CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-R7JQ-2WVX-J3G6
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24A CWE-316: Cleartext Storage of Sensitive Information in Memory vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker access to login credentials.
{
"affected": [],
"aliases": [
"CVE-2020-7516"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-23T21:15:00Z",
"severity": "LOW"
},
"details": "A CWE-316: Cleartext Storage of Sensitive Information in Memory vulnerability exists in Easergy Builder (Version 1.4.7.2 and older) which could allow an attacker access to login credentials.",
"id": "GHSA-r7jq-2wvx-j3g6",
"modified": "2022-05-24T17:24:17Z",
"published": "2022-05-24T17:24:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7516"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-161-05"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-161-05"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R84C-86VG-4C66
Vulnerability from github – Published: 2024-03-07 03:30 – Updated: 2024-08-29 21:31SQL injection vulnerability in Jfinalcms v.5.0.0 allows a remote attacker to obtain sensitive information via /admin/admin name parameter.
{
"affected": [],
"aliases": [
"CVE-2024-24375"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-89"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-07T01:15:52Z",
"severity": "HIGH"
},
"details": "SQL injection vulnerability in Jfinalcms v.5.0.0 allows a remote attacker to obtain sensitive information via /admin/admin name parameter.",
"id": "GHSA-r84c-86vg-4c66",
"modified": "2024-08-29T21:31:02Z",
"published": "2024-03-07T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24375"
},
{
"type": "WEB",
"url": "https://github.com/RiverGone/records/blob/main/JFinalcms-admin-admin-name.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R85R-2583-Q5CQ
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2024-07-30 03:30An issue was discovered in WiZ Colors A60 1.14.0. Wi-Fi credentials are stored in cleartext in flash memory, which presents an information-disclosure risk for a discarded or resold device.
{
"affected": [],
"aliases": [
"CVE-2020-11924"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-02T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in WiZ Colors A60 1.14.0. Wi-Fi credentials are stored in cleartext in flash memory, which presents an information-disclosure risk for a discarded or resold device.",
"id": "GHSA-r85r-2583-q5cq",
"modified": "2024-07-30T03:30:50Z",
"published": "2022-05-24T17:46:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11924"
},
{
"type": "WEB",
"url": "https://www.eurofins-cybersecurity.com/news/connected-devices-wiz-smart-lightbulbs"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Jul/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9W4-5F8X-9RMM
Vulnerability from github – Published: 2023-07-13 15:30 – Updated: 2024-04-04 06:07An issue found in ALBIS Co. ALBIS v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp ALBIS function.
{
"affected": [],
"aliases": [
"CVE-2023-31821"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T15:15:09Z",
"severity": "HIGH"
},
"details": "An issue found in ALBIS Co. ALBIS v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp ALBIS function.",
"id": "GHSA-r9w4-5f8x-9rmm",
"modified": "2024-04-04T06:07:24Z",
"published": "2023-07-13T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31821"
},
{
"type": "WEB",
"url": "https://github.com/syz913/CVE-reports/blob/main/CVE-2023-31821.md"
},
{
"type": "WEB",
"url": "http://albis.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9XC-54CQ-99R7
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-11-02 00:05Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.elasticbox.jenkins-ci.plugins:elasticbox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10450"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-02T00:05:16Z",
"nvd_published_at": "2019-10-16T14:15:00Z",
"severity": "LOW"
},
"details": "Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.",
"id": "GHSA-r9xc-54cq-99r7",
"modified": "2022-11-02T00:05:16Z",
"published": "2022-05-24T16:58:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10450"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1434"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cleartext Storage of Sensitive Information in Jenkins ElasticBox CI Plugin"
}
GHSA-RC78-PC2Q-79XC
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08An issue was discovered in Xuperchain 3.6.0 that allows for attackers to recover any arbitrary users' private key after obtaining the partial signature in multisignature.
{
"affected": [],
"aliases": [
"CVE-2020-22741"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-19T19:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Xuperchain 3.6.0 that allows for attackers to recover any arbitrary users\u0027 private key after obtaining the partial signature in multisignature.",
"id": "GHSA-rc78-pc2q-79xc",
"modified": "2022-05-24T19:08:25Z",
"published": "2022-05-24T19:08:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22741"
},
{
"type": "WEB",
"url": "https://github.com/xuperchain/xuperchain/issues/782"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RCQQ-FM3C-9R79
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the 'Edit MySQL Configuration' command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).
{
"affected": [],
"aliases": [
"CVE-2021-31581"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-22T19:15:00Z",
"severity": "MODERATE"
},
"details": "The restricted shell provided by Akkadian Provisioning Manager Engine (PME) can be escaped by abusing the \u0027Edit MySQL Configuration\u0027 command. This command launches a standard vi editor interface which can then be escaped. This issue was resolved in Akkadian OVA appliance version 3.0 (and later), Akkadian Provisioning Manager 5.0.2 (and later), and Akkadian Appliance Manager 3.3.0.314-4a349e0 (and later).",
"id": "GHSA-rcqq-fm3c-9r79",
"modified": "2022-05-24T19:08:55Z",
"published": "2022-05-24T19:08:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31581"
},
{
"type": "WEB",
"url": "https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RFH6-9R2Q-98VF
Vulnerability from github – Published: 2025-03-06 00:31 – Updated: 2025-03-06 22:29Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI.
This allows attackers with View/Read permission to view encrypted values of secrets.
Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in view config.xml accessed via REST API or CLI for users lacking View/Configure permission.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.492.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.main:jenkins-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.493"
},
{
"fixed": "2.500"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27623"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-06T22:29:49Z",
"nvd_published_at": "2025-03-05T23:15:14Z",
"severity": "MODERATE"
},
"details": "Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or CLI.\n\nThis allows attackers with View/Read permission to view encrypted values of secrets.\n\nJenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in view `config.xml` accessed via REST API or CLI for users lacking View/Configure permission.",
"id": "GHSA-rfh6-9r2q-98vf",
"modified": "2025-03-06T22:29:49Z",
"published": "2025-03-06T00:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27623"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/jenkins/commit/923cdbc165e8b8523ae960dfee5f7354878532d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/jenkins"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3496"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission"
}
GHSA-RH7M-R3XM-V5XG
Vulnerability from github – Published: 2026-07-03 09:31 – Updated: 2026-07-03 09:31Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent's local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api 1.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 & PE 2025.11.0.
{
"affected": [],
"aliases": [
"CVE-2026-8804"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-03T08:16:25Z",
"severity": "MODERATE"
},
"details": "Puppet resource_api (shipped in Puppet Core 8.x and Puppet Enterprise 2023.8.x and 2025.x) does not preserve the sensitive flag on parameters defined via the resource-api, causing values such as passwords to be stored in cleartext in the agent\u0027s local transaction state cache. Affected versions of the resource_api module include all versions between 1.5.0 - 1.9.1 and 2.0.0 The issue was fixed in puppet resource_api\u00a01.9.2 and 2.0.1 released with Puppet Core 8.20.0 and PE 2023.8.10 \u0026 PE 2025.11.0.",
"id": "GHSA-rh7m-r3xm-v5xg",
"modified": "2026-07-03T09:31:28Z",
"published": "2026-07-03T09:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8804"
},
{
"type": "WEB",
"url": "https://portal.perforce.com/s/cve/a91Qi000003511lIAA/cve20268804-cleartext-storage-of-sensitive-information-for-puppet-resource-api"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RHH2-F22C-XH7F
Vulnerability from github – Published: 2024-11-04 12:32 – Updated: 2024-11-08 15:31This vulnerability exists in TP-Link IoT Smart Hub due to storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the Wi-Fi credentials stored on the vulnerable device.
{
"affected": [],
"aliases": [
"CVE-2024-10523"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T12:16:09Z",
"severity": "MODERATE"
},
"details": "This vulnerability exists in TP-Link IoT Smart Hub due to storage of Wi-Fi credentials in plain text within the device firmware. An attacker with physical access could exploit this by extracting the firmware and analyzing the binary data to obtain the Wi-Fi credentials stored on the vulnerable device.",
"id": "GHSA-rhh2-f22c-xh7f",
"modified": "2024-11-08T15:31:12Z",
"published": "2024-11-04T12:32:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10523"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0331"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.