CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-5C45-MGCF-3HHJ
Vulnerability from github – Published: 2025-01-08 18:30 – Updated: 2025-01-08 18:30Dell VxRail, versions 8.0.000 through 8.0.311, contain(s) a Plaintext Storage of a Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.
{
"affected": [],
"aliases": [
"CVE-2025-21111"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-08T18:15:20Z",
"severity": "HIGH"
},
"details": "Dell VxRail, versions 8.0.000 through 8.0.311, contain(s) a Plaintext Storage of a Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.",
"id": "GHSA-5c45-mgcf-3hhj",
"modified": "2025-01-08T18:30:49Z",
"published": "2025-01-08T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21111"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000269958/dsa-2025-025-security-update-for-dell-vxrail-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5C97-GXR3-R368
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2022-12-06 21:47Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:weibo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16572"
],
"database_specific": {
"cwe_ids": [
"CWE-1024",
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-06T21:47:50Z",
"nvd_published_at": "2019-12-17T15:15:00Z",
"severity": "LOW"
},
"details": "Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
"id": "GHSA-5c97-gxr3-r368",
"modified": "2022-12-06T21:47:50Z",
"published": "2022-05-24T17:03:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16572"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1597"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Weibo Plugin stores credentials unencrypted in its global configuration file"
}
GHSA-5JJF-WCVF-923W
Vulnerability from github – Published: 2026-04-20 03:34 – Updated: 2026-04-24 20:22A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6597"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T20:20:33Z",
"nvd_published_at": "2026-04-20T03:16:17Z",
"severity": "LOW"
},
"details": "A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-5jjf-wcvf-923w",
"modified": "2026-04-24T20:22:08Z",
"published": "2026-04-20T03:34:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6597"
},
{
"type": "WEB",
"url": "https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b"
},
{
"type": "PACKAGE",
"url": "https://github.com/langflow-ai/langflow"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/791920"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/358232"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/358232/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Langflow has an Information Leak through Incomplete API Key Redaction"
}
GHSA-5Q29-F827-Q5CX
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36A Plaintext Storage of a Password issue was discovered in Moxa OnCell G3110-HSPA Version 1.3 build 15082117 and previous versions, OnCell G3110-HSDPA Version 1.2 Build 09123015 and previous versions, OnCell G3150-HSDPA Version 1.4 Build 11051315 and previous versions, OnCell 5104-HSDPA, OnCell 5104-HSPA, and OnCell 5004-HSPA. The application's configuration file contains parameters that represent passwords in plaintext.
{
"affected": [],
"aliases": [
"CVE-2017-7913"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-29T16:29:00Z",
"severity": "CRITICAL"
},
"details": "A Plaintext Storage of a Password issue was discovered in Moxa OnCell G3110-HSPA Version 1.3 build 15082117 and previous versions, OnCell G3110-HSDPA Version 1.2 Build 09123015 and previous versions, OnCell G3150-HSDPA Version 1.4 Build 11051315 and previous versions, OnCell 5104-HSDPA, OnCell 5104-HSPA, and OnCell 5004-HSPA. The application\u0027s configuration file contains parameters that represent passwords in plaintext.",
"id": "GHSA-5q29-f827-q5cx",
"modified": "2022-05-13T01:36:15Z",
"published": "2022-05-13T01:36:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7913"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-143-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5Q66-V53Q-PM35
Vulnerability from github – Published: 2023-09-12 21:10 – Updated: 2023-09-12 21:10A flaw was discovered in Keycloak Core package. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular attributes in the users attributes. The password is also created, but the user attributes must not be there. This way, any entities (all users and clients with proper rights/roles) are able to retrieve the users passwords in clear-text.
Impact
Passwords for self-registered users are stored as cleartext attributes associated with the user.
Mitigation
Disable self-registration for users in all realms until patched.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-core"
},
"ranges": [
{
"events": [
{
"introduced": "22.0.2"
},
{
"fixed": "22.0.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"22.0.2"
]
}
],
"aliases": [
"CVE-2023-4918"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-319"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-12T21:10:37Z",
"nvd_published_at": "2023-09-12T20:15:10Z",
"severity": "HIGH"
},
"details": "A flaw was discovered in Keycloak Core package. When a user registers itself through registration flow, the \"password\" and \"password-confirm\" field from the form will occur as regular attributes in the users attributes. The password is also created, but the user attributes must not be there. This way, any entities (all users and clients with proper rights/roles) are able to retrieve the users passwords in clear-text. \n\n### Impact\nPasswords for self-registered users are stored as cleartext attributes associated with the user. \n\n### Mitigation\nDisable self-registration for users in all realms until patched.\n\n",
"id": "GHSA-5q66-v53q-pm35",
"modified": "2023-09-12T21:10:37Z",
"published": "2023-09-12T21:10:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-5q66-v53q-pm35"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4918"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-4918"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238588"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Keycloak vulnerable to Plaintext Storage of User Password"
}
GHSA-5R5F-HCWF-R9JH
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-12-29 00:49GitHub Coverage Reporter Plugin 1.10 and earlier stores a GitHub access token in plain text in its global configuration file io.jenkins.plugins.gcr.PluginConfiguration.xml. This token can be viewed by users with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:github-coverage-reporter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2212"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-29T00:49:42Z",
"nvd_published_at": "2020-07-02T15:15:00Z",
"severity": "MODERATE"
},
"details": "GitHub Coverage Reporter Plugin 1.10 and earlier stores a GitHub access token in plain text in its global configuration file `io.jenkins.plugins.gcr.PluginConfiguration.xml`. This token can be viewed by users with access to the Jenkins controller file system.",
"id": "GHSA-5r5f-hcwf-r9jh",
"modified": "2022-12-29T00:49:42Z",
"published": "2022-05-24T17:22:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2212"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/github-coverage-reporter-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1632"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/07/02/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Secret stored in plain text by Jenkins GitHub Coverage Reporter Plugin"
}
GHSA-5RJ2-F4XF-8M9Q
Vulnerability from github – Published: 2026-02-03 00:30 – Updated: 2026-03-03 03:32Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password.
{
"affected": [],
"aliases": [
"CVE-2025-12680"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T23:15:58Z",
"severity": "MODERATE"
},
"details": "Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password.",
"id": "GHSA-5rj2-f4xf-8m9q",
"modified": "2026-03-03T03:32:40Z",
"published": "2026-02-03T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12680"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5V78-8GV6-C945
Vulnerability from github – Published: 2024-04-15 12:30 – Updated: 2024-07-08 15:31Plaintext storage of a password issue exists in BUFFALO wireless LAN routers, which may allow a network-adjacent unauthenticated attacker with access to the product's login page may obtain configured credentials.
{
"affected": [],
"aliases": [
"CVE-2024-23486"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-15T11:15:07Z",
"severity": "CRITICAL"
},
"details": "Plaintext storage of a password issue exists in BUFFALO wireless LAN routers, which may allow a network-adjacent unauthenticated attacker with access to the product\u0027s login page may obtain configured credentials.",
"id": "GHSA-5v78-8gv6-c945",
"modified": "2024-07-08T15:31:54Z",
"published": "2024-04-15T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23486"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN58236836"
},
{
"type": "WEB",
"url": "https://www.buffalo.jp/news/detail/20240410-01.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-63CG-FQR3-853J
Vulnerability from github – Published: 2026-07-07 12:31 – Updated: 2026-07-08 21:30Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all versions prior to 17.0.0. A local attacker could retrieve users’ credentials.
Active Directory accounts are not affected by this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2026-14867"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T10:16:40Z",
"severity": "MODERATE"
},
"details": "Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all\u00a0versions prior to 17.0.0. A local attacker could retrieve users\u2019 credentials.\u00a0\n\nActive Directory accounts are not affected by this vulnerability.",
"id": "GHSA-63cg-fqr3-853j",
"modified": "2026-07-08T21:30:25Z",
"published": "2026-07-07T12:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14867"
},
{
"type": "WEB",
"url": "https://www.pcvue.com/security/#SB2026-5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-64JR-GGW8-H9JC
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-14 05:28debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "ru.yandex.jenkins.plugins.debuilder:debian-package-builder"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.6.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2125"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-14T05:28:50Z",
"nvd_published_at": "2020-02-12T15:15:00Z",
"severity": "LOW"
},
"details": "debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file `ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml` on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.",
"id": "GHSA-64jr-ggw8-h9jc",
"modified": "2023-01-14T05:28:50Z",
"published": "2022-05-24T17:08:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2125"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/debian-package-builder-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1558"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Credentials stored in plain text by debian-package-builder Plugin"
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.