CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-PJC8-733M-3V23
Vulnerability from github – Published: 2023-02-27 06:30 – Updated: 2023-03-03 21:30MV iDigital Clinic Enterprise (iDCE) 1.0 stores passwords in cleartext.
{
"affected": [],
"aliases": [
"CVE-2022-31405"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-27T06:15:00Z",
"severity": "MODERATE"
},
"details": "MV iDigital Clinic Enterprise (iDCE) 1.0 stores passwords in cleartext.",
"id": "GHSA-pjc8-733m-3v23",
"modified": "2023-03-03T21:30:18Z",
"published": "2023-02-27T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31405"
},
{
"type": "WEB",
"url": "https://github.com/ifmacedo/mconnect/blob/main/IDCE-ClearTextStorage"
},
{
"type": "WEB",
"url": "https://mv.com.br/pt/blog/microdata-integra-novo-modulo-cockpit-ao-ris-idce"
},
{
"type": "WEB",
"url": "https://www.linkedin.com/pulse/armazenamento-inseguro-idce-mv-iran-macedo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PJHX-JP78-8PV5
Vulnerability from github – Published: 2025-05-02 15:31 – Updated: 2025-05-02 15:31Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.
{
"affected": [],
"aliases": [
"CVE-2025-46633"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T20:15:39Z",
"severity": "HIGH"
},
"details": "Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.",
"id": "GHSA-pjhx-jp78-8pv5",
"modified": "2025-05-02T15:31:45Z",
"published": "2025-05-02T15:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46633"
},
{
"type": "WEB",
"url": "https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pro/README?id=cve-2025-46633-transmission-of-plaintext-symmetric-key-in-httpd"
},
{
"type": "WEB",
"url": "https://www.tendacn.com/us/default.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PM2W-VJ7F-H667
Vulnerability from github – Published: 2025-05-02 15:31 – Updated: 2025-05-02 15:31Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an unauthenticated attacker to authenticate to the web management portal by collecting credentials from observed/collected traffic. It implements encryption, but not until after the user has transmitted the hash of their password in cleartext. The hash can be replayed to authenticate.
{
"affected": [],
"aliases": [
"CVE-2025-46634"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T20:15:39Z",
"severity": "HIGH"
},
"details": "Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an unauthenticated attacker to authenticate to the web management portal by collecting credentials from observed/collected traffic. It implements encryption, but not until after the user has transmitted the hash of their password in cleartext. The hash can be replayed to authenticate.",
"id": "GHSA-pm2w-vj7f-h667",
"modified": "2025-05-02T15:31:45Z",
"published": "2025-05-02T15:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46634"
},
{
"type": "WEB",
"url": "https://blog.uturn.dev/#/writeups/iot-village/tenda-rx2pro/README?id=cve-2025-46634-transmission-of-plaintext-credentials-in-httpd"
},
{
"type": "WEB",
"url": "https://www.tendacn.com/us/default.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PP2Q-HF69-VW5G
Vulnerability from github – Published: 2023-09-27 21:30 – Updated: 2024-04-04 07:56A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker.
{
"affected": [],
"aliases": [
"CVE-2023-4066"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-313"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T21:15:10Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Red Hat\u0027s AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in the StatefulSet details yaml of AMQ Broker.",
"id": "GHSA-pp2q-hf69-vw5g",
"modified": "2024-04-04T07:56:11Z",
"published": "2023-09-27T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4066"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4720"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-4066"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2224677"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PP3G-H9W2-V7G4
Vulnerability from github – Published: 2022-03-02 00:00 – Updated: 2022-10-01 00:00A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.
{
"affected": [],
"aliases": [
"CVE-2021-35036"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-01T07:15:00Z",
"severity": "MODERATE"
},
"details": "A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device.",
"id": "GHSA-pp3g-h9w2-v7g4",
"modified": "2022-10-01T00:00:19Z",
"published": "2022-03-02T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35036"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-cleartext-storage-of-information-vulnerability"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PP98-W696-5GP2
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18Exposure of senstive information to an unauthorised actor in the "com.onepeloton.erlich" mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile application.
{
"affected": [],
"aliases": [
"CVE-2021-40527"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-25T11:15:00Z",
"severity": "HIGH"
},
"details": "Exposure of senstive information to an unauthorised actor in the \"com.onepeloton.erlich\" mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile application.",
"id": "GHSA-pp98-w696-5gp2",
"modified": "2022-05-24T19:18:48Z",
"published": "2022-05-24T19:18:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40527"
},
{
"type": "WEB",
"url": "https://twitter.com/ROPsicle/status/1438216078103044107?s=20"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PQ2C-46Q4-QWG3
Vulnerability from github – Published: 2024-09-04 03:30 – Updated: 2024-09-13 21:31Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product's project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.
{
"affected": [],
"aliases": [
"CVE-2024-41716"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-04T01:15:11Z",
"severity": "HIGH"
},
"details": "Cleartext storage of sensitive information vulnerability exists in WindLDR and WindO/I-NV4. If this vulnerability is exploited, an attacker who obtained the product\u0027s project file may obtain user credentials of the PLC or Operator Interfaces. As a result, an attacker may be able to manipulate and/or suspend the PLC and Operator Interfaces by accessing or hijacking them.",
"id": "GHSA-pq2c-46q4-qwg3",
"modified": "2024-09-13T21:31:21Z",
"published": "2024-09-04T03:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41716"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN08342147"
},
{
"type": "WEB",
"url": "https://us.idec.com/media/24-RD-0219-EN.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PQW6-WHQX-5MV6
Vulnerability from github – Published: 2022-11-29 00:30 – Updated: 2022-12-02 00:30The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality.
{
"affected": [],
"aliases": [
"CVE-2022-24188"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-28T22:15:00Z",
"severity": "HIGH"
},
"details": "The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality.",
"id": "GHSA-pqw6-whqx-5mv6",
"modified": "2022-12-02T00:30:25Z",
"published": "2022-11-29T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24188"
},
{
"type": "WEB",
"url": "https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PRH4-VHFH-24MJ
Vulnerability from github – Published: 2026-03-26 22:25 – Updated: 2026-03-26 22:25Impact
Harbor write configuration payload to audit log when configuration change, the ldap_search_password and oidc_client_secret will be logged in the audit log without redacted
Patches
Harbor v2.15.0, v2.14.3, v2.13.5
Workarounds
Disable audit log configure event in Harbor Web Console: Go to Administration -> Configuration -> Enable Audit Log Event Type -> Uncheck "Update Configuration" and click "Save" Button.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.13.0"
},
{
"fixed": "2.13.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/goharbor/harbor"
},
"ranges": [
{
"events": [
{
"introduced": "2.14.0"
},
{
"fixed": "2.14.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T22:25:26Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nHarbor write configuration payload to audit log when configuration change, the ldap_search_password and oidc_client_secret will be logged in the audit log without redacted\n\n### Patches\nHarbor v2.15.0, v2.14.3, v2.13.5\n\n### Workarounds\nDisable audit log configure event in Harbor Web Console: Go to Administration -\u003e Configuration -\u003e Enable Audit Log Event Type -\u003e Uncheck \"Update Configuration\" and click \"Save\" Button.",
"id": "GHSA-prh4-vhfh-24mj",
"modified": "2026-03-26T22:25:26Z",
"published": "2026-03-26T22:25:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-prh4-vhfh-24mj"
},
{
"type": "WEB",
"url": "https://github.com/goharbor/harbor/commit/85e756486fc19333c5c300d7ac273e1580dc9350"
},
{
"type": "PACKAGE",
"url": "https://github.com/goharbor/harbor"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Harbor: LDAP password and OIDC secret are not redacted in the audit log"
}
GHSA-PV69-PH5F-43VX
Vulnerability from github – Published: 2022-05-24 19:20 – Updated: 2022-05-24 19:20A password mismanagement situation exists in XoruX LPAR2RRD and STOR2RRD before 7.30 because cleartext information is present in HTML password input fields in the device properties. (Viewing the passwords requires configuring a web browser to display HTML password input fields.)
{
"affected": [],
"aliases": [
"CVE-2021-42370"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-08T05:15:00Z",
"severity": "HIGH"
},
"details": "A password mismanagement situation exists in XoruX LPAR2RRD and STOR2RRD before 7.30 because cleartext information is present in HTML password input fields in the device properties. (Viewing the passwords requires configuring a web browser to display HTML password input fields.)",
"id": "GHSA-pv69-ph5f-43vx",
"modified": "2022-05-24T19:20:03Z",
"published": "2022-05-24T19:20:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-f3qp-4xqq-2wjx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42370"
},
{
"type": "WEB",
"url": "https://lpar2rrd.com/note730.php"
},
{
"type": "WEB",
"url": "https://stor2rrd.com/note730.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.