CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-QJ79-PFG8-3Q92
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-19 00:01Veritas System Recovery (VSR) 18 and 21 stores a network destination password in the Windows registry during configuration of the backup configuration. This could allow a Windows user (who has sufficient privileges) to access a network file system that they were not authorized to access.
{
"affected": [],
"aliases": [
"CVE-2022-26778"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:47:00Z",
"severity": "MODERATE"
},
"details": "Veritas System Recovery (VSR) 18 and 21 stores a network destination password in the Windows registry during configuration of the backup configuration. This could allow a Windows user (who has sufficient privileges) to access a network file system that they were not authorized to access.",
"id": "GHSA-qj79-pfg8-3q92",
"modified": "2022-03-19T00:01:27Z",
"published": "2022-03-11T00:02:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26778"
},
{
"type": "WEB",
"url": "https://www.veritas.com/content/support/en_US/security/VTS21-002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QJFV-WMRG-M3HX
Vulnerability from github – Published: 2023-04-27 18:30 – Updated: 2024-04-04 03:42Plaintext Password in Registry
vulnerability in 42gears surelock windows surelockwinsetupv2.40.0.Exe on Windows (Registery modules) allows Retrieve
Admin user credentials
This issue affects surelock windows: from 2.3.12 through 2.40.0.
{
"affected": [],
"aliases": [
"CVE-2023-2335"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-27T18:15:13Z",
"severity": "HIGH"
},
"details": "\nPlaintext Password in Registry\n\n vulnerability in 42gears surelock windows surelockwinsetupv2.40.0.Exe on Windows (Registery modules) allows Retrieve \n\nAdmin user credentials\n\nThis issue affects surelock windows: from 2.3.12 through 2.40.0.\n\n",
"id": "GHSA-qjfv-wmrg-m3hx",
"modified": "2024-04-04T03:42:50Z",
"published": "2023-04-27T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2335"
},
{
"type": "WEB",
"url": "https://www.42gears.com/security-and-compliance"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QM29-MF5J-82RG
Vulnerability from github – Published: 2022-04-29 03:01 – Updated: 2024-02-13 18:38The web-based Management Console in Blue Coat Security Gateway OS 3.0 through 3.1.3.13 and 3.2.1, when importing a private key, stores the key and its passphrase in plaintext in a log file, which allows attackers to steal digital certificates.
{
"affected": [],
"aliases": [
"CVE-2004-2397"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2004-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "The web-based Management Console in Blue Coat Security Gateway OS 3.0 through 3.1.3.13 and 3.2.1, when importing a private key, stores the key and its passphrase in plaintext in a log file, which allows attackers to steal digital certificates.",
"id": "GHSA-qm29-mf5j-82rg",
"modified": "2024-02-13T18:38:20Z",
"published": "2022-04-29T03:01:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2004-2397"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16182"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/11627"
},
{
"type": "WEB",
"url": "http://www.bluecoat.com/support/knowledge/advisory_private_key_compromise.html"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/6218"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/10371"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QM4J-MQQ4-36GX
Vulnerability from github – Published: 2024-09-30 18:31 – Updated: 2024-10-01 00:33An issue was discovered in Infinera hiT 7300 5.60.50. Cleartext storage of sensitive password in firmware update packages allows attackers to access various appliance services via hardcoded credentials.
{
"affected": [],
"aliases": [
"CVE-2024-28809"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-30T18:15:05Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Infinera hiT 7300 5.60.50. Cleartext storage of sensitive password in firmware update packages allows attackers to access various appliance services via hardcoded credentials.",
"id": "GHSA-qm4j-mqq4-36gx",
"modified": "2024-10-01T00:33:40Z",
"published": "2024-09-30T18:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28809"
},
{
"type": "WEB",
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2024-28809"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QMRW-RV7H-797C
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2024-04-04 02:26Dell ImageAssist versions prior to 8.7.15 contain an information disclosure vulnerability. Dell ImageAssist stores some sensitive encrypted information in the images it creates. A privileged user of a system running an operating system that was deployed with Dell ImageAssist could potentially retrieve this sensitive information to then compromise the system and related systems.
{
"affected": [],
"aliases": [
"CVE-2019-3767"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-14T18:15:00Z",
"severity": "HIGH"
},
"details": "Dell ImageAssist versions prior to 8.7.15 contain an information disclosure vulnerability. Dell ImageAssist stores some sensitive encrypted information in the images it creates. A privileged user of a system running an operating system that was deployed with Dell ImageAssist could potentially retrieve this sensitive information to then compromise the system and related systems.",
"id": "GHSA-qmrw-rv7h-797c",
"modified": "2024-04-04T02:26:12Z",
"published": "2022-05-24T16:58:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3767"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/article/us/en/19/sln318831/dsa-2019-139"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QMW7-QMMV-F8VJ
Vulnerability from github – Published: 2023-07-26 21:30 – Updated: 2024-04-04 06:22mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev loads configuration files in plain text into memory at application start-up, even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.
{
"affected": [],
"aliases": [
"CVE-2023-30367"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-26T21:15:09Z",
"severity": "HIGH"
},
"details": "mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version \u003c= v1.76.20 and \u003c= 1.77.3-dev loads configuration files in plain text into memory at application start-up, even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.",
"id": "GHSA-qmw7-qmmv-f8vj",
"modified": "2024-04-04T06:22:18Z",
"published": "2023-07-26T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30367"
},
{
"type": "WEB",
"url": "https://github.com/mRemoteNG/mRemoteNG/issues/2420"
},
{
"type": "WEB",
"url": "https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper"
},
{
"type": "WEB",
"url": "https://www.secuvera.de/advisories/secuvera-SA-2023-01.txt"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/173829/mRemoteNG-1.77.3.1784-NB-Sensitive-Information-Extraction.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QP33-R3Q7-6XC4
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-06-16 00:00A cleartext storage of sensitive information vulnerability in FortiOS command line interface in versions 6.2.4 and below may allow an authenticated attacker to obtain sensitive information such as users passwords by connecting to FortiGate CLI and executing the "diag sys ha checksum show" command.
{
"affected": [],
"aliases": [
"CVE-2020-6648"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-21T14:15:00Z",
"severity": "MODERATE"
},
"details": "A cleartext storage of sensitive information vulnerability in FortiOS command line interface in versions 6.2.4 and below may allow an authenticated attacker to obtain sensitive information such as users passwords by connecting to FortiGate CLI and executing the \"diag sys ha checksum show\" command.",
"id": "GHSA-qp33-r3q7-6xc4",
"modified": "2022-06-16T00:00:28Z",
"published": "2022-05-24T17:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6648"
},
{
"type": "WEB",
"url": "https://www.fortiguard.com/psirt/FG-IR-20-009"
},
{
"type": "WEB",
"url": "https://www.fortiguard.com/psirt/FG-IR-20-236"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQJR-HF5H-JX3Q
Vulnerability from github – Published: 2026-03-18 18:31 – Updated: 2026-03-19 12:47Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:loadninja"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33003"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T12:47:11Z",
"nvd_published_at": "2026-03-18T16:16:28Z",
"severity": "MODERATE"
},
"details": "Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.",
"id": "GHSA-qqjr-hf5h-jx3q",
"modified": "2026-03-19T12:47:11Z",
"published": "2026-03-18T18:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33003"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/loadninja-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2026-03-18/#SECURITY-3642"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins LoadNinja Plugin stores LoadNinja API keys unencrypted in job config.xml files"
}
GHSA-QQMJ-RRH7-547Q
Vulnerability from github – Published: 2025-01-23 18:31 – Updated: 2025-01-29 12:31Clear text secrets returned & Remote system secrets in clear text
{
"affected": [],
"aliases": [
"CVE-2024-55928"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-23T18:15:32Z",
"severity": "MODERATE"
},
"details": "Clear text secrets returned \u0026 Remote system secrets in clear text",
"id": "GHSA-qqmj-rrh7-547q",
"modified": "2025-01-29T12:31:45Z",
"published": "2025-01-23T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55928"
},
{
"type": "WEB",
"url": "https://securitydocs.business.xerox.com/wp-content/uploads/2025/01/Xerox-Security-Bulletin-XRX25-002-for-Xerox%C2%AE-Workplace-Suite%C2%AE.pdf"
},
{
"type": "WEB",
"url": "https://securitydocs.business.xerox.com/wp-content/uploads/2025/01/Xerox-Security-Bulletin-XRX25-002-for-Xerox%C2%AE-WorkplaceSuite%C2%AE.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QRCF-C92M-949R
Vulnerability from github – Published: 2025-01-23 18:31 – Updated: 2025-01-23 18:31ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.
{
"affected": [],
"aliases": [
"CVE-2024-12079"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-23T17:15:13Z",
"severity": "MODERATE"
},
"details": "ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.",
"id": "GHSA-qrcf-c92m-949r",
"modified": "2025-01-23T18:31:20Z",
"published": "2025-01-23T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12079"
},
{
"type": "WEB",
"url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.