Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-54CW-RVR3-W6CX

Vulnerability from github – Published: 2023-04-12 18:30 – Updated: 2023-04-12 20:43
VLAI
Summary
Jenkins Consul KV Builder Plugin stores HashiCorp Consul ACL Token unencrypted
Details

Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:consul-kv-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30531"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-12T20:43:41Z",
    "nvd_published_at": "2023-04-12T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file `org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml` on the Jenkins controller as part of its configuration.\n\nThis token can be viewed by users with access to the Jenkins controller file system.\n\nAdditionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.",
  "id": "GHSA-54cw-rvr3-w6cx",
  "modified": "2023-04-12T20:43:41Z",
  "published": "2023-04-12T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30531"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2944"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/04/13/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Consul KV Builder Plugin stores HashiCorp Consul ACL Token unencrypted"
}

GHSA-54VR-FJ39-37MX

Vulnerability from github – Published: 2025-11-14 18:31 – Updated: 2025-11-14 21:30
VLAI
Details

A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There is Exposure of Sensitive Information because of Incompatible Policies.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-14T18:15:48Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in the Application Server of Desktop Alert PingAlert version 6.1.0.11 to 6.1.1.2. There is Exposure of Sensitive Information because of Incompatible Policies.",
  "id": "GHSA-54vr-fj39-37mx",
  "modified": "2025-11-14T21:30:28Z",
  "published": "2025-11-14T18:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54342"
    },
    {
      "type": "WEB",
      "url": "https://desktopalert.net"
    },
    {
      "type": "WEB",
      "url": "https://desktopalert.net/cve-2025-54342"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5534-3QGP-MMMX

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38
VLAI
Details

IBM Security Guardium Insights 2.0.2 stores user credentials in plain in clear text which can be read by a local privileged user. IBM X-Force ID: 184861.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-13T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Guardium Insights 2.0.2 stores user credentials in plain in clear text which can be read by a local privileged user. IBM X-Force ID: 184861.",
  "id": "GHSA-5534-3qgp-mmmx",
  "modified": "2022-05-24T17:38:59Z",
  "published": "2022-05-24T17:38:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4604"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/184881"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6403463"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5557-V6F7-673V

Vulnerability from github – Published: 2026-01-08 00:31 – Updated: 2026-01-08 00:31
VLAI
Details

FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device's SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-08T00:15:58Z",
    "severity": "MODERATE"
  },
  "details": "FaceSentry Access Control System 6.4.8 contains a cleartext password storage vulnerability that allows attackers to access unencrypted credentials in the device\u0027s SQLite database. Attackers can directly read sensitive login information stored in /faceGuard/database/FaceSentryWeb.sqlite without additional authentication.",
  "id": "GHSA-5557-v6f7-673v",
  "modified": "2026-01-08T00:31:14Z",
  "published": "2026-01-08T00:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25279"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/163190"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/153501"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5529.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-55VQ-XPJF-R2XC

Vulnerability from github – Published: 2023-04-27 21:30 – Updated: 2025-09-30 18:53
VLAI
Summary
Lightbend Alpakka Kafka logs credentials on debug level
Details

Lightbend Alpakka Kafka before 4.0.2 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-stream-kafka_3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-stream-kafka_2.13"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-stream-kafka_2.12"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 4.0.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.typesafe.akka:akka-stream-kafka_2.11"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29471"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-27T23:53:28Z",
    "nvd_published_at": "2023-04-27T21:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Lightbend Alpakka Kafka before 4.0.2 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.",
  "id": "GHSA-55vq-xpjf-r2xc",
  "modified": "2025-09-30T18:53:16Z",
  "published": "2023-04-27T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29471"
    },
    {
      "type": "WEB",
      "url": "https://github.com/akka/alpakka-kafka/issues/1592"
    },
    {
      "type": "WEB",
      "url": "https://github.com/akka/alpakka-kafka/pull/1614/commits/4011b704e93b22f6fd956aac516c7159d384644c"
    },
    {
      "type": "WEB",
      "url": "https://akka.io/security/alpakka-kafka-cve-2023-29471.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/akka/alpakka-kafka"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Lightbend Alpakka Kafka logs credentials on debug level"
}

GHSA-573V-9J9R-XM6W

Vulnerability from github – Published: 2024-09-13 18:31 – Updated: 2024-09-13 18:31
VLAI
Details

The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encryption were insecurely stored, which could be abused to possibly change or remove the server configuration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-13T17:15:11Z",
    "severity": "MODERATE"
  },
  "details": "The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encryption were insecurely stored, which could be abused to possibly change or remove the server configuration.",
  "id": "GHSA-573v-9j9r-xm6w",
  "modified": "2024-09-13T18:31:47Z",
  "published": "2024-09-13T18:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31415"
    },
    {
      "type": "WEB",
      "url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1008.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5745-C668-F862

Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38
VLAI
Details

Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-05T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X \u0026 T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.",
  "id": "GHSA-5745-c668-f862",
  "modified": "2022-05-24T17:38:01Z",
  "published": "2022-05-24T17:38:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29502"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000180775"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-594C-9JX7-C63X

Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2022-05-26 00:01
VLAI
Details

IBM Spectrum Protect Operations Center 8.1.12 and 8.1.13 could allow a local attacker to obtain sensitive information, caused by plain text user account passwords potentially being stored in the browser's application command history. By accessing browser history, an attacker could exploit this vulnerability to obtain other user accounts' passwords. IBM X-Force ID: 226322.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-17T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Spectrum Protect Operations Center 8.1.12 and 8.1.13 could allow a local attacker to obtain sensitive information, caused by plain text user account passwords potentially being stored in the browser\u0027s application command history. By accessing browser history, an attacker could exploit this vulnerability to obtain other user accounts\u0027 passwords. IBM X-Force ID: 226322.",
  "id": "GHSA-594c-9jx7-c63x",
  "modified": "2022-05-26T00:01:25Z",
  "published": "2022-05-18T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22484"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/226322"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6586314"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5975-C4RR-XPWG

Vulnerability from github – Published: 2022-03-05 00:00 – Updated: 2022-03-17 00:03
VLAI
Details

" Insecure password storage issue.The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Since the information is stored in cleartext, attackers could potentially read it and gain access to sensitive information."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-04T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "\" Insecure password storage issue.The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Since the information is stored in cleartext, attackers could potentially read it and gain access to sensitive information.\"",
  "id": "GHSA-5975-c4rr-xpwg",
  "modified": "2022-03-17T00:03:21Z",
  "published": "2022-03-05T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27757"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0095303"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59JX-M3C4-2M9W

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2025-10-22 00:32
VLAI
Details

Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29583"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-22T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.",
  "id": "GHSA-59jx-m3c4-2m9w",
  "modified": "2025-10-22T00:32:01Z",
  "published": "2022-05-24T17:37:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29583"
    },
    {
      "type": "WEB",
      "url": "https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release"
    },
    {
      "type": "WEB",
      "url": "https://businessforum.zyxel.com/discussion/5254/whats-new-for-zld4-60-patch-1-available-on-dec-15"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-29583"
    },
    {
      "type": "WEB",
      "url": "https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html"
    },
    {
      "type": "WEB",
      "url": "https://www.secpod.com/blog/a-secret-zyxel-firewall-and-ap-controllers-could-allow-for-administrative-access-cve-2020-29583"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/support/CVE-2020-29583.shtml"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/support/security_advisories.shtml"
    },
    {
      "type": "WEB",
      "url": "http://ftp.zyxel.com/USG40/firmware/USG40_4.60%28AALA.1%29C0_2.pdf"
    },
    {
      "type": "WEB",
      "url": "http://ftp.zyxel.com/USG40/firmware/USG40_4.60(AALA.1)C0_2.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.