Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

397 vulnerabilities reference this CWE, most recent first.

GHSA-656G-HF8V-X2RW

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-12-29 00:33
VLAI
Summary
Secret stored in plain text by Jenkins Slack Upload Plugin
Details

Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:slack-uploader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-29T00:33:11Z",
    "nvd_published_at": "2020-07-02T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job `config.xml` files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.",
  "id": "GHSA-656g-hf8v-x2rw",
  "modified": "2022-12-29T00:33:11Z",
  "published": "2022-05-24T17:22:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2208"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/slack-uploader-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1627"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/07/02/7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Secret stored in plain text by Jenkins Slack Upload Plugin"
}

GHSA-6793-GMP9-2535

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-05 21:39
VLAI
Summary
Password stored in plain text by ECX Copy Data Management Plugin
Details

Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.catalogic.ecxjenkins:catalogic-ecx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-05T21:39:10Z",
    "nvd_published_at": "2020-02-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.",
  "id": "GHSA-6793-gmp9-2535",
  "modified": "2023-01-05T21:39:10Z",
  "published": "2022-05-24T17:08:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2128"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/catalogic-ecx-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1549"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Password stored in plain text by ECX Copy Data Management Plugin"
}

GHSA-683F-HCW3-5VGR

Vulnerability from github – Published: 2023-10-12 15:31 – Updated: 2024-04-04 08:35
VLAI
Details

SnapGathers versions prior to 4.9 are susceptible to a vulnerability which could allow a local authenticated attacker to discover plaintext domain user credentials

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-12T14:15:10Z",
    "severity": "MODERATE"
  },
  "details": "SnapGathers versions prior to 4.9 are susceptible to a vulnerability \nwhich could allow a local authenticated attacker to discover plaintext \ndomain user credentials",
  "id": "GHSA-683f-hcw3-5vgr",
  "modified": "2024-04-04T08:35:35Z",
  "published": "2023-10-12T15:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27315"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231009-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6G92-JHV6-7WCP

Vulnerability from github – Published: 2025-03-05 06:31 – Updated: 2025-03-05 18:32
VLAI
Details

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Password in URL OVE-20230524-0005.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-05T06:15:38Z",
    "severity": "CRITICAL"
  },
  "details": "Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Password in URL OVE-20230524-0005.",
  "id": "GHSA-6g92-jhv6-7wcp",
  "modified": "2025-03-05T18:32:08Z",
  "published": "2025-03-05T06:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27662"
    },
    {
      "type": "WEB",
      "url": "https://help.printerlogic.com/saas/Print/Security/Security-Bulletins.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HQV-2JJV-PJCR

Vulnerability from github – Published: 2024-04-26 21:31 – Updated: 2024-07-03 18:37
VLAI
Details

Asus RT-N12+ B1 router stores credentials in cleartext, which could allow local attackers to obtain unauthorized access and modify router settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28325"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-26T19:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Asus RT-N12+ B1 router stores credentials in cleartext, which could allow local attackers to obtain unauthorized access and modify router settings.",
  "id": "GHSA-6hqv-2jjv-pjcr",
  "modified": "2024-07-03T18:37:06Z",
  "published": "2024-04-26T21:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28325"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ShravanSinghRathore/ASUS-RT-N300-B1/wiki/Credentials-Stored-in-Cleartext-CVE%E2%80%902024%E2%80%9028325"
    },
    {
      "type": "WEB",
      "url": "http://asus.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HW7-X86V-WRGF

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-02 17:31
VLAI
Summary
Passwords stored in plain text by Jenkins view-cloner Plugin
Details

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:view-cloner"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-27T01:28:47Z",
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
  "id": "GHSA-6hw7-x86v-wrgf",
  "modified": "2023-02-02T17:31:58Z",
  "published": "2023-01-26T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24450"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/view-cloner-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2787"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Passwords stored in plain text by Jenkins view-cloner Plugin "
}

GHSA-6MQ5-FG4V-Q2MG

Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-11-01 15:33
VLAI
Details

EisBaer Scada - CWE-256: Plaintext Storage of a Password

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-25T18:17:31Z",
    "severity": "CRITICAL"
  },
  "details": "   EisBaer Scada - CWE-256: Plaintext Storage of a Password",
  "id": "GHSA-6mq5-fg4v-q2mg",
  "modified": "2023-11-01T15:33:29Z",
  "published": "2023-10-25T18:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42493"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/Departments/faq/cve_advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6P5V-Q973-HX46

Vulnerability from github – Published: 2023-09-18 21:30 – Updated: 2024-03-21 03:35
VLAI
Details

** UNSUPPPORTED WHEN ASSIGNED **

The web application that owns the device clearly stores the credentials within the user management section. Obtaining this information can be done remotely due to the incorrect management of the sessions in the web application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-18T21:16:04Z",
    "severity": "HIGH"
  },
  "details": "** UNSUPPPORTED WHEN ASSIGNED ** \n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThe web application that owns the device clearly stores the credentials within the user management section. Obtaining this information can be done remotely due to the incorrect management of the sessions in the web application.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n",
  "id": "GHSA-6p5v-q973-hx46",
  "modified": "2024-03-21T03:35:47Z",
  "published": "2023-09-18T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39452"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6PQM-PP65-MC26

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2023-07-05 19:58
VLAI
Summary
Jenkins Gem Publisher Plugin stores credentials as plaintext
Details

Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "net.arangamani.jenkins:gem-publisher"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-09T23:07:59Z",
    "nvd_published_at": "2019-09-25T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Gem Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
  "id": "GHSA-6pqm-pp65-mc26",
  "modified": "2023-07-05T19:58:04Z",
  "published": "2022-05-24T22:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10426"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/gem-publisher-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1573"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/09/25/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Gem Publisher Plugin stores credentials as plaintext"
}

GHSA-6QJV-W5W3-XFR7

Vulnerability from github – Published: 2024-02-10 18:30 – Updated: 2024-02-10 18:30
VLAI
Details

IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22312"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-10T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user.  IBM X-Force ID:  278748.",
  "id": "GHSA-6qjv-w5w3-xfr7",
  "modified": "2024-02-10T18:30:34Z",
  "published": "2024-02-10T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22312"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/278748"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7115261"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.