CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-JR25-FRC3-R97P
Vulnerability from github – Published: 2024-07-10 03:30 – Updated: 2024-07-10 03:30IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.22.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 281429.
{
"affected": [],
"aliases": [
"CVE-2024-25023"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T01:15:09Z",
"severity": "MODERATE"
},
"details": "IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.22.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 281429.",
"id": "GHSA-jr25-frc3-r97p",
"modified": "2024-07-10T03:30:35Z",
"published": "2024-07-10T03:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25023"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/281429"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7159768"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JV9R-MGX5-PQQ6
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1, 1.2 systems store device data with sensitive information in an unencrypted database. This could allow an attacker with network access to view or modify sensitive data including PHI.
{
"affected": [],
"aliases": [
"CVE-2020-12032"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-29T14:15:00Z",
"severity": "MODERATE"
},
"details": "Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix EM1200 Versions 1.1, 1.2 systems store device data with sensitive information in an unencrypted database. This could allow an attacker with network access to view or modify sensitive data including PHI.",
"id": "GHSA-jv9r-mgx5-pqq6",
"modified": "2022-05-24T17:21:59Z",
"published": "2022-05-24T17:21:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12032"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JVFR-HP47-8RX8
Vulnerability from github – Published: 2026-02-03 03:30 – Updated: 2026-03-03 03:32A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file. An attacker with access to Brocade SANnav supportsave file, could open the file and then obtain sensitive information such as details of database tables and encrypted passwords.
{
"affected": [],
"aliases": [
"CVE-2025-12774"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T02:16:06Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file.\u00a0An attacker with access to Brocade SANnav supportsave file, could open the file and then obtain sensitive information such as details of database tables and encrypted passwords.",
"id": "GHSA-jvfr-hp47-8rx8",
"modified": "2026-03-03T03:32:41Z",
"published": "2026-02-03T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12774"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36848"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JVXJ-9X2F-RJ8H
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41An issue was discovered on FiberHome HG6245D devices through RP2613. wifi_custom.cfg has cleartext passwords and 0644 permissions.
{
"affected": [],
"aliases": [
"CVE-2021-27174"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T19:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered on FiberHome HG6245D devices through RP2613. wifi_custom.cfg has cleartext passwords and 0644 permissions.",
"id": "GHSA-jvxj-9x2f-rj8h",
"modified": "2022-05-24T17:41:51Z",
"published": "2022-05-24T17:41:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27174"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#system-credentials-clear-text-files"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JX45-XP6Q-CWJC
Vulnerability from github – Published: 2025-01-30 21:31 – Updated: 2025-03-13 19:19Cleartext storage of sensitive information in the Zoom Jenkins Marketplace plugin before version 1.4 may allow an authenticated user to conduct a disclosure of information via network access.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:zoom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-0142"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-13T19:19:06Z",
"nvd_published_at": "2025-01-30T20:15:33Z",
"severity": "MODERATE"
},
"details": "Cleartext storage of sensitive information in the Zoom Jenkins Marketplace plugin before version 1.4 may allow an authenticated user to conduct a disclosure of information via network access.",
"id": "GHSA-jx45-xp6q-cwjc",
"modified": "2025-03-13T19:19:06Z",
"published": "2025-01-30T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0142"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/zoom-plugin"
},
{
"type": "WEB",
"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-25001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Zoom Plugin Stores Sensitive Information in Cleartext"
}
GHSA-M23H-Q673-4JCQ
Vulnerability from github – Published: 2022-08-11 00:00 – Updated: 2022-08-14 00:00Dell Wyse Management Suite 3.6.1 and below contains an Plain-text Password Storage Vulnerability in UI. An attacker with low privileges could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
{
"affected": [],
"aliases": [
"CVE-2022-33928"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-10T17:15:00Z",
"severity": "HIGH"
},
"details": "Dell Wyse Management Suite 3.6.1 and below contains an Plain-text Password Storage Vulnerability in UI. An attacker with low privileges could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.",
"id": "GHSA-m23h-q673-4jcq",
"modified": "2022-08-14T00:00:23Z",
"published": "2022-08-11T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33928"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000201383/dsa-2022-134-dell-wyse-management-suite-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M365-98J8-W96W
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2023-01-06 17:03Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials unencrypted in its global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:zephyr-for-jira-test-management"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2154"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-06T17:03:57Z",
"nvd_published_at": "2020-03-09T16:15:00Z",
"severity": "LOW"
},
"details": "Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials unencrypted in its global configuration file `com.thed.zephyr.jenkins.reporter.ZfjReporter.xml` on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.",
"id": "GHSA-m365-98j8-w96w",
"modified": "2023-01-06T17:03:57Z",
"published": "2022-05-24T17:10:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2154"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/zephyr-for-jira-test-management-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1550"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Zephyr for JIRA Test Management Plugin stores credentials in plain text"
}
GHSA-M3FH-CX4W-XF4M
Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2024-04-04 02:49Universal Robots control box CB 3.1 across firmware versions (tested on 1.12.1, 1.12, 1.11 and 1.10) does not encrypt or protect in any way the intellectual property artifacts installed from the UR+ platform of hardware and software components (URCaps). These files (*.urcaps) are stored under '/root/.urcaps' as plain zip files containing all the logic to add functionality to the UR3, UR5 and UR10 robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property.
{
"affected": [],
"aliases": [
"CVE-2020-10267"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-06T12:15:00Z",
"severity": "HIGH"
},
"details": "Universal Robots control box CB 3.1 across firmware versions (tested on 1.12.1, 1.12, 1.11 and 1.10) does not encrypt or protect in any way the intellectual property artifacts installed from the UR+ platform of hardware and software components (URCaps). These files (*.urcaps) are stored under \u0027/root/.urcaps\u0027 as plain zip files containing all the logic to add functionality to the UR3, UR5 and UR10 robots. This flaw allows attackers with access to the robot or the robot network (while in combination with other flaws) to retrieve and easily exfiltrate all installed intellectual property.",
"id": "GHSA-m3fh-cx4w-xf4m",
"modified": "2024-04-04T02:49:40Z",
"published": "2022-05-24T17:13:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10267"
},
{
"type": "WEB",
"url": "https://github.com/aliasrobotics/RVD/issues/1489"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M3HF-H8R4-HRGJ
Vulnerability from github – Published: 2025-03-11 12:30 – Updated: 2025-03-11 12:30This vulnerability exists in the Tinxy smart devices due to storage of credentials in plaintext within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the plaintext credentials stored on the vulnerable device.
{
"affected": [],
"aliases": [
"CVE-2025-2189"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T12:15:12Z",
"severity": "MODERATE"
},
"details": "This vulnerability exists in the Tinxy smart devices due to storage of credentials in plaintext within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the plaintext credentials stored on the vulnerable device.",
"id": "GHSA-m3hf-h8r4-hrgj",
"modified": "2025-03-11T12:30:59Z",
"published": "2025-03-11T12:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2189"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0043"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M3PG-8XJ4-P62W
Vulnerability from github – Published: 2022-11-25 00:30 – Updated: 2022-11-28 21:30Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 all versions and Mitsubishi Electric MX OPC UA Module Configurator-R all versions allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthorized users can gain unauthorized access to the CPU module and the OPC UA server module.
{
"affected": [],
"aliases": [
"CVE-2022-25164"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-25T00:15:00Z",
"severity": "HIGH"
},
"details": "Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 all versions and Mitsubishi Electric MX OPC UA Module Configurator-R all versions allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthorized users can gain unauthorized access to the CPU module and the OPC UA server module.",
"id": "GHSA-m3pg-8xj4-p62w",
"modified": "2022-11-28T21:30:21Z",
"published": "2022-11-25T00:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25164"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU97244961/index.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.