CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-5C2R-F52F-MQ7P
Vulnerability from github – Published: 2024-11-26 09:30 – Updated: 2025-11-04 18:31User passwords are decrypted and stored on memory before any user logged in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].
{
"affected": [],
"aliases": [
"CVE-2024-29146"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T08:15:05Z",
"severity": "MODERATE"
},
"details": "User passwords are decrypted and stored on memory before any user logged in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].",
"id": "GHSA-5c2r-f52f-mq7p",
"modified": "2025-11-04T18:31:30Z",
"published": "2024-11-26T09:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29146"
},
{
"type": "WEB",
"url": "https://global.sharp/products/copier/info/info_security_2024-05.html"
},
{
"type": "WEB",
"url": "https://jp.sharp/business/print/information/info_security_2024-05.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU93051062"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html"
},
{
"type": "WEB",
"url": "https://www.toshibatec.co.jp/information/20240531_02.html"
},
{
"type": "WEB",
"url": "https://www.toshibatec.com/information/20240531_02.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5CJR-MRQ7-Q7WQ
Vulnerability from github – Published: 2024-01-09 03:30 – Updated: 2024-01-12 21:30TP-Link Tapo APK up to v2.12.703 uses hardcoded credentials for access to the login panel.
{
"affected": [],
"aliases": [
"CVE-2023-27098"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-09T02:15:44Z",
"severity": "HIGH"
},
"details": "TP-Link Tapo APK up to v2.12.703 uses hardcoded credentials for access to the login panel.",
"id": "GHSA-5cjr-mrq7-q7wq",
"modified": "2024-01-12T21:30:18Z",
"published": "2024-01-09T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27098"
},
{
"type": "WEB",
"url": "https://github.com/c0d3x27/CVEs/tree/main/CVE-2023-27098"
},
{
"type": "WEB",
"url": "https://www.tp-link.com/support/contact-technical-support/#LiveChat-Support"
},
{
"type": "WEB",
"url": "http://tp-lin.com"
},
{
"type": "WEB",
"url": "http://tp-link.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5F2H-GXRX-J654
Vulnerability from github – Published: 2024-08-02 12:31 – Updated: 2025-11-04 00:31A vulnerability has been identified in Omnivise T3000 Application Server (All versions), Omnivise T3000 Domain Controller (All versions), Omnivise T3000 Network Intrusion Detection System (NIDS) (All versions), Omnivise T3000 Product Data Management (PDM) (All versions), Omnivise T3000 Security Server (All versions), Omnivise T3000 Terminal Server (All versions), Omnivise T3000 Thin Client (All versions), Omnivise T3000 Whitelisting Server (All versions). The affected devices stores initial system credentials without sufficient protection. An attacker with remote shell access or physical access could retrieve the credentials leading to confidentiality loss allowing the attacker to laterally move within the affected network.
{
"affected": [],
"aliases": [
"CVE-2024-38877"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-02T11:16:41Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Omnivise\u00a0T3000 Application Server (All versions), Omnivise T3000 Domain Controller (All versions), Omnivise T3000 Network Intrusion Detection System (NIDS) (All versions), Omnivise T3000 Product Data Management (PDM) (All versions), Omnivise T3000 Security Server (All versions), Omnivise\u00a0T3000 Terminal Server (All versions), Omnivise T3000 Thin Client (All versions), Omnivise T3000 Whitelisting Server (All versions). The affected devices stores initial system credentials without sufficient protection. An attacker with remote shell access or physical access could retrieve the credentials leading to confidentiality loss allowing the attacker to laterally move within the affected network.",
"id": "GHSA-5f2h-gxrx-j654",
"modified": "2025-11-04T00:31:10Z",
"published": "2024-08-02T12:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38877"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-857368.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5FXV-93PC-G3CM
Vulnerability from github – Published: 2022-05-24 17:38 – Updated: 2022-05-24 17:38Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X & T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
{
"affected": [],
"aliases": [
"CVE-2020-29501"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-05T22:15:00Z",
"severity": "MODERATE"
},
"details": "Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a Plain-Text Password Storage Vulnerability in PowerStore X \u0026 T environments. A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.",
"id": "GHSA-5fxv-93pc-g3cm",
"modified": "2022-05-24T17:38:01Z",
"published": "2022-05-24T17:38:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29501"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000180775"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5H92-393W-8JC6
Vulnerability from github – Published: 2024-07-25 12:32 – Updated: 2024-07-25 12:32Plaintext vulnerability in the Gallery search module. Impact: Successful exploitation of this vulnerability will affect availability.
{
"affected": [],
"aliases": [
"CVE-2024-39674"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-25T12:15:03Z",
"severity": "MODERATE"
},
"details": "Plaintext vulnerability in the Gallery search module.\nImpact: Successful exploitation of this vulnerability will affect availability.",
"id": "GHSA-5h92-393w-8jc6",
"modified": "2024-07-25T12:32:02Z",
"published": "2024-07-25T12:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39674"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5HGV-M339-HWV4
Vulnerability from github – Published: 2024-12-11 03:31 – Updated: 2024-12-11 03:31IBM OpenPages with Watson 9.0 may write sensitive information, under specific configurations, in clear text to the system tracing log files that could be obtained by a privileged user.
{
"affected": [],
"aliases": [
"CVE-2024-35117"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-11T02:15:05Z",
"severity": "MODERATE"
},
"details": "IBM OpenPages with Watson 9.0 may write sensitive information, under specific configurations, in clear text to the system tracing log files that could be obtained by a privileged user.",
"id": "GHSA-5hgv-m339-hwv4",
"modified": "2024-12-11T03:31:58Z",
"published": "2024-12-11T03:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35117"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7165392"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5HHG-Q22C-6G39
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2023-10-26 22:29Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:port-allocator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10350"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-26T22:29:25Z",
"nvd_published_at": "2019-07-11T14:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Port Allocator Plugin stores credentials unencrypted in job `config.xml` files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-5hhg-q22c-6g39",
"modified": "2023-10-26T22:29:25Z",
"published": "2022-05-24T16:50:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10350"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1441"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/07/11/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Port Allocator Plugin stores credentials in plain text"
}
GHSA-5J38-56HC-67J7
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45IBM UrbanCode Deploy (UCD) 7.0.3.0, 7.0.4.0, 7.0.5.3, 7.0.5.4, 7.1.0.0, 7.1.1.0, 7.1.1.1, and 7.1.1.2, stores keystore passwords in plain in plain text after a manuel edit, which can be read by a local user. IBM X-Force ID: 191944.
{
"affected": [],
"aliases": [
"CVE-2020-4944"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-30T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM UrbanCode Deploy (UCD) 7.0.3.0, 7.0.4.0, 7.0.5.3, 7.0.5.4, 7.1.0.0, 7.1.1.0, 7.1.1.1, and 7.1.1.2, stores keystore passwords in plain in plain text after a manuel edit, which can be read by a local user. IBM X-Force ID: 191944.",
"id": "GHSA-5j38-56hc-67j7",
"modified": "2022-05-24T17:45:42Z",
"published": "2022-05-24T17:45:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4944"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/191944"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6437567"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5J75-MF86-7H39
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary.
{
"affected": [],
"aliases": [
"CVE-2017-3214"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-20T00:29:00Z",
"severity": "HIGH"
},
"details": "The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary.",
"id": "GHSA-5j75-mf86-7h39",
"modified": "2022-05-13T01:26:23Z",
"published": "2022-05-13T01:26:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3214"
},
{
"type": "WEB",
"url": "https://duo.com/blog/bug-hunting-drilling-into-the-internet-of-things-iot"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5JW2-VQXM-5FMX
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2026-42408"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T16:16:47Z",
"severity": "MODERATE"
},
"details": "When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged authenticated attacker to view sensitive information.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-5jw2-vqxm-5fmx",
"modified": "2026-05-13T18:30:56Z",
"published": "2026-05-13T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42408"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000157981"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.