CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-64QM-6FCC-V9X3
Vulnerability from github – Published: 2023-07-20 18:33 – Updated: 2024-04-04 06:17Dell Wyse ThinOS versions prior to 2208 (9.3.2102) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files.
{
"affected": [],
"aliases": [
"CVE-2023-32455"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-20T13:15:11Z",
"severity": "MODERATE"
},
"details": "\nDell Wyse ThinOS versions prior to 2208 (9.3.2102) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files.\n\n",
"id": "GHSA-64qm-6fcc-v9x3",
"modified": "2024-04-04T06:17:44Z",
"published": "2023-07-20T18:33:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32455"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000215864/dsa-2023-247"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-64RG-7PF2-5P8V
Vulnerability from github – Published: 2023-02-01 06:30 – Updated: 2023-02-08 15:30Dell PowerScale OneFS, 9.0.0.x-9.4.0.x, contain a cleartext storage of sensitive information vulnerability in S3 component. An authenticated local attacker could potentially exploit this vulnerability, leading to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2022-45098"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-01T06:15:00Z",
"severity": "MODERATE"
},
"details": "Dell PowerScale OneFS, 9.0.0.x-9.4.0.x, contain a cleartext storage of sensitive information vulnerability in S3 component. An authenticated local attacker could potentially exploit this vulnerability, leading to information disclosure.",
"id": "GHSA-64rg-7pf2-5p8v",
"modified": "2023-02-08T15:30:33Z",
"published": "2023-02-01T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45098"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000206357/dell-emc-powerscale-onefs-security-updates-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6577-56W8-V2RG
Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-06 18:32Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.
{
"affected": [],
"aliases": [
"CVE-2025-34270"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T22:15:47Z",
"severity": "MODERATE"
},
"details": "Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.",
"id": "GHSA-6577-56w8-v2rg",
"modified": "2025-11-06T18:32:48Z",
"published": "2025-10-31T00:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34270"
},
{
"type": "WEB",
"url": "https://support.nagios.com/kb/article/authenticating-and-importing-users-with-ad-and-ldap-995.html"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/#log-server"
},
{
"type": "WEB",
"url": "https://www.nagios.com/products/security/#log-server-2024R2"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nagios-log-server-ad-ldap-import-password-not-obfuscated"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6658-GV7V-29HJ
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Unprotected Storage of Credentials vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 allows local users to gain access to the video streaming username and password via SQLite files containing plain text credentials.
{
"affected": [],
"aliases": [
"CVE-2020-27557"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-17T15:15:00Z",
"severity": "MODERATE"
},
"details": "Unprotected Storage of Credentials vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 allows local users to gain access to the video streaming username and password via SQLite files containing plain text credentials.",
"id": "GHSA-6658-gv7v-29hj",
"modified": "2022-05-24T17:34:30Z",
"published": "2022-05-24T17:34:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27557"
},
{
"type": "WEB",
"url": "https://infosec.rm-it.de/2020/11/04/basetech-ip-camera-analysis/#vulns"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6844-78P7-PCMC
Vulnerability from github – Published: 2023-07-19 09:30 – Updated: 2023-07-19 09:30A vulnerability was found in Intergard SGS 8.7.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to cleartext storage of sensitive information in memory. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-234447. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2023-3762"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-19T07:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Intergard SGS 8.7.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to cleartext storage of sensitive information in memory. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-234447. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-6844-78p7-pcmc",
"modified": "2023-07-19T09:30:54Z",
"published": "2023-07-19T09:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3762"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.234447"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.234447"
},
{
"type": "WEB",
"url": "https://youtu.be/Ee2KU-T_0pI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-69PF-XVPG-V736
Vulnerability from github – Published: 2026-03-03 21:31 – Updated: 2026-03-04 15:30Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to stroe credentials in plaintext in the component uac_temp.db.
{
"affected": [],
"aliases": [
"CVE-2024-55027"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T20:16:41Z",
"severity": "HIGH"
},
"details": "Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to stroe credentials in plaintext in the component uac_temp.db.",
"id": "GHSA-69pf-xvpg-v736",
"modified": "2026-03-04T15:30:34Z",
"published": "2026-03-03T21:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55027"
},
{
"type": "WEB",
"url": "https://gist.github.com/AenganZ/f86ed0da28825a1432ec697f484622de"
},
{
"type": "WEB",
"url": "https://plain-trick-71d.notion.site/weintek-cMT-3072XH2-14687a89c4c181eeb21ad61e0392f34b?pvs=4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6C5Q-H46J-P8GQ
Vulnerability from github – Published: 2022-05-02 03:33 – Updated: 2024-02-13 18:38The Huawei D100 stores the administrator's account name and password in cleartext in a cookie, which allows context-dependent attackers to obtain sensitive information by (1) reading a cookie file, by (2) sniffing the network for HTTP headers, and possibly by using unspecified other vectors.
{
"affected": [],
"aliases": [
"CVE-2009-2272"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-07-01T13:00:00Z",
"severity": "MODERATE"
},
"details": "The Huawei D100 stores the administrator\u0027s account name and password in cleartext in a cookie, which allows context-dependent attackers to obtain sensitive information by (1) reading a cookie file, by (2) sniffing the network for HTTP headers, and possibly by using unspecified other vectors.",
"id": "GHSA-6c5q-h46j-p8gq",
"modified": "2024-02-13T18:38:21Z",
"published": "2022-05-02T03:33:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2272"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/504645/100/0/threaded"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6C6P-VQC7-GJ3W
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device.
Successful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device.
{
"affected": [],
"aliases": [
"CVE-2026-9274"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-25T10:16:15Z",
"severity": "MODERATE"
},
"details": "This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device. \n\n\n\nSuccessful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device.",
"id": "GHSA-6c6p-vqc7-gj3w",
"modified": "2026-05-26T13:30:41Z",
"published": "2026-05-26T13:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9274"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2026-0266"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6C88-GVXW-F5HG
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2025-05-14 07:50The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.3.0"
},
{
"last_affected": "7.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.10.fp93"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.1.0"
},
{
"fixed": "7.1.10.fp19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.2.0"
},
{
"fixed": "7.2.10.fp7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-33325"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-14T07:50:26Z",
"nvd_published_at": "2021-08-03T19:15:00Z",
"severity": "MODERATE"
},
"details": "The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user\u0027s clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user\u0027s password.",
"id": "GHSA-6c88-gvxw-f5hg",
"modified": "2025-05-14T07:50:26Z",
"published": "2022-05-24T19:09:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33325"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://issues.liferay.com/browse/LPE-17042"
},
{
"type": "WEB",
"url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Liferay Portal and Liferay DXP Stores User Passwords in Cleartext"
}
GHSA-6CJM-4PXW-7XP9
Vulnerability from github – Published: 2024-04-18 18:22 – Updated: 2025-09-15 20:06Impact
When authenticating as a superuser to a self-hosted Sentry instance with a username and password, the password is leaked as cleartext in logs under the event: auth-index.validate_superuser. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser.
Patches
- Self-hosted users on affected versions should upgrade to 24.4.1 or later.
- Sentry SaaS users do not need to take any action. This vulnerability is not applicable to SaaS.
Workarounds
Users can configure the logging level to exclude logs of the INFO level and only generate logs for levels at WARNING or higher. For details on configuring self-hosted Sentry's logging level see our documentation at: https://develop.sentry.dev/config/#logging
References
- Bug introduced in https://github.com/getsentry/sentry/pull/66393
- Security fix in https://github.com/getsentry/sentry/pull/69148
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sentry"
},
"ranges": [
{
"events": [
{
"introduced": "24.3.0"
},
{
"fixed": "24.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-32474"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-18T18:22:42Z",
"nvd_published_at": "2024-04-18T20:15:17Z",
"severity": "HIGH"
},
"details": "### Impact\nWhen authenticating as a superuser to a self-hosted Sentry instance with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser.\n\n### Patches\n- Self-hosted users on affected versions should upgrade to 24.4.1 or later.\n- Sentry SaaS users do not need to take any action. This vulnerability is not applicable to SaaS.\n\n### Workarounds\nUsers can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or higher. For details on configuring self-hosted Sentry\u0027s logging level see our documentation at: https://develop.sentry.dev/config/#logging\n\n### References\n- Bug introduced in https://github.com/getsentry/sentry/pull/66393\n- Security fix in https://github.com/getsentry/sentry/pull/69148",
"id": "GHSA-6cjm-4pxw-7xp9",
"modified": "2025-09-15T20:06:42Z",
"published": "2024-04-18T18:22:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32474"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/pull/66393"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/pull/69148"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f"
},
{
"type": "PACKAGE",
"url": "https://github.com/getsentry/sentry"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sentry vulnerable to leaking superuser cleartext password in logs"
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.