Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-5M8F-V3GW-H94W

Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2023-10-27 16:52
VLAI
Summary
Jenkins Support Core Plugin stores sensitive data in plain text
Details

Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. Support Core Plugin 2.79.1 adds a list of keywords whose associated values are redacted.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:support-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.79.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25187"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-27T21:24:40Z",
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. Support Core Plugin 2.79.1 adds a list of keywords whose associated values are redacted.",
  "id": "GHSA-5m8f-v3gw-h94w",
  "modified": "2023-10-27T16:52:02Z",
  "published": "2022-02-16T00:01:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25187"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/support-core-plugin/commit/c6d20da4f372f03bd3e4844f0df2f109df68a63c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/support-core-plugin/commit/e90487a87bc0a3445c887203f5badec17af905c5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/support-core-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2186"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Support Core Plugin stores sensitive data in plain text"
}

GHSA-5PRQ-GJQM-96R8

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-10-07 18:15
VLAI
Details

A vulnerability was found in business-central, as shipped in rhdm-7.5.1 and rhpam-7.5.1, where encoded passwords are stored in errai_security_context. The encoding used for storing the passwords is Base64, not an encryption algorithm, and any recovery of these passwords could lead to user passwords being exposed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14886"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-05T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in business-central, as shipped in rhdm-7.5.1 and rhpam-7.5.1, where encoded passwords are stored in errai_security_context. The encoding used for storing the passwords is Base64, not an encryption algorithm, and any recovery of these passwords could lead to user passwords being exposed.",
  "id": "GHSA-5prq-gjqm-96r8",
  "modified": "2022-10-07T18:15:56Z",
  "published": "2022-05-24T17:10:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14886"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14886"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/?utm_medium=email\u0026utm_source=footer#!msg/jbpm-usage/74pSuwfGKRU/0oXpmRScBQAJ"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/?utm_medium=email\u0026utm_source=footer#%21msg/jbpm-usage/74pSuwfGKRU/0oXpmRScBQAJ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5PVG-8R46-4JQJ

Vulnerability from github – Published: 2025-10-10 09:30 – Updated: 2025-10-10 09:30
VLAI
Details

Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access backup data from applications. User interaction is required for triggering this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21060"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-10T07:15:41Z",
    "severity": "MODERATE"
  },
  "details": "Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access backup data from applications. User interaction is required for triggering this vulnerability.",
  "id": "GHSA-5pvg-8r46-4jqj",
  "modified": "2025-10-10T09:30:48Z",
  "published": "2025-10-10T09:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21060"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2025\u0026month=10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5Q2Q-3PX6-4458

Vulnerability from github – Published: 2023-08-14 15:33 – Updated: 2024-04-04 06:55
VLAI
Details

An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. System password information could optionally be stored in cleartext, which might lead to possible information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-14T15:15:12Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. System password information could optionally be stored in cleartext, which might lead to possible information disclosure.",
  "id": "GHSA-5q2q-3px6-4458",
  "modified": "2024-04-04T06:55:02Z",
  "published": "2023-08-14T15:33:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31041"
    },
    {
      "type": "WEB",
      "url": "https://www.insyde.com/security-pledge/SA-2023047"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QM4-CM2H-3CGF

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-07-13 00:01
VLAI
Details

When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-14T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid.",
  "id": "GHSA-5qm4-cm2h-3cgf",
  "modified": "2022-07-13T00:01:34Z",
  "published": "2022-05-24T19:14:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38150"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/3060621"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R46-4F86-PMC5

Vulnerability from github – Published: 2022-08-03 00:00 – Updated: 2022-08-09 00:00
VLAI
Details

Lanling OA Landray Office Automation (OA) internal patch number #133383/#137780 contains an arbitrary file read vulnerability via the component /sys/ui/extend/varkind/custom.jsp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-02T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Lanling OA Landray Office Automation (OA) internal patch number #133383/#137780 contains an arbitrary file read vulnerability via the component /sys/ui/extend/varkind/custom.jsp.",
  "id": "GHSA-5r46-4f86-pmc5",
  "modified": "2022-08-09T00:00:27Z",
  "published": "2022-08-03T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34924"
    },
    {
      "type": "WEB",
      "url": "https://codeantenna.com/a/DXQfemaZEH"
    },
    {
      "type": "WEB",
      "url": "https://developpaper.com/lanling-oa-foreground-arbitrary-file-reading-vulnerability-exploitation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5RC5-4C5C-4CWX

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2023-10-26 23:07
VLAI
Summary
Jenkins View26 Test-Reporting Plugin stores access token in plain text
Details

Jenkins View26 Test-Reporting Plugin stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory there is no fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:view26"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-26T23:07:40Z",
    "nvd_published_at": "2019-10-16T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins View26 Test-Reporting Plugin stores an access token unencrypted in job `config.xml` files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system.\n\nAs of publication of this advisory there is no fix.",
  "id": "GHSA-5rc5-4c5c-4cwx",
  "modified": "2023-10-26T23:07:40Z",
  "published": "2022-05-24T16:58:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10452"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1440"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins View26 Test-Reporting Plugin stores access token in plain text"
}

GHSA-5RGV-V326-94H6

Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32
VLAI
Details

In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response sent over an encrypted channel. This issue does not affect Rapid7 Komand version 0.42.0 and later versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-5559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-28T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response sent over an encrypted channel. This issue does not affect Rapid7 Komand version 0.42.0 and later versions.",
  "id": "GHSA-5rgv-v326-94h6",
  "modified": "2022-05-13T01:32:04Z",
  "published": "2022-05-13T01:32:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5559"
    },
    {
      "type": "WEB",
      "url": "https://docs.komand.com/docs/release-notes#section-komand-v0-42-0-2018-11-1"
    },
    {
      "type": "WEB",
      "url": "https://www.alexanderjaeger.de/cve-2018-5559_my_first_cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5RHW-R4V4-3C33

Vulnerability from github – Published: 2023-08-03 03:30 – Updated: 2024-04-04 06:30
VLAI
Details

Element55 KnowMore appliances version 21 and older was discovered to store passwords in plaintext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-03T03:15:10Z",
    "severity": "HIGH"
  },
  "details": "Element55 KnowMore appliances version 21 and older was discovered to store passwords in plaintext.",
  "id": "GHSA-5rhw-r4v4-3c33",
  "modified": "2024-04-04T06:30:28Z",
  "published": "2023-08-03T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39144"
    },
    {
      "type": "WEB",
      "url": "https://getknowmore.com"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cduram/CVE-2023-39144"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5RP3-83J5-W2G4

Vulnerability from github – Published: 2023-12-07 06:30 – Updated: 2025-12-31 03:30
VLAI
Details

A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-07T04:15:06Z",
    "severity": "MODERATE"
  },
  "details": "A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.",
  "id": "GHSA-5rp3-83j5-w2g4",
  "modified": "2025-12-31T03:30:27Z",
  "published": "2023-12-07T06:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40238"
    },
    {
      "type": "WEB",
      "url": "https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/index.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240105-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.insyde.com/security-pledge"
    },
    {
      "type": "WEB",
      "url": "https://www.insyde.com/security-pledge/SA-2023053"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/811862"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.