Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-64QM-6FCC-V9X3

Vulnerability from github – Published: 2023-07-20 18:33 – Updated: 2024-04-04 06:17
VLAI
Details

Dell Wyse ThinOS versions prior to 2208 (9.3.2102) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32455"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-532"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-20T13:15:11Z",
    "severity": "MODERATE"
  },
  "details": "\nDell Wyse ThinOS versions prior to 2208 (9.3.2102) contain a sensitive information disclosure vulnerability. An unauthenticated malicious user with local access to the device could exploit this vulnerability to read sensitive information written to the log files.\n\n",
  "id": "GHSA-64qm-6fcc-v9x3",
  "modified": "2024-04-04T06:17:44Z",
  "published": "2023-07-20T18:33:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32455"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000215864/dsa-2023-247"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-64RG-7PF2-5P8V

Vulnerability from github – Published: 2023-02-01 06:30 – Updated: 2023-02-08 15:30
VLAI
Details

Dell PowerScale OneFS, 9.0.0.x-9.4.0.x, contain a cleartext storage of sensitive information vulnerability in S3 component. An authenticated local attacker could potentially exploit this vulnerability, leading to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45098"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-01T06:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerScale OneFS, 9.0.0.x-9.4.0.x, contain a cleartext storage of sensitive information vulnerability in S3 component. An authenticated local attacker could potentially exploit this vulnerability, leading to information disclosure.",
  "id": "GHSA-64rg-7pf2-5p8v",
  "modified": "2023-02-08T15:30:33Z",
  "published": "2023-02-01T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45098"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000206357/dell-emc-powerscale-onefs-security-updates-for-multiple-security-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6577-56W8-V2RG

Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-06 18:32
VLAI
Details

Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-34270"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-30T22:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.",
  "id": "GHSA-6577-56w8-v2rg",
  "modified": "2025-11-06T18:32:48Z",
  "published": "2025-10-31T00:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34270"
    },
    {
      "type": "WEB",
      "url": "https://support.nagios.com/kb/article/authenticating-and-importing-users-with-ad-and-ldap-995.html"
    },
    {
      "type": "WEB",
      "url": "https://www.nagios.com/changelog/#log-server"
    },
    {
      "type": "WEB",
      "url": "https://www.nagios.com/products/security/#log-server-2024R2"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/nagios-log-server-ad-ldap-import-password-not-obfuscated"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6658-GV7V-29HJ

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

Unprotected Storage of Credentials vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 allows local users to gain access to the video streaming username and password via SQLite files containing plain text credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27557"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-17T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Unprotected Storage of Credentials vulnerability in BASETech GE-131 BT-1837836 firmware 20180921 allows local users to gain access to the video streaming username and password via SQLite files containing plain text credentials.",
  "id": "GHSA-6658-gv7v-29hj",
  "modified": "2022-05-24T17:34:30Z",
  "published": "2022-05-24T17:34:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27557"
    },
    {
      "type": "WEB",
      "url": "https://infosec.rm-it.de/2020/11/04/basetech-ip-camera-analysis/#vulns"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6844-78P7-PCMC

Vulnerability from github – Published: 2023-07-19 09:30 – Updated: 2023-07-19 09:30
VLAI
Details

A vulnerability was found in Intergard SGS 8.7.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to cleartext storage of sensitive information in memory. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-234447. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-316"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-19T07:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Intergard SGS 8.7.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to cleartext storage of sensitive information in memory. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-234447. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-6844-78p7-pcmc",
  "modified": "2023-07-19T09:30:54Z",
  "published": "2023-07-19T09:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3762"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.234447"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.234447"
    },
    {
      "type": "WEB",
      "url": "https://youtu.be/Ee2KU-T_0pI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-69PF-XVPG-V736

Vulnerability from github – Published: 2026-03-03 21:31 – Updated: 2026-03-04 15:30
VLAI
Details

Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to stroe credentials in plaintext in the component uac_temp.db.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-55027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-03T20:16:41Z",
    "severity": "HIGH"
  },
  "details": "Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to stroe credentials in plaintext in the component uac_temp.db.",
  "id": "GHSA-69pf-xvpg-v736",
  "modified": "2026-03-04T15:30:34Z",
  "published": "2026-03-03T21:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55027"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/AenganZ/f86ed0da28825a1432ec697f484622de"
    },
    {
      "type": "WEB",
      "url": "https://plain-trick-71d.notion.site/weintek-cMT-3072XH2-14687a89c4c181eeb21ad61e0392f34b?pvs=4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6C5Q-H46J-P8GQ

Vulnerability from github – Published: 2022-05-02 03:33 – Updated: 2024-02-13 18:38
VLAI
Details

The Huawei D100 stores the administrator's account name and password in cleartext in a cookie, which allows context-dependent attackers to obtain sensitive information by (1) reading a cookie file, by (2) sniffing the network for HTTP headers, and possibly by using unspecified other vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-07-01T13:00:00Z",
    "severity": "MODERATE"
  },
  "details": "The Huawei D100 stores the administrator\u0027s account name and password in cleartext in a cookie, which allows context-dependent attackers to obtain sensitive information by (1) reading a cookie file, by (2) sniffing the network for HTTP headers, and possibly by using unspecified other vectors.",
  "id": "GHSA-6c5q-h46j-p8gq",
  "modified": "2024-02-13T18:38:21Z",
  "published": "2022-05-02T03:33:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2272"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/504645/100/0/threaded"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6C6P-VQC7-GJ3W

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30
VLAI
Details

This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device.

Successful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-25T10:16:15Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device. \n\n\n\nSuccessful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device.",
  "id": "GHSA-6c6p-vqc7-gj3w",
  "modified": "2026-05-26T13:30:41Z",
  "published": "2026-05-26T13:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9274"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2026-0266"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6C88-GVXW-F5HG

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2025-05-14 07:50
VLAI
Summary
Liferay Portal and Liferay DXP Stores User Passwords in Cleartext
Details

The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user's clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user's password.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.portal.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.3.0"
            },
            {
              "last_affected": "7.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.10.fp93"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.1.10.fp19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.2.0"
            },
            {
              "fixed": "7.2.10.fp7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-33325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-14T07:50:26Z",
    "nvd_published_at": "2021-08-03T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Portal Workflow module in Liferay Portal 7.3.2 and earlier, and Liferay DXP 7.0 before fix pack 93, 7.1 before fix pack 19, and 7.2 before fix pack 7, user\u0027s clear text passwords are stored in the database if workflow is enabled for user creation, which allows attackers with access to the database to obtain a user\u0027s password.",
  "id": "GHSA-6c88-gvxw-f5hg",
  "modified": "2025-05-14T07:50:26Z",
  "published": "2022-05-24T19:09:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33325"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://issues.liferay.com/browse/LPE-17042"
    },
    {
      "type": "WEB",
      "url": "https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/120748389"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Liferay Portal and Liferay DXP Stores User Passwords in Cleartext"
}

GHSA-6CJM-4PXW-7XP9

Vulnerability from github – Published: 2024-04-18 18:22 – Updated: 2025-09-15 20:06
VLAI
Summary
Sentry vulnerable to leaking superuser cleartext password in logs
Details

Impact

When authenticating as a superuser to a self-hosted Sentry instance with a username and password, the password is leaked as cleartext in logs under the event: auth-index.validate_superuser. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser.

Patches

  • Self-hosted users on affected versions should upgrade to 24.4.1 or later.
  • Sentry SaaS users do not need to take any action. This vulnerability is not applicable to SaaS.

Workarounds

Users can configure the logging level to exclude logs of the INFO level and only generate logs for levels at WARNING or higher. For details on configuring self-hosted Sentry's logging level see our documentation at: https://develop.sentry.dev/config/#logging

References

  • Bug introduced in https://github.com/getsentry/sentry/pull/66393
  • Security fix in https://github.com/getsentry/sentry/pull/69148
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sentry"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "24.3.0"
            },
            {
              "fixed": "24.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-117",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-18T18:22:42Z",
    "nvd_published_at": "2024-04-18T20:15:17Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen authenticating as a superuser to a self-hosted Sentry instance with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser.\n\n### Patches\n- Self-hosted users on affected versions should upgrade to 24.4.1 or later.\n- Sentry SaaS users do not need to take any action. This vulnerability is not applicable to SaaS.\n\n### Workarounds\nUsers can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or higher. For details on configuring self-hosted Sentry\u0027s logging level see our documentation at: https://develop.sentry.dev/config/#logging\n\n### References\n- Bug introduced in https://github.com/getsentry/sentry/pull/66393\n- Security fix in https://github.com/getsentry/sentry/pull/69148",
  "id": "GHSA-6cjm-4pxw-7xp9",
  "modified": "2025-09-15T20:06:42Z",
  "published": "2024-04-18T18:22:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/security/advisories/GHSA-6cjm-4pxw-7xp9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32474"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/pull/66393"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/pull/69148"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry/commit/d5b34568d9f1c41362ccb62141532a0a2169512f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getsentry/sentry"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sentry vulnerable to leaking superuser cleartext password in logs"
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.