CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-5M8F-V3GW-H94W
Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2023-10-27 16:52Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. Support Core Plugin 2.79.1 adds a list of keywords whose associated values are redacted.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:support-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.79.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25187"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-312",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-27T21:24:40Z",
"nvd_published_at": "2022-02-15T17:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. Support Core Plugin 2.79.1 adds a list of keywords whose associated values are redacted.",
"id": "GHSA-5m8f-v3gw-h94w",
"modified": "2023-10-27T16:52:02Z",
"published": "2022-02-16T00:01:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25187"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/support-core-plugin/commit/c6d20da4f372f03bd3e4844f0df2f109df68a63c"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/support-core-plugin/commit/e90487a87bc0a3445c887203f5badec17af905c5"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/support-core-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2186"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Support Core Plugin stores sensitive data in plain text"
}
GHSA-5PRQ-GJQM-96R8
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-10-07 18:15A vulnerability was found in business-central, as shipped in rhdm-7.5.1 and rhpam-7.5.1, where encoded passwords are stored in errai_security_context. The encoding used for storing the passwords is Base64, not an encryption algorithm, and any recovery of these passwords could lead to user passwords being exposed.
{
"affected": [],
"aliases": [
"CVE-2019-14886"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-05T18:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in business-central, as shipped in rhdm-7.5.1 and rhpam-7.5.1, where encoded passwords are stored in errai_security_context. The encoding used for storing the passwords is Base64, not an encryption algorithm, and any recovery of these passwords could lead to user passwords being exposed.",
"id": "GHSA-5prq-gjqm-96r8",
"modified": "2022-10-07T18:15:56Z",
"published": "2022-05-24T17:10:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14886"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14886"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/?utm_medium=email\u0026utm_source=footer#!msg/jbpm-usage/74pSuwfGKRU/0oXpmRScBQAJ"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/?utm_medium=email\u0026utm_source=footer#%21msg/jbpm-usage/74pSuwfGKRU/0oXpmRScBQAJ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5PVG-8R46-4JQJ
Vulnerability from github – Published: 2025-10-10 09:30 – Updated: 2025-10-10 09:30Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access backup data from applications. User interaction is required for triggering this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-21060"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-10T07:15:41Z",
"severity": "MODERATE"
},
"details": "Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access backup data from applications. User interaction is required for triggering this vulnerability.",
"id": "GHSA-5pvg-8r46-4jqj",
"modified": "2025-10-10T09:30:48Z",
"published": "2025-10-10T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21060"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2025\u0026month=10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5Q2Q-3PX6-4458
Vulnerability from github – Published: 2023-08-14 15:33 – Updated: 2024-04-04 06:55An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. System password information could optionally be stored in cleartext, which might lead to possible information disclosure.
{
"affected": [],
"aliases": [
"CVE-2023-31041"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-14T15:15:12Z",
"severity": "HIGH"
},
"details": "An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. System password information could optionally be stored in cleartext, which might lead to possible information disclosure.",
"id": "GHSA-5q2q-3px6-4458",
"modified": "2024-04-04T06:55:02Z",
"published": "2023-08-14T15:33:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31041"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge/SA-2023047"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5QM4-CM2H-3CGF
Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-07-13 00:01When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid.
{
"affected": [],
"aliases": [
"CVE-2021-38150"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-14T12:15:00Z",
"severity": "MODERATE"
},
"details": "When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid.",
"id": "GHSA-5qm4-cm2h-3cgf",
"modified": "2022-07-13T00:01:34Z",
"published": "2022-05-24T19:14:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38150"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3060621"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5R46-4F86-PMC5
Vulnerability from github – Published: 2022-08-03 00:00 – Updated: 2022-08-09 00:00Lanling OA Landray Office Automation (OA) internal patch number #133383/#137780 contains an arbitrary file read vulnerability via the component /sys/ui/extend/varkind/custom.jsp.
{
"affected": [],
"aliases": [
"CVE-2022-34924"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-02T20:15:00Z",
"severity": "HIGH"
},
"details": "Lanling OA Landray Office Automation (OA) internal patch number #133383/#137780 contains an arbitrary file read vulnerability via the component /sys/ui/extend/varkind/custom.jsp.",
"id": "GHSA-5r46-4f86-pmc5",
"modified": "2022-08-09T00:00:27Z",
"published": "2022-08-03T00:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34924"
},
{
"type": "WEB",
"url": "https://codeantenna.com/a/DXQfemaZEH"
},
{
"type": "WEB",
"url": "https://developpaper.com/lanling-oa-foreground-arbitrary-file-reading-vulnerability-exploitation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5RC5-4C5C-4CWX
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2023-10-26 23:07Jenkins View26 Test-Reporting Plugin stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:view26"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10452"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-26T23:07:40Z",
"nvd_published_at": "2019-10-16T14:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins View26 Test-Reporting Plugin stores an access token unencrypted in job `config.xml` files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system.\n\nAs of publication of this advisory there is no fix.",
"id": "GHSA-5rc5-4c5c-4cwx",
"modified": "2023-10-26T23:07:40Z",
"published": "2022-05-24T16:58:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10452"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1440"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins View26 Test-Reporting Plugin stores access token in plain text"
}
GHSA-5RGV-V326-94H6
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response sent over an encrypted channel. This issue does not affect Rapid7 Komand version 0.42.0 and later versions.
{
"affected": [],
"aliases": [
"CVE-2018-5559"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-28T19:29:00Z",
"severity": "MODERATE"
},
"details": "In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response sent over an encrypted channel. This issue does not affect Rapid7 Komand version 0.42.0 and later versions.",
"id": "GHSA-5rgv-v326-94h6",
"modified": "2022-05-13T01:32:04Z",
"published": "2022-05-13T01:32:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5559"
},
{
"type": "WEB",
"url": "https://docs.komand.com/docs/release-notes#section-komand-v0-42-0-2018-11-1"
},
{
"type": "WEB",
"url": "https://www.alexanderjaeger.de/cve-2018-5559_my_first_cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5RHW-R4V4-3C33
Vulnerability from github – Published: 2023-08-03 03:30 – Updated: 2024-04-04 06:30Element55 KnowMore appliances version 21 and older was discovered to store passwords in plaintext.
{
"affected": [],
"aliases": [
"CVE-2023-39144"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-03T03:15:10Z",
"severity": "HIGH"
},
"details": "Element55 KnowMore appliances version 21 and older was discovered to store passwords in plaintext.",
"id": "GHSA-5rhw-r4v4-3c33",
"modified": "2024-04-04T06:30:28Z",
"published": "2023-08-03T03:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39144"
},
{
"type": "WEB",
"url": "https://getknowmore.com"
},
{
"type": "WEB",
"url": "https://github.com/cduram/CVE-2023-39144"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5RP3-83J5-W2G4
Vulnerability from github – Published: 2023-12-07 06:30 – Updated: 2025-12-31 03:30A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.
{
"affected": [],
"aliases": [
"CVE-2023-40238"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-07T04:15:06Z",
"severity": "MODERATE"
},
"details": "A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.",
"id": "GHSA-5rp3-83j5-w2g4",
"modified": "2025-12-31T03:30:27Z",
"published": "2023-12-07T06:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40238"
},
{
"type": "WEB",
"url": "https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/index.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240105-0002"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge"
},
{
"type": "WEB",
"url": "https://www.insyde.com/security-pledge/SA-2023053"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/811862"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.