CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-999W-Q4XC-9WCC
Vulnerability from github – Published: 2023-01-27 15:30 – Updated: 2023-02-04 03:30Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.
{
"affected": [],
"aliases": [
"CVE-2022-48073"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-27T15:15:00Z",
"severity": "HIGH"
},
"details": "Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.",
"id": "GHSA-999w-q4xc-9wcc",
"modified": "2023-02-04T03:30:26Z",
"published": "2023-01-27T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48073"
},
{
"type": "WEB",
"url": "https://befitting-vinca-933.notion.site/Phicomm-K2-v22-6-534-263-Sensitive-Information-Disclosure-Vulnerability-530d2415593a400099451d9f0dd7371a"
},
{
"type": "WEB",
"url": "https://befitting-vinca-933.notion.site/Phicomm-K2G-v22-6-3-20-Sensitive-Information-Disclosure-Vulnerability-8649a75a7ea7455583294e7447145cc6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-99GR-Q2P8-X55M
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2026-03-27 21:31Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files.
This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025
{
"affected": [],
"aliases": [
"CVE-2025-4394"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-24T07:15:53Z",
"severity": "MODERATE"
},
"details": "Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files. \n\nThis issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025",
"id": "GHSA-99gr-q2p8-x55m",
"modified": "2026-03-27T21:31:31Z",
"published": "2025-07-25T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4394"
},
{
"type": "WEB",
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01"
},
{
"type": "WEB",
"url": "https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-patient-monitor-vulnerabilities.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-99RV-GQRG-P5FC
Vulnerability from github – Published: 2024-07-26 12:35 – Updated: 2024-08-05 21:31This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due lack of encryption in storing of usernames and passwords within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext credentials on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.
{
"affected": [],
"aliases": [
"CVE-2024-41688"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-26T12:15:03Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due lack of encryption in storing of usernames and passwords within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext credentials on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.",
"id": "GHSA-99rv-gqrg-p5fc",
"modified": "2024-08-05T21:31:19Z",
"published": "2024-07-26T12:35:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41688"
},
{
"type": "WEB",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9C4X-5HGQ-Q3WH
Vulnerability from github – Published: 2021-12-08 19:52 – Updated: 2021-12-14 15:32Impact
Some inline secrets are exposed in plaintext over the Grafana Agent HTTP server:
- Inline secrets for metrics instance configs in the base YAML file are exposed at
/-/config - Inline secrets for integrations are exposed at
/-/config - Inline secrets for Consul ACL tokens and ETCD basic auth when configured for the scraping service at
/-/config. - Inline secrets for the Kafka receiver for OpenTelemetry-Collector tracing at
/-/config. - Inline secrets for metrics instance configs loaded from the scraping service are exposed at
/agent/api/v1/configs/{name}.
Inline secrets will be exposed to anyone being able to reach these endpoints.
Secrets found in these sections are used for:
- Delivering metrics to a Prometheus Remote Write system
- Authenticating against a system for discovering Prometheus targets
- Authenticating against a system for collecting metrics (scrape_configs and integrations)
- Authenticating against a Consul or ETCD for storing configurations to distribute in scraping service mode
- Authenticating against Kafka for receiving traces
Non-inlined secrets, such as *_file-based secrets, are not impacted by this vulnerability.
Patches
Download v0.20.1 or any version past v0.21.2 to patch Grafana Agent. These patches obfuscate the listed impacted secrets from the vulnerable endpoints.
The patches also disable the endpoints by default. Pass the command-line flag --config.enable-read-api to opt-in and re-enable the endpoints.
Workarounds
If for some reason you cannot upgrade, use non-inline secrets where possible. Not all configuration options may have a non-inline equivalent.
You also may desire to restrict API access to Grafana Agent, with some combination of:
- Restrict network interfaces Grafana Agent listens on through
http_listen_addressin theserverblock.127.0.0.1is the most restrictive,0.0.0.0is the default. - Configure Grafana Agent to use HTTPS with client authentication.
- Use firewall rules to restrict external access to Grafana Agent's API.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/agent"
},
"ranges": [
{
"events": [
{
"introduced": "0.14.0"
},
{
"fixed": "0.21.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41090"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-08T19:32:31Z",
"nvd_published_at": "2021-12-08T17:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nSome inline secrets are exposed in plaintext over the Grafana Agent HTTP server:\n\n* Inline secrets for metrics instance configs in the base YAML file are exposed at `/-/config` \n* Inline secrets for integrations are exposed at `/-/config`\n* Inline secrets for Consul ACL tokens and ETCD basic auth when configured for the scraping service at `/-/config`.\n* Inline secrets for the Kafka receiver for OpenTelemetry-Collector tracing at `/-/config`.\n* Inline secrets for metrics instance configs loaded from the scraping service are exposed at `/agent/api/v1/configs/{name}`.\n\nInline secrets will be exposed to anyone being able to reach these endpoints.\n\nSecrets found in these sections are used for:\n\n* Delivering metrics to a Prometheus Remote Write system \n* Authenticating against a system for discovering Prometheus targets \n* Authenticating against a system for collecting metrics (scrape_configs and integrations)\n* Authenticating against a Consul or ETCD for storing configurations to distribute in scraping service mode \n* Authenticating against Kafka for receiving traces\n\nNon-inlined secrets, such as `*_file`-based secrets, are not impacted by this vulnerability. \n\n### Patches\n\nDownload [v0.20.1](https://github.com/grafana/agent/releases/tag/v0.20.1) or any version past [v0.21.2](https://github.com/grafana/agent/releases/tag/v0.21.2) to patch Grafana Agent. These patches obfuscate the listed impacted secrets from the vulnerable endpoints.\n\nThe patches also disable the endpoints by default. Pass the command-line flag `--config.enable-read-api` to opt-in and re-enable the endpoints. \n \n### Workarounds\nIf for some reason you cannot upgrade, use non-inline secrets where possible. Not all configuration options may have a non-inline equivalent.\n\nYou also may desire to restrict API access to Grafana Agent, with some combination of:\n\n* Restrict network interfaces Grafana Agent listens on through `http_listen_address` in the `server` block. `127.0.0.1` is the most restrictive, `0.0.0.0` is the default. \n* Configure Grafana Agent to use HTTPS with client authentication. \n* Use firewall rules to restrict external access to Grafana Agent\u0027s API.",
"id": "GHSA-9c4x-5hgq-q3wh",
"modified": "2021-12-14T15:32:21Z",
"published": "2021-12-08T19:52:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grafana/agent/security/advisories/GHSA-9c4x-5hgq-q3wh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41090"
},
{
"type": "WEB",
"url": "https://github.com/grafana/agent/pull/1152"
},
{
"type": "WEB",
"url": "https://github.com/grafana/agent/commit/a5479755e946e5c7cddb793ee9adda8f5692ba11"
},
{
"type": "WEB",
"url": "https://github.com/grafana/agent/commit/af7fb01e31fe2d389e5f1c36b399ddc46b412b21"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/agent"
},
{
"type": "WEB",
"url": "https://github.com/grafana/agent/releases/tag/v0.20.1"
},
{
"type": "WEB",
"url": "https://github.com/grafana/agent/releases/tag/v0.21.2"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20211229-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Instance config inline secret exposure in Grafana"
}
GHSA-9F3X-2884-FFF7
Vulnerability from github – Published: 2023-01-27 15:30 – Updated: 2023-02-04 03:30Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.
{
"affected": [],
"aliases": [
"CVE-2022-48071"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-27T15:15:00Z",
"severity": "HIGH"
},
"details": "Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.",
"id": "GHSA-9f3x-2884-fff7",
"modified": "2023-02-04T03:30:26Z",
"published": "2023-01-27T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48071"
},
{
"type": "WEB",
"url": "https://befitting-vinca-933.notion.site/Phicomm-K2-v22-6-534-263-Sensitive-Information-Disclosure-Vulnerability-530d2415593a400099451d9f0dd7371a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9G94-M2HG-VJ88
Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09Moxa ioLogik 2542-HSPA Series Controllers and IOs, and IOxpress Configuration Utility ioLogik 2500 series firmware, Version 3.0 or lower IOxpress configuration utility, Version 2.3.0 or lower. Sensitive information is stored in configuration files without encryption, which may allow an attacker to access an administrative account.
{
"affected": [],
"aliases": [
"CVE-2019-18238"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-26T22:15:00Z",
"severity": "MODERATE"
},
"details": "Moxa ioLogik 2542-HSPA Series Controllers and IOs, and IOxpress Configuration Utility ioLogik 2500 series firmware, Version 3.0 or lower IOxpress configuration utility, Version 2.3.0 or lower. Sensitive information is stored in configuration files without encryption, which may allow an attacker to access an administrative account.",
"id": "GHSA-9g94-m2hg-vj88",
"modified": "2022-05-24T17:09:40Z",
"published": "2022-05-24T17:09:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18238"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-056-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9GGF-9PGF-QPQ9
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48In Hardware Sentry KM before 10.0.01 for BMC PATROL, a cleartext password may be discovered after a failure or timeout of a command.
{
"affected": [],
"aliases": [
"CVE-2021-31791"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-23T22:15:00Z",
"severity": "HIGH"
},
"details": "In Hardware Sentry KM before 10.0.01 for BMC PATROL, a cleartext password may be discovered after a failure or timeout of a command.",
"id": "GHSA-9ggf-9pgf-qpq9",
"modified": "2022-05-24T17:48:44Z",
"published": "2022-05-24T17:48:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31791"
},
{
"type": "WEB",
"url": "https://www.sentrysoftware.com/library/releaseNotes/index.html?hardwaresentrykmforpatrol10_0_01releasenotes.htm"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9GGG-37FJ-XC96
Vulnerability from github – Published: 2022-02-17 00:00 – Updated: 2022-03-01 00:01A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threat from this vulnerability is to confidentiality.
{
"affected": [],
"aliases": [
"CVE-2021-3551"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-16T17:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threat from this vulnerability is to confidentiality.",
"id": "GHSA-9ggg-37fj-xc96",
"modified": "2022-03-01T00:01:08Z",
"published": "2022-02-17T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3551"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1959971"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9GXG-3RJH-XV63
Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-09-26 18:31A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.
{
"affected": [],
"aliases": [
"CVE-2024-7259"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T16:15:08Z",
"severity": "MODERATE"
},
"details": "A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.",
"id": "GHSA-9gxg-3rjh-xv63",
"modified": "2024-09-26T18:31:44Z",
"published": "2024-09-26T18:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7259"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-7259"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2314229"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9H64-8G5H-R7HM
Vulnerability from github – Published: 2025-12-02 15:30 – Updated: 2025-12-02 18:30Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted).
{
"affected": [],
"aliases": [
"CVE-2025-59701"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-02T15:15:55Z",
"severity": "MODERATE"
},
"details": "Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted).",
"id": "GHSA-9h64-8g5h-r7hm",
"modified": "2025-12-02T18:30:35Z",
"published": "2025-12-02T15:30:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59701"
},
{
"type": "WEB",
"url": "https://www.entrust.com/use-case/why-use-an-hsm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.