CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-962Q-84V8-HXHJ
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:00QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.
As of publication of this advisory, there is no fix.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:qmetry-test-management"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53660"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T21:04:35Z",
"nvd_published_at": "2025-07-09T16:15:25Z",
"severity": "MODERATE"
},
"details": "QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.\n\nAs of publication of this advisory, there is no fix.",
"id": "GHSA-962q-84v8-hxhj",
"modified": "2025-11-05T20:00:38Z",
"published": "2025-07-09T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53660"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/qmetry-test-management-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3532"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins QMetry Test Management Plugin vulnerability exposes API keys"
}
GHSA-989J-7H35-9P79
Vulnerability from github – Published: 2026-05-01 00:31 – Updated: 2026-05-01 00:31IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.
{
"affected": [],
"aliases": [
"CVE-2025-36335"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-30T22:16:24Z",
"severity": "MODERATE"
},
"details": "IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.",
"id": "GHSA-989j-7h35-9p79",
"modified": "2026-05-01T00:31:27Z",
"published": "2026-05-01T00:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36335"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7270923"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-98QC-V8VG-MCX4
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-03 20:35Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:testquality-updater"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24454"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-27T00:58:21Z",
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "MODERATE"
},
"details": "Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.",
"id": "GHSA-98qc-v8vg-mcx4",
"modified": "2023-02-03T20:35:16Z",
"published": "2023-01-26T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24454"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2091"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Plaintext Storage of a Password in Jenkins TestQuality Updater Plugin"
}
GHSA-9FCX-VCGW-CCC6
Vulnerability from github – Published: 2024-09-18 15:30 – Updated: 2026-06-03 15:30Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of Known Domain Credentials.This issue affects Panel: before v2.3.24.
{
"affected": [],
"aliases": [
"CVE-2024-5960"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T15:15:18Z",
"severity": "CRITICAL"
},
"details": "Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of Known Domain Credentials.This issue affects Panel: before v2.3.24.",
"id": "GHSA-9fcx-vcgw-ccc6",
"modified": "2026-06-03T15:30:35Z",
"published": "2024-09-18T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5960"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1497"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-1497"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9GF7-444H-6V98
Vulnerability from github – Published: 2026-04-17 09:31 – Updated: 2026-06-02 15:31Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. In a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext.
{
"affected": [],
"aliases": [
"CVE-2025-15624"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-17T09:16:04Z",
"severity": "CRITICAL"
},
"details": "Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\u00a0\nIn a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext.",
"id": "GHSA-9gf7-444h-6v98",
"modified": "2026-06-02T15:31:54Z",
"published": "2026-04-17T09:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15624"
},
{
"type": "WEB",
"url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:C/RE:M/U:Red",
"type": "CVSS_V4"
}
]
}
GHSA-9HRM-54HP-FCPJ
Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-02-03 18:30GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2020-37115"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T18:16:11Z",
"severity": "HIGH"
},
"details": "GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users\u0027 usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access.",
"id": "GHSA-9hrm-54hp-fcpj",
"modified": "2026-02-03T18:30:45Z",
"published": "2026-02-03T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37115"
},
{
"type": "WEB",
"url": "https://download.openeclass.org/files/docs/1.7/CHANGES.txt"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48163"
},
{
"type": "WEB",
"url": "https://www.openeclass.org"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/gunet-openeclass-e-learning-platform-plaintext-password-storage"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9R2G-27GF-RM9W
Vulnerability from github – Published: 2024-08-15 03:30 – Updated: 2024-08-15 03:30IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 281430.
{
"affected": [],
"aliases": [
"CVE-2024-25024"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-15T03:15:04Z",
"severity": "MODERATE"
},
"details": "IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 281430.",
"id": "GHSA-9r2g-27gf-rm9w",
"modified": "2024-08-15T03:30:28Z",
"published": "2024-08-15T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25024"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/281430"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7165488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9VQF-Q6G6-HPJ7
Vulnerability from github – Published: 2025-03-29 00:31 – Updated: 2025-03-29 00:31IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information that is stored locally under certain conditions.
{
"affected": [],
"aliases": [
"CVE-2024-43186"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-29T00:15:23Z",
"severity": "MODERATE"
},
"details": "IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information that is stored locally under certain conditions.",
"id": "GHSA-9vqf-q6g6-hpj7",
"modified": "2025-03-29T00:31:35Z",
"published": "2025-03-29T00:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43186"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7184980"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C7JC-3J2X-59X8
Vulnerability from github – Published: 2024-12-18 18:30 – Updated: 2024-12-18 18:30IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.9
stores user credentials in plain text which can be read by an authenticated user with access to the pod.
{
"affected": [],
"aliases": [
"CVE-2024-52361"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-18T16:15:13Z",
"severity": "MODERATE"
},
"details": "IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.9 \n\n\n\n\u00a0stores user credentials in plain text which can be read by an authenticated user with access to the pod.",
"id": "GHSA-c7jc-3j2x-59x8",
"modified": "2024-12-18T18:30:52Z",
"published": "2024-12-18T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52361"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7178587"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C8MF-MC3F-2WVC
Vulnerability from github – Published: 2022-06-24 00:00 – Updated: 2022-12-05 21:55Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.convertigo.jenkins.plugins:convertigo-mobile-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-34199"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-05T22:55:56Z",
"nvd_published_at": "2022-06-23T17:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job `config.xml` files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
"id": "GHSA-c8mf-mc3f-2wvc",
"modified": "2022-12-05T21:55:06Z",
"published": "2022-06-24T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34199"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/convertigo-mobile-platform-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2064"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Plaintext Storage of a Password in Jenkins Convertigo Mobile Platform Plugin "
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.