Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-R7JQ-2WVX-J3G6

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24
VLAI
Details

A CWE-316: Cleartext Storage of Sensitive Information in Memory vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker access to login credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-7516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-23T21:15:00Z",
    "severity": "LOW"
  },
  "details": "A CWE-316: Cleartext Storage of Sensitive Information in Memory vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker access to login credentials.",
  "id": "GHSA-r7jq-2wvx-j3g6",
  "modified": "2022-05-24T17:24:17Z",
  "published": "2022-05-24T17:24:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7516"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-161-05"
    },
    {
      "type": "WEB",
      "url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R84C-86VG-4C66

Vulnerability from github – Published: 2024-03-07 03:30 – Updated: 2024-08-29 21:31
VLAI
Details

SQL injection vulnerability in Jfinalcms v.5.0.0 allows a remote attacker to obtain sensitive information via /admin/admin name parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24375"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-07T01:15:52Z",
    "severity": "HIGH"
  },
  "details": "SQL injection vulnerability in Jfinalcms v.5.0.0 allows a remote attacker to obtain sensitive information via /admin/admin name parameter.",
  "id": "GHSA-r84c-86vg-4c66",
  "modified": "2024-08-29T21:31:02Z",
  "published": "2024-03-07T03:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24375"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RiverGone/records/blob/main/JFinalcms-admin-admin-name.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R85R-2583-Q5CQ

Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2024-07-30 03:30
VLAI
Details

An issue was discovered in WiZ Colors A60 1.14.0. Wi-Fi credentials are stored in cleartext in flash memory, which presents an information-disclosure risk for a discarded or resold device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11924"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-02T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in WiZ Colors A60 1.14.0. Wi-Fi credentials are stored in cleartext in flash memory, which presents an information-disclosure risk for a discarded or resold device.",
  "id": "GHSA-r85r-2583-q5cq",
  "modified": "2024-07-30T03:30:50Z",
  "published": "2022-05-24T17:46:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11924"
    },
    {
      "type": "WEB",
      "url": "https://www.eurofins-cybersecurity.com/news/connected-devices-wiz-smart-lightbulbs"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R9W4-5F8X-9RMM

Vulnerability from github – Published: 2023-07-13 15:30 – Updated: 2024-04-04 06:07
VLAI
Details

An issue found in ALBIS Co. ALBIS v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp ALBIS function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T15:15:09Z",
    "severity": "HIGH"
  },
  "details": "An issue found in ALBIS Co. ALBIS v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp ALBIS function.",
  "id": "GHSA-r9w4-5f8x-9rmm",
  "modified": "2024-04-04T06:07:24Z",
  "published": "2023-07-13T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31821"
    },
    {
      "type": "WEB",
      "url": "https://github.com/syz913/CVE-reports/blob/main/CVE-2023-31821.md"
    },
    {
      "type": "WEB",
      "url": "http://albis.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R9XC-54CQ-99R7

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-11-02 00:05
VLAI
Summary
Cleartext Storage of Sensitive Information in Jenkins ElasticBox CI Plugin
Details

Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.elasticbox.jenkins-ci.plugins:elasticbox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-02T00:05:16Z",
    "nvd_published_at": "2019-10-16T14:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
  "id": "GHSA-r9xc-54cq-99r7",
  "modified": "2022-11-02T00:05:16Z",
  "published": "2022-05-24T16:58:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10450"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1434"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cleartext Storage of Sensitive Information in Jenkins ElasticBox CI Plugin"
}

GHSA-RC78-PC2Q-79XC

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

An issue was discovered in Xuperchain 3.6.0 that allows for attackers to recover any arbitrary users' private key after obtaining the partial signature in multisignature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-22741"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-19T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Xuperchain 3.6.0 that allows for attackers to recover any arbitrary users\u0027 private key after obtaining the partial signature in multisignature.",
  "id": "GHSA-rc78-pc2q-79xc",
  "modified": "2022-05-24T19:08:25Z",
  "published": "2022-05-24T19:08:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22741"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xuperchain/xuperchain/issues/782"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RCQQ-FM3C-9R79

Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08
VLAI
Details

The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-22T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the \u0027Edit MySQL Configuration\u0027 command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).",
  "id": "GHSA-rcqq-fm3c-9r79",
  "modified": "2022-05-24T19:08:55Z",
  "published": "2022-05-24T19:08:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31581"
    },
    {
      "type": "WEB",
      "url": "https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RFH6-9R2Q-98VF

Vulnerability from github – Published: 2025-03-06 00:31 – Updated: 2025-03-06 22:29
VLAI
Summary
Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission
Details

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI.

This allows attackers with View/Read permission to view encrypted values of secrets.

Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in view config.xml accessed via REST API or CLI for users lacking View/Configure permission.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.492.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.493"
            },
            {
              "fixed": "2.500"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-06T22:29:49Z",
    "nvd_published_at": "2025-03-05T23:15:14Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI.\n\nThis allows attackers with View/Read permission to view encrypted values of secrets.\n\nJenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in view `config.xml` accessed via REST API or CLI for users lacking View/Configure permission.",
  "id": "GHSA-rfh6-9r2q-98vf",
  "modified": "2025-03-06T22:29:49Z",
  "published": "2025-03-06T00:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/923cdbc165e8b8523ae960dfee5f7354878532d5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3496"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission"
}

GHSA-RH7M-R3XM-V5XG

Vulnerability from github – Published: 2026-07-03 09:31 – Updated: 2026-07-03 09:31
VLAI
Details

Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-03T08:16:25Z",
    "severity": "MODERATE"
  },
  "details": "Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent\u0027s local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api\u00a01.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 \u0026 PE 2025.11.0.",
  "id": "GHSA-rh7m-r3xm-v5xg",
  "modified": "2026-07-03T09:31:28Z",
  "published": "2026-07-03T09:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8804"
    },
    {
      "type": "WEB",
      "url": "https://portal.perforce.com/s/cve/a91Qi000003511lIAA/cve20268804-cleartext-storage-of-sensitive-information-for-puppet-resource-api"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RHH2-F22C-XH7F

Vulnerability from github – Published: 2024-11-04 12:32 – Updated: 2024-11-08 15:31
VLAI
Details

This vulnerability exists in TP-Link IoT Smart Hub due to storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the Wi-Fi credentials stored on the vulnerable device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-04T12:16:09Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability exists in TP-Link IoT Smart Hub due to storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the Wi-Fi credentials stored on the vulnerable device.",
  "id": "GHSA-rhh2-f22c-xh7f",
  "modified": "2024-11-08T15:31:12Z",
  "published": "2024-11-04T12:32:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10523"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0331"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.