CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-MF9W-62P6-2JH9
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02Moxa Secure Router EDR-G903 devices before 3.4.12 allow remote attackers to discover cleartext passwords by reading a configuration file.
{
"affected": [],
"aliases": [
"CVE-2016-0876"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-05-31T01:59:00Z",
"severity": "HIGH"
},
"details": "Moxa Secure Router EDR-G903 devices before 3.4.12 allow remote attackers to discover cleartext passwords by reading a configuration file.",
"id": "GHSA-mf9w-62p6-2jh9",
"modified": "2022-05-13T01:02:36Z",
"published": "2022-05-13T01:02:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0876"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-042-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MFQ2-2PHJ-F7GW
Vulnerability from github – Published: 2023-02-17 18:30 – Updated: 2023-03-01 21:30IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 237587.
{
"affected": [],
"aliases": [
"CVE-2022-41734"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-17T18:15:00Z",
"severity": "HIGH"
},
"details": "IBM Maximo Asset Management 7.6.1.2 and 7.6.1.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 237587.",
"id": "GHSA-mfq2-2phj-f7gw",
"modified": "2023-03-01T21:30:20Z",
"published": "2023-02-17T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41734"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/237587"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6857605"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MG2X-MGGJ-6955
Vulnerability from github – Published: 2024-01-24 15:30 – Updated: 2024-01-31 14:55Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. Additionally, if used with an Airflow version between 2.3.0 and 2.6.0, the configuration dictionary will be logged as plain text in the triggerer service without masking. This allows anyone with access to the metadata or triggerer log to obtain the configuration file and use it to access the Kubernetes cluster.
This behavior was changed in version 7.0.0, which stopped serializing the file contents and started providing the file path instead to read the contents into the trigger. Users are recommended to upgrade to version 7.0.0, which fixes this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow-providers-cncf-kubernetes"
},
"ranges": [
{
"events": [
{
"introduced": "5.2.0"
},
{
"fixed": "7.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-51702"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-24T21:13:06Z",
"nvd_published_at": "2024-01-24T13:15:08Z",
"severity": "MODERATE"
},
"details": "Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. Additionally, if used with an Airflow version between 2.3.0 and 2.6.0, the configuration dictionary will be logged as plain text in the triggerer service without masking. This allows anyone with access to the metadata or triggerer log to obtain the configuration file and use it to access the Kubernetes cluster.\n\nThis behavior was changed in version 7.0.0, which stopped serializing the file contents and started providing the file path instead to read the contents into the trigger. Users are recommended to upgrade to version 7.0.0, which fixes this issue.",
"id": "GHSA-mg2x-mggj-6955",
"modified": "2024-01-31T14:55:45Z",
"published": "2024-01-24T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51702"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/29498"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/30110"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/36492"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/89x3q6lz5pykrkr1fkr04k4rfn9pvnv9"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/24/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service"
}
GHSA-MGXH-X4JJ-4GRV
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42TP-Link Archer C5v 1.7_181221 devices allows remote attackers to retrieve cleartext credentials via [USER_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,0 to the /cgi?1&5 URI.
{
"affected": [],
"aliases": [
"CVE-2021-27210"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-13T01:15:00Z",
"severity": "MODERATE"
},
"details": "TP-Link Archer C5v 1.7_181221 devices allows remote attackers to retrieve cleartext credentials via [USER_CFG#0,0,0,0,0,0#0,0,0,0,0,0]0,0 to the /cgi?1\u00265 URI.",
"id": "GHSA-mgxh-x4jj-4grv",
"modified": "2022-05-24T17:42:08Z",
"published": "2022-05-24T17:42:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27210"
},
{
"type": "WEB",
"url": "https://gokay.org/tp-links-archer-c5v-improper-authorization"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MJ3G-5JVR-4W7H
Vulnerability from github – Published: 2023-07-03 21:30 – Updated: 2024-04-04 05:21?All versions of the TWinSoft Configuration Tool store encrypted passwords as plaintext in memory. An attacker with access to system files could open a file to load the document into memory, including sensitive information associated with document, such as password. The attacker could then obtain the plaintext password by using a memory viewer.
{
"affected": [],
"aliases": [
"CVE-2023-3395"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-03T21:15:10Z",
"severity": "MODERATE"
},
"details": "\n?All versions of the TWinSoft Configuration Tool store encrypted passwords as plaintext in memory. An attacker with access to system files could open a file to load the document into memory, including sensitive information associated with document, such as password. The attacker could then obtain the plaintext password by using a memory viewer.\n\n",
"id": "GHSA-mj3g-5jvr-4w7h",
"modified": "2024-04-04T05:21:00Z",
"published": "2023-07-03T21:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3395"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJ6G-39XM-96Q9
Vulnerability from github – Published: 2024-04-09 00:30 – Updated: 2025-03-13 15:32The NMAP Importer service may expose data store credentials to authorized users of the Windows Registry.
{
"affected": [],
"aliases": [
"CVE-2024-23584"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T23:15:07Z",
"severity": "MODERATE"
},
"details": "The NMAP Importer service\u200b may expose data store credentials to authorized users of the Windows Registry.",
"id": "GHSA-mj6g-39xm-96q9",
"modified": "2025-03-13T15:32:30Z",
"published": "2024-04-09T00:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23584"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0112264"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MM6H-6R59-4W65
Vulnerability from github – Published: 2024-06-11 21:32 – Updated: 2024-06-11 21:32A vulnerability exists in the FOXMAN-UN/UNEM in which sensitive information is stored in cleartext within a resource that might be accessible to another control sphere.
{
"affected": [],
"aliases": [
"CVE-2024-28024"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T19:16:06Z",
"severity": "LOW"
},
"details": "A vulnerability exists in the FOXMAN-UN/UNEM in which sensitive information is \nstored in cleartext within a resource that might be accessible to an\u0002other control sphere.",
"id": "GHSA-mm6h-6r59-4w65",
"modified": "2024-06-11T21:32:17Z",
"published": "2024-06-11T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28024"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000194\u0026languageCode=en\u0026Preview=true"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201\u0026languageCode=en\u0026Preview=true"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MPHF-MF2V-25FF
Vulnerability from github – Published: 2022-07-02 00:00 – Updated: 2022-07-09 00:00IBM UrbanCode Deploy (UCD) 6.2.7.15, 7.0.5.10, 7.1.2.6, and 7.2.2.1 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 22106.
{
"affected": [],
"aliases": [
"CVE-2022-22366"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-01T18:15:00Z",
"severity": "MODERATE"
},
"details": "IBM UrbanCode Deploy (UCD) 6.2.7.15, 7.0.5.10, 7.1.2.6, and 7.2.2.1 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 22106.",
"id": "GHSA-mphf-mf2v-25ff",
"modified": "2022-07-09T00:00:23Z",
"published": "2022-07-02T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22366"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/221006"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6600065"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MPJ6-2M9M-7RV8
Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2022-05-24 17:21BIOTRONIK CardioMessenger II, The affected products do not encrypt sensitive information while at rest. An attacker with physical access to the CardioMessenger can disclose medical measurement data and the serial number from the implanted cardiac device the CardioMessenger is paired with.
{
"affected": [],
"aliases": [
"CVE-2019-18254"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-29T14:15:00Z",
"severity": "LOW"
},
"details": "BIOTRONIK CardioMessenger II, The affected products do not encrypt sensitive information while at rest. An attacker with physical access to the CardioMessenger can disclose medical measurement data and the serial number from the implanted cardiac device the CardioMessenger is paired with.",
"id": "GHSA-mpj6-2m9m-7rv8",
"modified": "2022-05-24T17:21:57Z",
"published": "2022-05-24T17:21:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18254"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsma-20-170-05"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MPM3-WR5W-85GH
Vulnerability from github – Published: 2025-08-06 21:31 – Updated: 2025-08-07 15:33Insecure Data Storage of credentials has been found in /api_vedo/configuration/config.yml file in Vedo Suite version 2024.17. This file contains clear-text credentials, secret keys, and database information.
{
"affected": [],
"aliases": [
"CVE-2025-51055"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T21:15:30Z",
"severity": "HIGH"
},
"details": "Insecure Data Storage of credentials has been found in /api_vedo/configuration/config.yml file in Vedo Suite version 2024.17. This file contains clear-text credentials, secret keys, and database information.",
"id": "GHSA-mpm3-wr5w-85gh",
"modified": "2025-08-07T15:33:12Z",
"published": "2025-08-06T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51055"
},
{
"type": "WEB",
"url": "https://github.com/jacopoaugelli/vedo-suite-exploits"
},
{
"type": "WEB",
"url": "http://bottinelli.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.