Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

397 vulnerabilities reference this CWE, most recent first.

GHSA-5C45-MGCF-3HHJ

Vulnerability from github – Published: 2025-01-08 18:30 – Updated: 2025-01-08 18:30
VLAI
Details

Dell VxRail, versions 8.0.000 through 8.0.311, contain(s) a Plaintext Storage of a Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-08T18:15:20Z",
    "severity": "HIGH"
  },
  "details": "Dell VxRail, versions 8.0.000 through 8.0.311, contain(s) a Plaintext Storage of a Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.",
  "id": "GHSA-5c45-mgcf-3hhj",
  "modified": "2025-01-08T18:30:49Z",
  "published": "2025-01-08T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21111"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000269958/dsa-2025-025-security-update-for-dell-vxrail-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5C97-GXR3-R368

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2022-12-06 21:47
VLAI
Summary
Jenkins Weibo Plugin stores credentials unencrypted in its global configuration file
Details

Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:weibo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1024",
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T21:47:50Z",
    "nvd_published_at": "2019-12-17T15:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
  "id": "GHSA-5c97-gxr3-r368",
  "modified": "2022-12-06T21:47:50Z",
  "published": "2022-05-24T17:03:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16572"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1597"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Weibo Plugin stores credentials unencrypted in its global configuration file"
}

GHSA-5JJF-WCVF-923W

Vulnerability from github – Published: 2026-04-20 03:34 – Updated: 2026-04-24 20:22
VLAI
Summary
Langflow has an Information Leak through Incomplete API Key Redaction
Details

A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-6597"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T20:20:33Z",
    "nvd_published_at": "2026-04-20T03:16:17Z",
    "severity": "LOW"
  },
  "details": "A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-5jjf-wcvf-923w",
  "modified": "2026-04-24T20:22:08Z",
  "published": "2026-04-20T03:34:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6597"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/791920"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/358232"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/358232/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Langflow has an Information Leak through Incomplete API Key Redaction"
}

GHSA-5Q29-F827-Q5CX

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36
VLAI
Details

A Plaintext Storage of a Password issue was discovered in Moxa OnCell G3110-HSPA Version 1.3 build 15082117 and previous versions, OnCell G3110-HSDPA Version 1.2 Build 09123015 and previous versions, OnCell G3150-HSDPA Version 1.4 Build 11051315 and previous versions, OnCell 5104-HSDPA, OnCell 5104-HSPA, and OnCell 5004-HSPA. The application's configuration file contains parameters that represent passwords in plaintext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-29T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A Plaintext Storage of a Password issue was discovered in Moxa OnCell G3110-HSPA Version 1.3 build 15082117 and previous versions, OnCell G3110-HSDPA Version 1.2 Build 09123015 and previous versions, OnCell G3150-HSDPA Version 1.4 Build 11051315 and previous versions, OnCell 5104-HSDPA, OnCell 5104-HSPA, and OnCell 5004-HSPA. The application\u0027s configuration file contains parameters that represent passwords in plaintext.",
  "id": "GHSA-5q29-f827-q5cx",
  "modified": "2022-05-13T01:36:15Z",
  "published": "2022-05-13T01:36:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7913"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-143-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5Q66-V53Q-PM35

Vulnerability from github – Published: 2023-09-12 21:10 – Updated: 2023-09-12 21:10
VLAI
Summary
Keycloak vulnerable to Plaintext Storage of User Password
Details

A flaw was discovered in Keycloak Core package. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular attributes in the users attributes. The password is also created, but the user attributes must not be there. This way, any entities (all users and clients with proper rights/roles) are able to retrieve the users passwords in clear-text.

Impact

Passwords for self-registered users are stored as cleartext attributes associated with the user.

Mitigation

Disable self-registration for users in all realms until patched.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.2"
            },
            {
              "fixed": "22.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "22.0.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-4918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-319"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-12T21:10:37Z",
    "nvd_published_at": "2023-09-12T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "A flaw was discovered in Keycloak Core package.  When a user registers itself through registration flow, the \"password\" and \"password-confirm\" field from the form will occur as regular attributes in the users attributes. The password is also created, but the user attributes must not be there. This way, any entities (all users and clients with proper rights/roles) are able to retrieve the users passwords in clear-text. \n\n### Impact\nPasswords for self-registered users are stored as cleartext attributes associated with the user. \n\n### Mitigation\nDisable self-registration for users in all realms until patched.\n\n",
  "id": "GHSA-5q66-v53q-pm35",
  "modified": "2023-09-12T21:10:37Z",
  "published": "2023-09-12T21:10:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-5q66-v53q-pm35"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4918"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-4918"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238588"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak vulnerable to Plaintext Storage of User Password"
}

GHSA-5R5F-HCWF-R9JH

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-12-29 00:49
VLAI
Summary
Secret stored in plain text by Jenkins GitHub Coverage Reporter Plugin
Details

GitHub Coverage Reporter Plugin 1.10 and earlier stores a GitHub access token in plain text in its global configuration file io.jenkins.plugins.gcr.PluginConfiguration.xml. This token can be viewed by users with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.plugins:github-coverage-reporter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2212"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-29T00:49:42Z",
    "nvd_published_at": "2020-07-02T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "GitHub Coverage Reporter Plugin 1.10 and earlier stores a GitHub access token in plain text in its global configuration file `io.jenkins.plugins.gcr.PluginConfiguration.xml`. This token can be viewed by users with access to the Jenkins controller file system.",
  "id": "GHSA-5r5f-hcwf-r9jh",
  "modified": "2022-12-29T00:49:42Z",
  "published": "2022-05-24T17:22:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2212"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/github-coverage-reporter-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1632"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/07/02/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Secret stored in plain text by Jenkins GitHub Coverage Reporter Plugin"
}

GHSA-5RJ2-F4XF-8M9Q

Vulnerability from github – Published: 2026-02-03 00:30 – Updated: 2026-03-03 03:32
VLAI
Details

Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-02T23:15:58Z",
    "severity": "MODERATE"
  },
  "details": "Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover.  The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password.",
  "id": "GHSA-5rj2-f4xf-8m9q",
  "modified": "2026-03-03T03:32:40Z",
  "published": "2026-02-03T00:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12680"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-5V78-8GV6-C945

Vulnerability from github – Published: 2024-04-15 12:30 – Updated: 2024-07-08 15:31
VLAI
Details

Plaintext storage of a password issue exists in BUFFALO wireless LAN routers, which may allow a network-adjacent unauthenticated attacker with access to the product's login page may obtain configured credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-15T11:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "Plaintext storage of a password issue exists in BUFFALO wireless LAN routers, which may allow a network-adjacent unauthenticated attacker with access to the product\u0027s login page may obtain configured credentials.",
  "id": "GHSA-5v78-8gv6-c945",
  "modified": "2024-07-08T15:31:54Z",
  "published": "2024-04-15T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23486"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN58236836"
    },
    {
      "type": "WEB",
      "url": "https://www.buffalo.jp/news/detail/20240410-01.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-63CG-FQR3-853J

Vulnerability from github – Published: 2026-07-07 12:31 – Updated: 2026-07-08 21:30
VLAI
Details

Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all versions prior to 17.0.0. A local attacker could retrieve users’ credentials. 

Active Directory accounts are not affected by this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T10:16:40Z",
    "severity": "MODERATE"
  },
  "details": "Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all\u00a0versions prior to 17.0.0. A local attacker could retrieve users\u2019 credentials.\u00a0\n\nActive Directory accounts are not affected by this vulnerability.",
  "id": "GHSA-63cg-fqr3-853j",
  "modified": "2026-07-08T21:30:25Z",
  "published": "2026-07-07T12:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14867"
    },
    {
      "type": "WEB",
      "url": "https://www.pcvue.com/security/#SB2026-5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-64JR-GGW8-H9JC

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-14 05:28
VLAI
Summary
Credentials stored in plain text by debian-package-builder Plugin
Details

debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ru.yandex.jenkins.plugins.debuilder:debian-package-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-14T05:28:50Z",
    "nvd_published_at": "2020-02-12T15:15:00Z",
    "severity": "LOW"
  },
  "details": "debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file `ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml` on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.",
  "id": "GHSA-64jr-ggw8-h9jc",
  "modified": "2023-01-14T05:28:50Z",
  "published": "2022-05-24T17:08:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2125"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/debian-package-builder-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1558"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Credentials stored in plain text by debian-package-builder Plugin"
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.