CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-C8C6-87MV-3FM9
Vulnerability from github – Published: 2024-04-05 18:30 – Updated: 2025-03-28 21:30In Unify CP IP Phone firmware 1.10.4.3, files are not encrypted and contain sensitive information such as the root password hash.
{
"affected": [],
"aliases": [
"CVE-2024-28065"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-05T18:15:09Z",
"severity": "MODERATE"
},
"details": "In Unify CP IP Phone firmware 1.10.4.3, files are not encrypted and contain sensitive information such as the root password hash.",
"id": "GHSA-c8c6-87mv-3fm9",
"modified": "2025-03-28T21:30:39Z",
"published": "2024-04-05T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28065"
},
{
"type": "WEB",
"url": "https://syss.de"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-007.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CC23-R63P-28WP
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19Delta Electronics DIALink versions 1.2.4.0 and prior stores sensitive information in cleartext, which may allow an attacker to have extensive access to the application directory and escalate privileges.
{
"affected": [],
"aliases": [
"CVE-2021-38422"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-03T20:15:00Z",
"severity": "HIGH"
},
"details": "Delta Electronics DIALink versions 1.2.4.0 and prior stores sensitive information in cleartext, which may allow an attacker to have extensive access to the application directory and escalate privileges.",
"id": "GHSA-cc23-r63p-28wp",
"modified": "2022-05-24T19:19:31Z",
"published": "2022-05-24T19:19:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38422"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-294-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CC4R-8R99-3QMP
Vulnerability from github – Published: 2024-07-26 12:35 – Updated: 2024-08-05 21:31This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of FTP credentials in plaintext within the SquashFS-root filesystem associated with the router's firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext FTP credentials from the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system.
{
"affected": [],
"aliases": [
"CVE-2024-41691"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-26T12:15:03Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to storing of FTP credentials in plaintext within the SquashFS-root filesystem associated with the router\u0027s firmware. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext FTP credentials from the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the FTP server associated with the targeted system.",
"id": "GHSA-cc4r-8r99-3qmp",
"modified": "2024-08-05T21:31:19Z",
"published": "2024-07-26T12:35:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41691"
},
{
"type": "WEB",
"url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CC6F-J84G-6GMR
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2021-36096"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-06T15:15:00Z",
"severity": "MODERATE"
},
"details": "Generated Support Bundles contains private S/MIME and PGP keys if containing folder is not hidden. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior versions.",
"id": "GHSA-cc6f-j84g-6gmr",
"modified": "2022-05-24T19:13:03Z",
"published": "2022-05-24T19:13:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36096"
},
{
"type": "WEB",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2021-10"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CCC3-C3HC-G88X
Vulnerability from github – Published: 2023-05-10 06:30 – Updated: 2024-04-04 03:58Cleartext storage of sensitive information exists in SkyBridge MB-A100/110 firmware Ver. 4.2.0 and earlier, which may allow a remote authenticated attacker to obtain an APN credential for the product.
{
"affected": [],
"aliases": [
"CVE-2023-24586"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T06:15:12Z",
"severity": "MODERATE"
},
"details": "Cleartext storage of sensitive information exists in SkyBridge MB-A100/110 firmware Ver. 4.2.0 and earlier, which may allow a remote authenticated attacker to obtain an APN credential for the product.",
"id": "GHSA-ccc3-c3hc-g88x",
"modified": "2024-04-04T03:58:29Z",
"published": "2023-05-10T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24586"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN40604023"
},
{
"type": "WEB",
"url": "https://www.seiko-sol.co.jp/archives/73969"
},
{
"type": "WEB",
"url": "https://www.seiko-sol.co.jp/products/skybridge/skybridge_download/mb-a100"
},
{
"type": "WEB",
"url": "https://www.seiko-sol.co.jp/products/skybridge/skybridge_download/mb-a130"
},
{
"type": "WEB",
"url": "https://www.seiko-sol.co.jp/products/skybridge/skybridge_download/mb-a200"
},
{
"type": "WEB",
"url": "https://www.seiko-sol.co.jp/products/skyspider/skyspider_download/mb-r210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CCMG-3338-RH6P
Vulnerability from github – Published: 2025-04-30 15:30 – Updated: 2025-04-30 15:30Incorrect Permission Assignment for Critical Resource, Cleartext Storage of Sensitive Information vulnerability in ABB Automation Builder.This issue affects Automation Builder: through 2.8.0.
{
"affected": [],
"aliases": [
"CVE-2025-3395"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-30T13:15:49Z",
"severity": "HIGH"
},
"details": "Incorrect Permission Assignment for Critical Resource, Cleartext Storage of Sensitive Information vulnerability in ABB Automation Builder.This issue affects Automation Builder: through 2.8.0.",
"id": "GHSA-ccmg-3338-rh6p",
"modified": "2025-04-30T15:30:48Z",
"published": "2025-04-30T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3395"
},
{
"type": "WEB",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=3ADR011407\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CG49-X3J6-7J3G
Vulnerability from github – Published: 2025-05-26 12:30 – Updated: 2025-05-26 12:30The data stored in Be-Tech Mifare Classic card is stored in cleartext. An attacker having access to a Be-Tech hotel guest Mifare Classic card can create a master key card that unlocks all the locks in the building.
This issue affects all Be-Tech Mifare Classic card systems. To fix the vulnerability, it is necessary to replace the software, encoder, cards, and PCBs in the locks.
{
"affected": [],
"aliases": [
"CVE-2025-4053"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-26T10:15:21Z",
"severity": "MODERATE"
},
"details": "The data\u00a0stored in\u00a0Be-Tech Mifare Classic card\u00a0is stored in cleartext.\u00a0An attacker having access to a Be-Tech hotel guest\u00a0Mifare Classic card can create a master key card that unlocks all the locks in the building. \n\nThis issue affects all\u00a0Be-Tech Mifare Classic card systems.\u00a0To fix the vulnerability, it is necessary to replace the software, encoder, cards, and PCBs in the locks.",
"id": "GHSA-cg49-x3j6-7j3g",
"modified": "2025-05-26T12:30:30Z",
"published": "2025-05-26T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4053"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2025/05/CVE-2025-4053"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CG8Q-MVMC-QR6H
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-07-28 00:00When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
{
"affected": [],
"aliases": [
"CVE-2021-31817"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-08T11:15:00Z",
"severity": "HIGH"
},
"details": "When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.",
"id": "GHSA-cg8q-mvmc-qr6h",
"modified": "2022-07-28T00:00:45Z",
"published": "2022-05-24T19:07:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31817"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/adv/2021-06---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-31817).2121138201.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CGRW-9Q9P-34FJ
Vulnerability from github – Published: 2024-07-10 00:30 – Updated: 2024-07-10 00:30SnapCenter versions prior to 5.0p1 are susceptible to a vulnerability which could allow an authenticated attacker to discover plaintext credentials.
{
"affected": [],
"aliases": [
"CVE-2024-21993"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T22:15:01Z",
"severity": "MODERATE"
},
"details": "SnapCenter versions prior to 5.0p1 are susceptible to a vulnerability\n which could allow an authenticated attacker to discover plaintext \ncredentials.",
"id": "GHSA-cgrw-9q9p-34fj",
"modified": "2024-07-10T00:30:41Z",
"published": "2024-07-10T00:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21993"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240705-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CHM8-X5HX-J7RX
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11An information disclosure vulnerability exists in the EPA protocol of Dut Computer Control Engineering Co.'s PLC MAC1100.
{
"affected": [],
"aliases": [
"CVE-2020-18759"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-13T17:15:00Z",
"severity": "HIGH"
},
"details": "An information disclosure vulnerability exists in the EPA protocol of Dut Computer Control Engineering Co.\u0027s PLC MAC1100.",
"id": "GHSA-chm8-x5hx-j7rx",
"modified": "2022-05-24T19:11:03Z",
"published": "2022-05-24T19:11:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18759"
},
{
"type": "WEB",
"url": "https://github.com/Ni9htMar3/vulnerability/blob/master/PLC/DCCE/DCCE%20MAC1100%20PLC_leak2.md"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.