Z",
"nvd_published_at": "2024-08-22T07:15:03Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 9.9.x \u003c= 9.9.1, 9.5.x \u003c= 9.5.7, 9.10.x \u003c= 9.10.0, 9.8.x \u003c= 9.8.2, when shared channels are enabled, fail to redact remote users\u0027 original email addresses stored in user props when email addresses are otherwise configured not to be visible in the local server.",
"id": "GHSA-4ww8-fprq-cq34",
"modified": "2024-08-23T21:17:12Z",
"published": "2024-08-22T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32939"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mattermost doesn\u0027t redact remote users\u0027 original email addresses"
}
GHSA-4WX5-C723-XVWV
Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2022-12-16 23:00Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Copr Plugin 0.6.1 stores these credentials encrypted. This change is effective once the job configuration is saved the next time.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3"
},
"package": {
"ecosystem": "Maven",
"name": "org.fedoraproject.jenkins.plugins:copr"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2177"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-16T23:00:33Z",
"nvd_published_at": "2020-04-16T19:15:00Z",
"severity": "MODERATE"
},
"details": "Copr Plugin 0.3 and earlier stores credentials unencrypted in job `config.xml` files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.\n\nCopr Plugin 0.6.1 stores these credentials encrypted. This change is effective once the job configuration is saved the next time.",
"id": "GHSA-4wx5-c723-xvwv",
"modified": "2022-12-16T23:00:33Z",
"published": "2022-05-24T17:15:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2177"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/copr-plugin/commit/23ea581364d64645cd90d2c5d97a4b94781f61f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/copr-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-04-16/#SECURITY-1556"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/04/16/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Credentials stored in plain text by Jenkins Copr Plugin"
}
GHSA-4X65-4FJX-R7M6
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-03 20:39Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:github-pr-coverage-status"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24442"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-27T01:03:17Z",
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "MODERATE"
},
"details": "Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.",
"id": "GHSA-4x65-4fjx-r7m6",
"modified": "2023-02-03T20:39:15Z",
"published": "2023-01-26T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24442"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2767"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Plaintext storage of Access Token in Jenkins GitHub Pull Request Coverage Status Plugin"
}
GHSA-4X99-8PJ6-G63H
Vulnerability from github – Published: 2023-08-31 03:30 – Updated: 2024-04-04 07:18Brocade SANnav before v2.3.0 and v2.2.2a stores SNMPv3 Authentication passwords in plaintext. A privileged user could retrieve these credentials with knowledge and access to these log files. SNMP credentials could be seen in SANnav SupportSave if the capture is performed after an SNMP configuration failure causes an SNMP communication log dump.
{
"affected": [],
"aliases": [
"CVE-2023-31925"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T01:15:08Z",
"severity": "MODERATE"
},
"details": "Brocade\n SANnav before v2.3.0 and v2.2.2a stores SNMPv3 Authentication passwords\n in plaintext. A privileged user could retrieve these credentials with \nknowledge and access to these log files. SNMP \ncredentials could be seen in SANnav SupportSave if the capture is \nperformed after an SNMP configuration failure causes an SNMP \ncommunication log dump.\n\n\n",
"id": "GHSA-4x99-8pj6-g63h",
"modified": "2024-04-04T07:18:19Z",
"published": "2023-08-31T03:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31925"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22506"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4XHV-QC2F-6267
Vulnerability from github – Published: 2024-06-29 21:30 – Updated: 2024-11-25 21:30NewPass before 1.2.0 stores passwords (rather than password hashes) directly, which makes it easier to obtain unauthorized access to sensitive information. NOTE: in each case, data at rest is encrypted, but is decrypted within process memory during use.
{
"affected": [],
"aliases": [
"CVE-2024-39846"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-29T21:15:09Z",
"severity": "LOW"
},
"details": "NewPass before 1.2.0 stores passwords (rather than password hashes) directly, which makes it easier to obtain unauthorized access to sensitive information. NOTE: in each case, data at rest is encrypted, but is decrypted within process memory during use.",
"id": "GHSA-4xhv-qc2f-6267",
"modified": "2024-11-25T21:30:48Z",
"published": "2024-06-29T21:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39846"
},
{
"type": "WEB",
"url": "https://github.com/6eero/NewPass/commit/13f0a844d64927450fa751deb7cc06beba699720"
},
{
"type": "WEB",
"url": "https://github.com/6eero/NewPass/releases/tag/v1.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4XQV-47RM-37MM
Vulnerability from github – Published: 2024-10-02 19:29 – Updated: 2024-11-13 23:24Summary
OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128).
Note: This CVE only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition
Impact
This issue may lead to Information Disclosure.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "openc3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.19.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@openc3/tool-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.19.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "openc3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.19.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47529"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-02T19:29:35Z",
"nvd_published_at": "2024-10-02T20:15:11Z",
"severity": "MODERATE"
},
"details": "### Summary\nOpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128).\n\nNote: This CVE only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition\n\n### Impact\nThis issue may lead to Information Disclosure.",
"id": "GHSA-4xqv-47rm-37mm",
"modified": "2024-11-13T23:24:16Z",
"published": "2024-10-02T19:29:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-4xqv-47rm-37mm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47529"
},
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/commit/b5ab34fe7fa54c0c8171c4aa3caf4e03d6f63bd7"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenC3/cosmos"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/openc3/PYSEC-2024-121.yaml"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2024-127_GHSL-2024-129_OpenC3_COSMOS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenC3 stores passwords in clear text (`GHSL-2024-129`)"
}
GHSA-52G9-8355-62QV
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2023-12-31 15:30If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice's default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. This issue affects: LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior to 6.4.3.
{
"affected": [],
"aliases": [
"CVE-2020-12801"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-18T15:15:00Z",
"severity": "MODERATE"
},
"details": "If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice\u0027s default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. This issue affects: LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior to 6.4.3.",
"id": "GHSA-52g9-8355-62qv",
"modified": "2023-12-31T15:30:24Z",
"published": "2022-05-24T17:18:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12801"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html"
},
{
"type": "WEB",
"url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00011.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-53G5-CHM2-F34R
Vulnerability from github – Published: 2024-03-25 15:30 – Updated: 2024-08-01 21:31An issue in axonaut v.3.1.23 and before allows a remote attacker to obtain sensitive information via the log.txt component.
{
"affected": [],
"aliases": [
"CVE-2024-28387"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-25T14:15:09Z",
"severity": "HIGH"
},
"details": "An issue in axonaut v.3.1.23 and before allows a remote attacker to obtain sensitive information via the log.txt component.",
"id": "GHSA-53g5-chm2-f34r",
"modified": "2024-08-01T21:31:39Z",
"published": "2024-03-25T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28387"
},
{
"type": "WEB",
"url": "https://axonaut.com/integration/detail/prestashop"
},
{
"type": "WEB",
"url": "https://security.friendsofpresta.org/modules/2024/03/19/axonaut.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-544J-92PR-W749
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20IBM MQ 7.5, 8.0, 9.0 LTS, 9.1 CD, and 9.1 LTS stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 211403.
{
"affected": [],
"aliases": [
"CVE-2021-38949"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-16T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM MQ 7.5, 8.0, 9.0 LTS, 9.1 CD, and 9.1 LTS stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 211403.",
"id": "GHSA-544j-92pr-w749",
"modified": "2022-05-24T19:20:48Z",
"published": "2022-05-24T19:20:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38949"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/211403"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6516424"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.