CWE-316
AllowedCleartext Storage of Sensitive Information in Memory
Abstraction: Variant · Status: Draft
The product stores sensitive information in cleartext in memory.
62 vulnerabilities reference this CWE, most recent first.
GHSA-2P2F-PX33-4VV5
Vulnerability from github – Published: 2026-07-14 20:05 – Updated: 2026-07-14 20:05Impact
The web handler renderMobileBundle (internal/web/handlers.go:1325) passes the real *pki.CAResolver directly into mobilebundle.Build. Inside Build (internal/mobilebundle/builder.go:54), resolver.LoadByID decrypts the CA's ed25519 private key into a *pki.CAManager, but Build never calls CAManager.Wipe() on any return path (success or any of the error paths at lines 56, 62, 68, 80, 86, 92, 98, 102, 109, 118, 150).
As a result, when a mobile-bundle request goes through the web UI and Build returns — especially on error (missing network, invalid prefix, DB error, signing failure) — the plaintext CA private key remains on the Go heap, unwiped, until garbage collection. An attacker able to read process memory (core dump, swap, memory-scraping) can recover the CA signing key, which would allow minting arbitrary host certificates for the mesh.
The API handler (internal/api/mobile_bundle.go:74) already does this correctly: it loads the CAManager, defer caMgr.Wipe(), and wraps it in caManagerResolver. Only the web path is affected.
This is the same key-zeroization class previously addressed in GHSA-8h84-fhqq-q58v.
Patches
Add defer caMgr.Wipe() inside mobilebundle.Build immediately after the LoadByID call so every caller (web and API) is protected on all return paths. Ensure CAManager.Wipe() is idempotent, since the API handler also wipes the same manager.
Workarounds
None at the configuration level; requires a code fix.
Resources
internal/web/handlers.go:1325internal/mobilebundle/builder.go:54internal/api/mobile_bundle.go:74(correct reference implementation)- Prior related advisory: GHSA-8h84-fhqq-q58v
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/forgekeep/nebula-mesh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53604"
],
"database_specific": {
"cwe_ids": [
"CWE-212",
"CWE-316"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-14T20:05:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Impact\n\nThe web handler `renderMobileBundle` (`internal/web/handlers.go:1325`) passes the real `*pki.CAResolver` directly into `mobilebundle.Build`. Inside `Build` (`internal/mobilebundle/builder.go:54`), `resolver.LoadByID` decrypts the CA\u0027s ed25519 private key into a `*pki.CAManager`, but `Build` never calls `CAManager.Wipe()` on any return path (success or any of the error paths at lines 56, 62, 68, 80, 86, 92, 98, 102, 109, 118, 150).\n\nAs a result, when a mobile-bundle request goes through the **web** UI and `Build` returns \u2014 especially on error (missing network, invalid prefix, DB error, signing failure) \u2014 the plaintext CA private key remains on the Go heap, unwiped, until garbage collection. An attacker able to read process memory (core dump, swap, memory-scraping) can recover the CA signing key, which would allow minting arbitrary host certificates for the mesh.\n\nThe **API** handler (`internal/api/mobile_bundle.go:74`) already does this correctly: it loads the `CAManager`, `defer caMgr.Wipe()`, and wraps it in `caManagerResolver`. Only the web path is affected.\n\nThis is the same key-zeroization class previously addressed in GHSA-8h84-fhqq-q58v.\n\n## Patches\n\nAdd `defer caMgr.Wipe()` inside `mobilebundle.Build` immediately after the `LoadByID` call so every caller (web and API) is protected on all return paths. Ensure `CAManager.Wipe()` is idempotent, since the API handler also wipes the same manager.\n\n## Workarounds\n\nNone at the configuration level; requires a code fix.\n\n## Resources\n\n- `internal/web/handlers.go:1325`\n- `internal/mobilebundle/builder.go:54`\n- `internal/api/mobile_bundle.go:74` (correct reference implementation)\n- Prior related advisory: GHSA-8h84-fhqq-q58v",
"id": "GHSA-2p2f-px33-4vv5",
"modified": "2026-07-14T20:05:38Z",
"published": "2026-07-14T20:05:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/security/advisories/GHSA-2p2f-px33-4vv5"
},
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/commit/1f1ab9aa8472239763d967e3d50a3cd53a1a79b9"
},
{
"type": "PACKAGE",
"url": "https://github.com/forgekeep/nebula-mesh"
},
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/releases/tag/v0.3.8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "nebula-mesh: CA private key not zeroized on web mobile-bundle error paths"
}
GHSA-2WPH-4XPG-R884
Vulnerability from github – Published: 2023-12-12 12:30 – Updated: 2023-12-12 12:30A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) (All versions < V19). An information disclosure vulnerability could allow a local attacker to gain access to the access level password of the SIMATIC S7-1200 and S7-1500 CPUs, when entered by a legitimate user in the hardware configuration of the affected application.
{
"affected": [],
"aliases": [
"CVE-2022-46141"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-12T12:15:10Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) (All versions \u003c V19). An information disclosure vulnerability could allow a local attacker to gain access to the access level password of the SIMATIC S7-1200 and S7-1500 CPUs, when entered by a legitimate user in the hardware configuration of the affected application.",
"id": "GHSA-2wph-4xpg-r884",
"modified": "2023-12-12T12:30:53Z",
"published": "2023-12-12T12:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46141"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-887801.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4265-PFR7-6XJV
Vulnerability from github – Published: 2025-11-14 18:31 – Updated: 2025-11-14 18:31A sensitive information disclosure vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to retrieve sensitive data from Prisma Browser.
Browser self-protection should be enabled to mitigate this issue.
{
"affected": [],
"aliases": [
"CVE-2025-4618"
],
"database_specific": {
"cwe_ids": [
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-14T18:15:47Z",
"severity": "MODERATE"
},
"details": "A sensitive information disclosure vulnerability in Palo Alto Networks Prisma\u00ae Browser allows a locally authenticated non-admin user to retrieve sensitive data from Prisma Browser.\n\nBrowser self-protection should be enabled to mitigate this issue.",
"id": "GHSA-4265-pfr7-6xjv",
"modified": "2025-11-14T18:31:39Z",
"published": "2025-11-14T18:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4618"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2025-4618"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-49QV-652V-577V
Vulnerability from github – Published: 2026-05-20 12:30 – Updated: 2026-05-20 12:30Cleartext Storage of Sensitive Information in Memory vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component.
This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.
{
"affected": [],
"aliases": [
"CVE-2026-0857"
],
"database_specific": {
"cwe_ids": [
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T11:16:25Z",
"severity": "MODERATE"
},
"details": "Cleartext Storage of Sensitive Information in Memory vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component.\n\nThis issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.",
"id": "GHSA-49qv-652v-577v",
"modified": "2026-05-20T12:30:38Z",
"published": "2026-05-20T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0857"
},
{
"type": "WEB",
"url": "https://seccore.at/blog/cves-meona"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4CVC-J8GF-MG3G
Vulnerability from github – Published: 2024-07-14 15:30 – Updated: 2024-07-14 15:30IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 temporarily stores data from different environments that could be obtained by a malicious user. IBM X-Force ID: 295791.
{
"affected": [],
"aliases": [
"CVE-2024-39732"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-14T13:15:20Z",
"severity": "MODERATE"
},
"details": "IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 temporarily stores data from different environments that could be obtained by a malicious user. IBM X-Force ID: 295791.",
"id": "GHSA-4cvc-j8gf-mg3g",
"modified": "2024-07-14T15:30:57Z",
"published": "2024-07-14T15:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39732"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/295791"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7160185"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-59P6-QQ9J-XGJC
Vulnerability from github – Published: 2025-11-11 03:30 – Updated: 2025-11-11 03:30SAP GUI for Windows may allow a highly privileged user on the affected client PC to locally access sensitive information stored in process memory during runtime.This vulnerability has a high impact on confidentiality, with no impact on integrity and availability.
{
"affected": [],
"aliases": [
"CVE-2025-42888"
],
"database_specific": {
"cwe_ids": [
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T01:15:37Z",
"severity": "MODERATE"
},
"details": "SAP GUI for Windows may allow a highly privileged user on the affected client PC to locally access sensitive information stored in process memory during runtime.This vulnerability has a high impact on confidentiality, with no impact on integrity and availability.",
"id": "GHSA-59p6-qq9j-xgjc",
"modified": "2025-11-11T03:30:28Z",
"published": "2025-11-11T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42888"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3651097"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-62VX-HPCR-M9CH
Vulnerability from github – Published: 2025-11-20 15:30 – Updated: 2025-11-20 18:48Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@perfood/couch-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.21.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-60794"
],
"database_specific": {
"cwe_ids": [
"CWE-316"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-20T18:48:26Z",
"nvd_published_at": "2025-11-20T15:17:37Z",
"severity": "MODERATE"
},
"details": "Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.",
"id": "GHSA-62vx-hpcr-m9ch",
"modified": "2025-11-20T18:48:27Z",
"published": "2025-11-20T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60794"
},
{
"type": "PACKAGE",
"url": "https://github.com/perfood/couch-auth"
},
{
"type": "WEB",
"url": "https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60794.md"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@perfood/couch-auth"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "@perfood/couch-auth may expose session tokens, passwords"
}
GHSA-6844-78P7-PCMC
Vulnerability from github – Published: 2023-07-19 09:30 – Updated: 2023-07-19 09:30A vulnerability was found in Intergard SGS 8.7.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to cleartext storage of sensitive information in memory. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-234447. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2023-3762"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-19T07:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Intergard SGS 8.7.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to cleartext storage of sensitive information in memory. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-234447. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-6844-78p7-pcmc",
"modified": "2023-07-19T09:30:54Z",
"published": "2023-07-19T09:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3762"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.234447"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.234447"
},
{
"type": "WEB",
"url": "https://youtu.be/Ee2KU-T_0pI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7R3R-R496-RRFW
Vulnerability from github – Published: 2022-11-25 00:30 – Updated: 2022-11-28 21:30Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthorized attacker to disclose sensitive information. As a result, unauthorized users could obtain information about the project file for MELSEC safety CPU modules.
{
"affected": [],
"aliases": [
"CVE-2022-29832"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-25T00:15:00Z",
"severity": "MODERATE"
},
"details": "Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthorized attacker to disclose sensitive information. As a result, unauthorized users could obtain information about the project file for MELSEC safety CPU modules.",
"id": "GHSA-7r3r-r496-rrfw",
"modified": "2022-11-28T21:30:22Z",
"published": "2022-11-25T00:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29832"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU97244961"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C244-PRPX-2Q63
Vulnerability from github – Published: 2022-05-17 04:39 – Updated: 2025-10-06 18:31upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code.
{
"affected": [],
"aliases": [
"CVE-2014-2366"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-07-19T05:09:00Z",
"severity": "MODERATE"
},
"details": "upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code.",
"id": "GHSA-c244-prpx-2q63",
"modified": "2025-10-06T18:31:00Z",
"published": "2022-05-17T04:39:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2366"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-198-02"
},
{
"type": "WEB",
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"
},
{
"type": "WEB",
"url": "http://webaccess.advantech.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.