Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-954J-F27R-CJ52

Vulnerability from github – Published: 2020-11-23 21:18 – Updated: 2024-02-05 11:15
VLAI
Summary
Cleartext storage of session identifier
Details

User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.

Solution

Update to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.

Credits

Thanks to TYPO3 security team member Helmut Hummel who reported this issue and to TYPO3 core & security team members Benni Mack & Oliver Hader as well as TYPO3 contributor Markus Klein who fixed the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.5.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.7.0"
            },
            {
              "fixed": "8.7.38"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.5.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.7.0"
            },
            {
              "fixed": "8.7.38"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-23T21:10:32Z",
    "nvd_published_at": "2020-11-23T21:15:12Z",
    "severity": "HIGH"
  },
  "details": "User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.\n\n### Solution\nUpdate to TYPO3 versions 9.5.23 or 10.4.10 that fix the problem described.\n\n### Credits\nThanks to TYPO3 security team member Helmut Hummel who reported this issue and to TYPO3 core \u0026 security team members Benni Mack \u0026 Oliver Hader as well as TYPO3 contributor Markus Klein who fixed the issue.",
  "id": "GHSA-954j-f27r-cj52",
  "modified": "2024-02-05T11:15:53Z",
  "published": "2020-11-23T21:18:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-954j-f27r-cj52"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26228"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2020-26228.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2020-26228.yaml"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2020-011"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cleartext storage of session identifier"
}

GHSA-9574-3PR7-M343

Vulnerability from github – Published: 2026-01-30 21:30 – Updated: 2026-01-30 21:30
VLAI
Details

Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data.  

The vulnerability could read Vertica agent plaintext apikey.This issue affects Vertica versions: 23.X, 24.X, 25.X.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-30T19:16:08Z",
    "severity": "MODERATE"
  },
  "details": "Cleartext Storage of Sensitive Information vulnerability in OpenText\u2122 Vertica allows Retrieve Embedded Sensitive Data.\u00a0\u00a0\n\nThe vulnerability could read Vertica agent plaintext apikey.This issue affects Vertica versions: 23.X, 24.X, 25.X.",
  "id": "GHSA-9574-3pr7-m343",
  "modified": "2026-01-30T21:30:22Z",
  "published": "2026-01-30T21:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9432"
    },
    {
      "type": "WEB",
      "url": "https://portal.microfocus.com/s/article/KM000044937?language=en_US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-959J-89F4-F372

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42
VLAI
Details

Debug message containing addresses of memory transactions in some Intel(R) 10th Generation Core Processors supporting SGX may allow a privileged user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-17T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Debug message containing addresses of memory transactions in some Intel(R) 10th Generation Core Processors supporting SGX may allow a privileged user to potentially enable information disclosure via local access.",
  "id": "GHSA-959j-89f4-f372",
  "modified": "2022-05-24T17:42:28Z",
  "published": "2022-05-24T17:42:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24491"
    },
    {
      "type": "WEB",
      "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00455.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9657-QHH9-38MW

Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30
VLAI
Details

When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands that return the ssh-password parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to the audit log to view sensitive information.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-13T16:16:37Z",
    "severity": "MODERATE"
  },
  "details": "When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add\u00a0and bigip_add\u00a0iControl REST commands that return the ssh-password\u00a0parameter in cleartext in the iControl REST response and is also logged in the audit log. This may allow a highly privileged, authenticated attacker with access to the audit log to view sensitive information.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated",
  "id": "GHSA-9657-qhh9-38mw",
  "modified": "2026-05-13T18:30:54Z",
  "published": "2026-05-13T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28758"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000158070"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-96C7-FQXV-RMV7

Vulnerability from github – Published: 2023-04-12 18:30 – Updated: 2023-04-12 22:19
VLAI
Summary
Jenkins Consul KV Builder Plugin stores HashiCorp Consul ACL Token unencrypted
Details

Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:consul-kv-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30530"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-12T22:19:14Z",
    "nvd_published_at": "2023-04-12T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file `org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml` on the Jenkins controller as part of its configuration.\n\nThis token can be viewed by users with access to the Jenkins controller file system.\n\nAdditionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.",
  "id": "GHSA-96c7-fqxv-rmv7",
  "modified": "2023-04-12T22:19:14Z",
  "published": "2023-04-12T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30530"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2944"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/04/13/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Consul KV Builder Plugin stores HashiCorp Consul ACL Token unencrypted"
}

GHSA-974Q-XV7X-QW7F

Vulnerability from github – Published: 2021-12-31 00:00 – Updated: 2022-01-08 00:00
VLAI
Details

Trendnet AC2600 TEW-827DRU version 2.08B01 stores credentials in plaintext. Usernames and passwords are stored in plaintext in the config files on the device. For example, /etc/config/cameo contains the admin password in plaintext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-30T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Trendnet AC2600 TEW-827DRU version 2.08B01 stores credentials in plaintext. Usernames and passwords are stored in plaintext in the config files on the device. For example, /etc/config/cameo contains the admin password in plaintext.",
  "id": "GHSA-974q-xv7x-qw7f",
  "modified": "2022-01-08T00:00:32Z",
  "published": "2021-12-31T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20162"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2021-54"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-97C5-JW9R-3FWJ

Vulnerability from github – Published: 2022-03-22 00:00 – Updated: 2022-03-30 00:01
VLAI
Details

An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-26148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-21T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. The Zabbix password can be found in the api_jsonrpc.php HTML source code. When the user logs in and allows the user to register, one can right click to view the source code and use Ctrl-F to search for password in api_jsonrpc.php to discover the Zabbix account password and URL address.",
  "id": "GHSA-97c5-jw9r-3fwj",
  "modified": "2022-03-30T00:01:17Z",
  "published": "2022-03-22T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26148"
    },
    {
      "type": "WEB",
      "url": "https://2k8.org/post-319.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220425-0005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97WP-63WQ-HFWH

Vulnerability from github – Published: 2023-05-16 18:30 – Updated: 2023-05-17 03:06
VLAI
Summary
Jenkins Ansible Plugin job configuration form does not mask variables
Details

Jenkins Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets.

Ansible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them.

Ansible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "205.v4cb"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T03:06:37Z",
    "nvd_published_at": "2023-05-16T16:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets.\n\nAnsible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them.\n\nAnsible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.",
  "id": "GHSA-97wp-63wq-hfwh",
  "modified": "2023-05-17T03:06:37Z",
  "published": "2023-05-16T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32983"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/ansible-plugin/commit/4cbc48657c21a65a917b3b3049918480198c0cfb"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Ansible Plugin job configuration form does not mask variables"
}

GHSA-98P6-6428-77V7

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2023-02-15 22:21
VLAI
Summary
Jenkins NeoLoad Plugin stores credentials in cleartext
Details

Jenkins NeoLoad Plugin prior to version 2.2.6 stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:neoload-jenkins-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T21:47:27Z",
    "nvd_published_at": "2019-10-16T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins NeoLoad Plugin prior to version 2.2.6 stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.",
  "id": "GHSA-98p6-6428-77v7",
  "modified": "2023-02-15T22:21:01Z",
  "published": "2022-05-24T16:58:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10440"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/neoload-plugin/commit/83c8300c8318502b4f4d4c802dd2a10cadfee4c9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/neoload-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1427"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-932"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/10/16/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins NeoLoad Plugin stores credentials in cleartext"
}

GHSA-98QC-V8VG-MCX4

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-03 20:35
VLAI
Summary
Plaintext Storage of a Password in Jenkins TestQuality Updater Plugin
Details

Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:testquality-updater"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-27T00:58:21Z",
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.",
  "id": "GHSA-98qc-v8vg-mcx4",
  "modified": "2023-02-03T20:35:16Z",
  "published": "2023-01-26T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24454"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2091"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Plaintext Storage of a Password in Jenkins TestQuality Updater Plugin"
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.