CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-RJ2X-CQ83-R6R3
Vulnerability from github – Published: 2024-05-19 21:30 – Updated: 2024-05-19 21:30Westermo EDW-100 devices through 2024-05-03 allow an unauthenticated user to download a configuration file containing a cleartext password. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network.
{
"affected": [],
"aliases": [
"CVE-2024-36081"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-19T20:15:08Z",
"severity": "CRITICAL"
},
"details": "Westermo EDW-100 devices through 2024-05-03 allow an unauthenticated user to download a configuration file containing a cleartext password. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network.",
"id": "GHSA-rj2x-cq83-r6r3",
"modified": "2024-05-19T21:30:23Z",
"published": "2024-05-19T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36081"
},
{
"type": "WEB",
"url": "https://www.westermo.com/-/media/Files/Cyber-security/westermo_sa_EDW-100_24-05.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RJ72-J8C2-FWX3
Vulnerability from github – Published: 2024-11-27 15:31 – Updated: 2025-11-04 00:32When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.
{
"affected": [],
"aliases": [
"CVE-2024-36464"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-27T14:15:17Z",
"severity": "LOW"
},
"details": "When exporting media types, the password is exported in the YAML in plain text. This appears to be a best practices type issue and may have no actual impact. The user would need to have permissions to access the media types and therefore would be expected to have access to these passwords.",
"id": "GHSA-rj72-j8c2-fwx3",
"modified": "2025-11-04T00:32:08Z",
"published": "2024-11-27T15:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36464"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00005.html"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-25630"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RM4J-XW99-X97H
Vulnerability from github – Published: 2024-02-08 12:30 – Updated: 2026-05-20 12:30Plaintext Storage of a Password vulnerability in Mia Technology Inc. MİA-MED allows Read Sensitive Strings Within an Executable.This issue affects MİA-MED: before 1.0.7.
{
"affected": [],
"aliases": [
"CVE-2023-6518"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-08T12:15:55Z",
"severity": "HIGH"
},
"details": "Plaintext Storage of a Password vulnerability in Mia Technology Inc. M\u0130A-MED allows Read Sensitive Strings Within an Executable.This issue affects M\u0130A-MED: before 1.0.7.",
"id": "GHSA-rm4j-xw99-x97h",
"modified": "2026-05-20T12:30:35Z",
"published": "2024-02-08T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6518"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0087"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-0087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RM7R-XV53-XWC3
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-12-22 13:41AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file com.rapid7.jenkinspider.PostBuildScan.xml on the Jenkins controller as part of its configuration.
This password can be viewed by users with access to the Jenkins controller file system.
AppSpider Plugin 1.0.13 stores a password encrypted once its configuration is saved again.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.rapid7:jenkinsci-appspider-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2314"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-22T13:41:28Z",
"nvd_published_at": "2020-11-04T15:15:00Z",
"severity": "LOW"
},
"details": "AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file `com.rapid7.jenkinspider.PostBuildScan.xml` on the Jenkins controller as part of its configuration.\n\nThis password can be viewed by users with access to the Jenkins controller file system.\n\nAppSpider Plugin 1.0.13 stores a password encrypted once its configuration is saved again.",
"id": "GHSA-rm7r-xv53-xwc3",
"modified": "2022-12-22T13:41:28Z",
"published": "2022-05-24T17:33:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2314"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/appspider-build-scanner-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2058"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Password stored in plain text by Jenkins AppSpider Plugin"
}
GHSA-RV97-R8F7-8WMG
Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2023-10-26 16:15Jenkins InfluxDB Plugin Prior to 1.22 stored credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:influxdb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10329"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-09T00:56:25Z",
"nvd_published_at": "2019-05-31T15:29:00Z",
"severity": "HIGH"
},
"details": "Jenkins InfluxDB Plugin Prior to 1.22 stored credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
"id": "GHSA-rv97-r8f7-8wmg",
"modified": "2023-10-26T16:15:42Z",
"published": "2022-05-24T22:00:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10329"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/influxdb-plugin/commit/bfc2fcc0d8e6fb6f2dff5a45353abac5cefc0573"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/influxdb-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1403"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/05/31/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108540"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Plaintext password storage in Jenkins InfluxDB Plugin"
}
GHSA-RWPX-F8QJ-4H9H
Vulnerability from github – Published: 2025-02-28 00:30 – Updated: 2025-03-19 21:30Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to store passwords in cleartext.
{
"affected": [],
"aliases": [
"CVE-2025-25727"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-28T00:15:36Z",
"severity": "MODERATE"
},
"details": "Bosscomm IF740 Firmware versions:11001.7078 \u0026 v11001.0000 and System versions: 6.25 \u0026 6.00 were discovered to store passwords in cleartext.",
"id": "GHSA-rwpx-f8qj-4h9h",
"modified": "2025-03-19T21:30:45Z",
"published": "2025-02-28T00:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25727"
},
{
"type": "WEB",
"url": "https://gainsec.com/2025/02/27/cve-2025-25727cve-2025-25728cve-2025-25729-multiple-vulnerabilities-found-in-bosscomm-obd2-tablet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RWV8-HFHP-FJ52
Vulnerability from github – Published: 2024-11-29 12:31 – Updated: 2024-11-29 12:31Certain models of routers from Billion Electric has a Plaintext Storage of a Password vulnerability. Remote attackers with administrator privileges can access the user settings page to retrieve plaintext passwords.
{
"affected": [],
"aliases": [
"CVE-2024-11982"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-29T08:15:04Z",
"severity": "HIGH"
},
"details": "Certain models of routers from Billion Electric has a Plaintext Storage of a Password vulnerability. Remote attackers with administrator privileges can access the user settings page to retrieve plaintext passwords.",
"id": "GHSA-rwv8-hfhp-fj52",
"modified": "2024-11-29T12:31:48Z",
"published": "2024-11-29T12:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11982"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-8278-cb581-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-8277-88b20-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V3R8-6VFJ-PPPF
Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-12-09 04:58Build Notifications Plugin 1.5.0 and earlier stores multiple tokens unencrypted in its global configuration files on the Jenkins controller as part of its configuration:- Pushover Application Token in tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml\n- Slack Bot Token in tools.devnull.jenkins.plugins.buildnotifications.SlackNotifier.xml\n- Telegram Bot Token in tools.devnull.jenkins.plugins.buildnotifications.TelegramNotifier.xml
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "tools.devnull:build-notifications"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-34800"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-12T21:25:42Z",
"nvd_published_at": "2022-06-30T18:15:00Z",
"severity": "LOW"
},
"details": "Build Notifications Plugin 1.5.0 and earlier stores multiple tokens unencrypted in its global configuration files on the Jenkins controller as part of its configuration:- Pushover Application Token in `tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml`\\n- Slack Bot Token in `tools.devnull.jenkins.plugins.buildnotifications.SlackNotifier.xml`\\n- Telegram Bot Token in `tools.devnull.jenkins.plugins.buildnotifications.TelegramNotifier.xml`",
"id": "GHSA-v3r8-6vfj-pppf",
"modified": "2022-12-09T04:58:56Z",
"published": "2022-07-01T00:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34800"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/build-notifications-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Plaintext Storage of a Password in Jenkins Build Notifications Plugin"
}
GHSA-V722-JCV5-W7MC
Vulnerability from github – Published: 2026-03-24 21:42 – Updated: 2026-03-27 22:09Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Ensure monitoring end-points are adequately secured.
Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.12.0-RC.1"
},
{
"fixed": "2.12.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/nats-io/nats-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33216"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T21:42:10Z",
"nvd_published_at": "2026-03-25T20:16:32Z",
"severity": "HIGH"
},
"details": "### Background\n\nNATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.\n\nThe nats-server provides an MQTT client interface.\n\n### Problem Description\n\nFor MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.\n\n### Affected Versions\n\nAny version before v2.12.6 or v2.11.15\n\n### Workarounds\n\nEnsure monitoring end-points are adequately secured.\n\nBest practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.",
"id": "GHSA-v722-jcv5-w7mc",
"modified": "2026-03-27T22:09:29Z",
"published": "2026-03-24T21:42:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33216"
},
{
"type": "WEB",
"url": "https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099"
},
{
"type": "WEB",
"url": "https://advisories.nats.io/CVE/secnote-2026-05.txt"
},
{
"type": "PACKAGE",
"url": "https://github.com/nats-io/nats-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "NATS has MQTT plaintext password disclosure"
}
GHSA-V8V2-FHGV-3VQ2
Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-12-29 00:50White Source Plugin prior to version 20.8.1 stores credentials in plain text as part of its global configuration file org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml and job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system. Version 20.8.1 contains a patch for the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:whitesource"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2213"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-29T00:50:08Z",
"nvd_published_at": "2020-07-02T15:15:00Z",
"severity": "MODERATE"
},
"details": "White Source Plugin prior to version 20.8.1 stores credentials in plain text as part of its global configuration file `org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml` and job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system. Version 20.8.1 contains a patch for the issue.",
"id": "GHSA-v8v2-fhgv-3vq2",
"modified": "2022-12-29T00:50:08Z",
"published": "2022-05-24T17:22:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2213"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/whitesource-plugin/commit/4a9ee37246848c65cd41c5cf17d84992ffc6d21d"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/whitesource-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1630"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/07/02/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Credentials stored in plain text by Jenkins White Source Plugin"
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.