Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

397 vulnerabilities reference this CWE, most recent first.

GHSA-962Q-84V8-HXHJ

Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:00
VLAI
Summary
Jenkins QMetry Test Management Plugin vulnerability exposes API keys
Details

QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:qmetry-test-management"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-09T21:04:35Z",
    "nvd_published_at": "2025-07-09T16:15:25Z",
    "severity": "MODERATE"
  },
  "details": "QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.\n\nAs of publication of this advisory, there is no fix.",
  "id": "GHSA-962q-84v8-hxhj",
  "modified": "2025-11-05T20:00:38Z",
  "published": "2025-07-09T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53660"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/qmetry-test-management-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3532"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins QMetry Test Management Plugin vulnerability exposes API keys"
}

GHSA-989J-7H35-9P79

Vulnerability from github – Published: 2026-05-01 00:31 – Updated: 2026-05-01 00:31
VLAI
Details

IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T22:16:24Z",
    "severity": "MODERATE"
  },
  "details": "IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.",
  "id": "GHSA-989j-7h35-9p79",
  "modified": "2026-05-01T00:31:27Z",
  "published": "2026-05-01T00:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36335"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7270923"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-98QC-V8VG-MCX4

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-03 20:35
VLAI
Summary
Plaintext Storage of a Password in Jenkins TestQuality Updater Plugin
Details

Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:testquality-updater"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-27T00:58:21Z",
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.",
  "id": "GHSA-98qc-v8vg-mcx4",
  "modified": "2023-02-03T20:35:16Z",
  "published": "2023-01-26T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24454"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2091"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Plaintext Storage of a Password in Jenkins TestQuality Updater Plugin"
}

GHSA-9FCX-VCGW-CCC6

Vulnerability from github – Published: 2024-09-18 15:30 – Updated: 2026-06-03 15:30
VLAI
Details

Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of Known Domain Credentials.This issue affects Panel: before v2.3.24.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5960"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T15:15:18Z",
    "severity": "CRITICAL"
  },
  "details": "Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of Known Domain Credentials.This issue affects Panel: before v2.3.24.",
  "id": "GHSA-9fcx-vcgw-ccc6",
  "modified": "2026-06-03T15:30:35Z",
  "published": "2024-09-18T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5960"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1497"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-1497"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9GF7-444H-6V98

Vulnerability from github – Published: 2026-04-17 09:31 – Updated: 2026-06-02 15:31
VLAI
Details

Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.  In a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-17T09:16:04Z",
    "severity": "CRITICAL"
  },
  "details": "Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\u00a0\nIn a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext.",
  "id": "GHSA-9gf7-444h-6v98",
  "modified": "2026-06-02T15:31:54Z",
  "published": "2026-04-17T09:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15624"
    },
    {
      "type": "WEB",
      "url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:C/RE:M/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9HRM-54HP-FCPJ

Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-02-03 18:30
VLAI
Details

GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-37115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-03T18:16:11Z",
    "severity": "HIGH"
  },
  "details": "GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users\u0027 usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access.",
  "id": "GHSA-9hrm-54hp-fcpj",
  "modified": "2026-02-03T18:30:45Z",
  "published": "2026-02-03T18:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37115"
    },
    {
      "type": "WEB",
      "url": "https://download.openeclass.org/files/docs/1.7/CHANGES.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48163"
    },
    {
      "type": "WEB",
      "url": "https://www.openeclass.org"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/gunet-openeclass-e-learning-platform-plaintext-password-storage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9R2G-27GF-RM9W

Vulnerability from github – Published: 2024-08-15 03:30 – Updated: 2024-08-15 03:30
VLAI
Details

IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 281430.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-15T03:15:04Z",
    "severity": "MODERATE"
  },
  "details": "IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores user credentials in plain clear text which can be read by a local user.  IBM X-Force ID:  281430.",
  "id": "GHSA-9r2g-27gf-rm9w",
  "modified": "2024-08-15T03:30:28Z",
  "published": "2024-08-15T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25024"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/281430"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7165488"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9VQF-Q6G6-HPJ7

Vulnerability from github – Published: 2025-03-29 00:31 – Updated: 2025-03-29 00:31
VLAI
Details

IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information that is stored locally under certain conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-29T00:15:23Z",
    "severity": "MODERATE"
  },
  "details": "IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information that is stored locally under certain conditions.",
  "id": "GHSA-9vqf-q6g6-hpj7",
  "modified": "2025-03-29T00:31:35Z",
  "published": "2025-03-29T00:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43186"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7184980"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C7JC-3J2X-59X8

Vulnerability from github – Published: 2024-12-18 18:30 – Updated: 2024-12-18 18:30
VLAI
Details

IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.9

stores user credentials in plain text which can be read by an authenticated user with access to the pod.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-18T16:15:13Z",
    "severity": "MODERATE"
  },
  "details": "IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.9 \n\n\n\n\u00a0stores user credentials in plain text which can be read by an authenticated user with access to the pod.",
  "id": "GHSA-c7jc-3j2x-59x8",
  "modified": "2024-12-18T18:30:52Z",
  "published": "2024-12-18T18:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52361"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7178587"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C8MF-MC3F-2WVC

Vulnerability from github – Published: 2022-06-24 00:00 – Updated: 2022-12-05 21:55
VLAI
Summary
Plaintext Storage of a Password in Jenkins Convertigo Mobile Platform Plugin
Details

Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.convertigo.jenkins.plugins:convertigo-mobile-platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-34199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-05T22:55:56Z",
    "nvd_published_at": "2022-06-23T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job `config.xml` files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
  "id": "GHSA-c8mf-mc3f-2wvc",
  "modified": "2022-12-05T21:55:06Z",
  "published": "2022-06-24T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34199"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/convertigo-mobile-platform-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2064"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Plaintext Storage of a Password in Jenkins Convertigo Mobile Platform Plugin "
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.