CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-MXRQ-2VQC-2JH4
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2024-03-21 03:33** DISPUTED ** Genymotion Desktop through 3.2.0 leaks the host's clipboard data to the Android application by default. NOTE: the vendor's position is that this is intended behavior that can be changed through the Settings > Device screen.
{
"affected": [],
"aliases": [
"CVE-2021-27549"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-22T17:15:00Z",
"severity": "MODERATE"
},
"details": "** DISPUTED ** Genymotion Desktop through 3.2.0 leaks the host\u0027s clipboard data to the Android application by default. NOTE: the vendor\u0027s position is that this is intended behavior that can be changed through the Settings \u003e Device screen.",
"id": "GHSA-mxrq-2vqc-2jh4",
"modified": "2024-03-21T03:33:59Z",
"published": "2022-05-24T17:42:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27549"
},
{
"type": "WEB",
"url": "https://docs.genymotion.com/desktop/latest/02_Application.html"
},
{
"type": "WEB",
"url": "https://github.com/eybisi/misc/tree/main/clipwatch"
},
{
"type": "WEB",
"url": "https://twitter.com/0xabc0/status/1363788023956185090"
},
{
"type": "WEB",
"url": "https://twitter.com/0xabc0/status/1363855602477387783"
},
{
"type": "WEB",
"url": "https://twitter.com/0xabc0/status/1363856804602671104"
},
{
"type": "WEB",
"url": "https://www.genymotion.com/download"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=Tod8Q6sf0P8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P2CM-6JC2-7JH2
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-08-13 00:00ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user’s privilege.
{
"affected": [],
"aliases": [
"CVE-2021-41302"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-30T11:15:00Z",
"severity": "HIGH"
},
"details": "ECOA BAS controller stores sensitive data (backup exports) in clear-text, thus the unauthenticated attacker can remotely query user password and obtain user\u2019s privilege.",
"id": "GHSA-p2cm-6jc2-7jh2",
"modified": "2022-08-13T00:00:35Z",
"published": "2022-05-24T22:28:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41302"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-5138-d40ae-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-P2JG-7VXG-X4VP
Vulnerability from github – Published: 2026-02-25 21:31 – Updated: 2026-02-26 18:31Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.
{
"affected": [],
"aliases": [
"CVE-2026-3221"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-25T19:43:26Z",
"severity": "MODERATE"
},
"details": "Sensitive\n user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with \naccess to the database to obtain sensitive user \ninformation via direct database access.",
"id": "GHSA-p2jg-7vxg-x4vp",
"modified": "2026-02-26T18:31:39Z",
"published": "2026-02-25T21:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3221"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2026-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P34J-R3CH-C985
Vulnerability from github – Published: 2025-03-06 00:31 – Updated: 2025-03-06 22:30Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI.
This allows attackers with Agent/Extended Read permission to view encrypted values of secrets.
Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in agent config.xml accessed via REST API or CLI for users lacking Agent/Configure permission.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.493"
},
{
"fixed": "2.500"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.492.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27622"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-06T22:30:07Z",
"nvd_published_at": "2025-03-05T23:15:13Z",
"severity": "MODERATE"
},
"details": "Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI.\n\nThis allows attackers with Agent/Extended Read permission to view encrypted values of secrets.\n\nJenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in agent `config.xml` accessed via REST API or CLI for users lacking Agent/Configure permission.",
"id": "GHSA-p34j-r3ch-c985",
"modified": "2025-03-06T22:30:08Z",
"published": "2025-03-06T00:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27622"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/923cdbc165e8b8523ae960dfee5f7354878532d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3495"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission"
}
GHSA-P3FF-JH52-G57X
Vulnerability from github – Published: 2022-12-26 06:30 – Updated: 2023-01-05 18:30Certain General Electric Renewable Energy products store cleartext credentials in flash memory. This affects iNET and iNET II before 8.3.0.
{
"affected": [],
"aliases": [
"CVE-2022-24120"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-26T05:15:00Z",
"severity": "MODERATE"
},
"details": "Certain General Electric Renewable Energy products store cleartext credentials in flash memory. This affects iNET and iNET II before 8.3.0.",
"id": "GHSA-p3ff-jh52-g57x",
"modified": "2023-01-05T18:30:30Z",
"published": "2022-12-26T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24120"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P3RG-2CJ3-M987
Vulnerability from github – Published: 2026-04-08 15:31 – Updated: 2026-04-08 15:31Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file by exploiting this vulnerability, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system.
{
"affected": [],
"aliases": [
"CVE-2025-14815"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-08T14:16:24Z",
"severity": "CRITICAL"
},
"details": "Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file by exploiting this vulnerability, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system.",
"id": "GHSA-p3rg-2cj3-m987",
"modified": "2026-04-08T15:31:44Z",
"published": "2026-04-08T15:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14815"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU90646130"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P449-Q86C-MX7R
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2024-07-26 21:31An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user access the edit function, the web application fills the edit form with the current credentials for the email account, including the cleartext password.
{
"affected": [],
"aliases": [
"CVE-2024-31840"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:25Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user access the edit function, the web application fills the edit form with the current credentials for the email account, including the cleartext password.",
"id": "GHSA-p449-q86c-mx7r",
"modified": "2024-07-26T21:31:15Z",
"published": "2024-05-21T18:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31840"
},
{
"type": "WEB",
"url": "https://www.gruppotim.it/it/footer/red-team.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P469-7GQP-FP24
Vulnerability from github – Published: 2022-05-13 01:02 – Updated: 2022-05-13 01:02In a certain atypical IBM Spectrum Protect 7.1 and 8.1 configurations, the node password could be displayed in plain text in the IBM Spectrum Protect client trace file. IBM X-Force ID: 151968.
{
"affected": [],
"aliases": [
"CVE-2018-1882"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-08T15:29:00Z",
"severity": "MODERATE"
},
"details": "In a certain atypical IBM Spectrum Protect 7.1 and 8.1 configurations, the node password could be displayed in plain text in the IBM Spectrum Protect client trace file. IBM X-Force ID: 151968.",
"id": "GHSA-p469-7gqp-fp24",
"modified": "2022-05-13T01:02:36Z",
"published": "2022-05-13T01:02:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1882"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/151968"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10869208"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=ibm10869436"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107861"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P57H-3CMC-XPJQ
Vulnerability from github – Published: 2024-12-02 18:35 – Updated: 2024-12-02 18:35Impact
The Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases:
- The 'boot-ftp-password' and 'ssc-master-pw' properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs
- The 'ssc-master-pw' and 'zaware-master-pw' properties when updating an LPAR in classic mode, in the zhmcclient API and HMC logs
- The 'ssc-master-pw' and 'zaware-master-pw' properties when creating or updating an image activation profile in classic mode, in the zhmcclient API and HMC logs
- The 'password' property when creating or updating an HMC user, in the zhmcclient API log
- The 'bind-password' property when creating or updating an LDAP server definition, in the zhmcclient API and HMC logs
This issue affects only users of the zhmcclient package that have enabled the Python loggers named "zhmcclient.api" (for the API log) or "zhmcclient.hmc" (for the HMC log) and that use the functions listed above.
Patches
Has been fixed in zhmcclient version 1.18.1
Workarounds
Not applicable, since fix is available.
References
None
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "zhmcclient"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-53865"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-02T18:35:18Z",
"nvd_published_at": "2024-11-29T19:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe Python package \"zhmcclient\" writes password-like properties in clear text into its HMC and API logs in the following cases:\n\n* The \u0027boot-ftp-password\u0027 and \u0027ssc-master-pw\u0027 properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs\n* The \u0027ssc-master-pw\u0027 and \u0027zaware-master-pw\u0027 properties when updating an LPAR in classic mode, in the zhmcclient API and HMC logs\n* The \u0027ssc-master-pw\u0027 and \u0027zaware-master-pw\u0027 properties when creating or updating an image activation profile in classic mode, in the zhmcclient API and HMC logs\n* The \u0027password\u0027 property when creating or updating an HMC user, in the zhmcclient API log\n* The \u0027bind-password\u0027 property when creating or updating an LDAP server definition, in the zhmcclient API and HMC logs\n\nThis issue affects only users of the zhmcclient package that have enabled the Python loggers named \"zhmcclient.api\" (for the API log) or \"zhmcclient.hmc\" (for the HMC log) and that use the functions listed above.\n\n### Patches\n\nHas been fixed in zhmcclient version 1.18.1\n\n### Workarounds\n\nNot applicable, since fix is available.\n\n### References\n\nNone\n",
"id": "GHSA-p57h-3cmc-xpjq",
"modified": "2024-12-02T18:35:18Z",
"published": "2024-12-02T18:35:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zhmcclient/python-zhmcclient/security/advisories/GHSA-p57h-3cmc-xpjq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53865"
},
{
"type": "WEB",
"url": "https://github.com/zhmcclient/python-zhmcclient/commit/ad32781e782d0f604c6da4680fce48e4cc1f4433"
},
{
"type": "PACKAGE",
"url": "https://github.com/zhmcclient/python-zhmcclient"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Python package \"zhmcclient\" stores passwords in clear text in its HMC and API logs"
}
GHSA-P598-8V9Q-QJHX
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45In all versions of GitLab starting from 13.7, marshalled session keys were being stored in Redis.
{
"affected": [],
"aliases": [
"CVE-2021-22194"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-26T20:15:00Z",
"severity": "MODERATE"
},
"details": "In all versions of GitLab starting from 13.7, marshalled session keys were being stored in Redis.",
"id": "GHSA-p598-8v9q-qjhx",
"modified": "2022-05-24T17:45:32Z",
"published": "2022-05-24T17:45:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22194"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-22194.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/262107"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.