CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-V8RW-4JH7-4CX9
Vulnerability from github – Published: 2024-12-10 21:30 – Updated: 2024-12-11 15:31TP-Link TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 was discovered to transmit user credentials in plaintext after executing a factory reset.
{
"affected": [],
"aliases": [
"CVE-2024-46340"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-10T20:15:15Z",
"severity": "HIGH"
},
"details": "TP-Link TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 was discovered to transmit user credentials in plaintext after executing a factory reset.",
"id": "GHSA-v8rw-4jh7-4cx9",
"modified": "2024-12-11T15:31:16Z",
"published": "2024-12-10T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46340"
},
{
"type": "WEB",
"url": "https://security.iiita.ac.in/iot/factory-reset.docx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-V933-RRV9-44P3
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2025-03-26 18:30The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive.
{
"affected": [],
"aliases": [
"CVE-2020-36248"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-19T08:15:00Z",
"severity": "MODERATE"
},
"details": "The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive.",
"id": "GHSA-v933-rrv9-44p3",
"modified": "2025-03-26T18:30:33Z",
"published": "2022-05-24T17:42:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36248"
},
{
"type": "WEB",
"url": "https://owncloud.com/security-advisories/bypassing-app-lock-pattern-passcode-fingerprint-lock-android-oc-sa-2020-003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V9W3-34XQ-HRJG
Vulnerability from github – Published: 2023-12-13 18:31 – Updated: 2023-12-18 21:43Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.cloudtp.jenkins:paaslane-estimate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50777"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-13T23:15:24Z",
"nvd_published_at": "2023-12-13T18:15:44Z",
"severity": "MODERATE"
},
"details": "Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier does not mask PaaSLane authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.",
"id": "GHSA-v9w3-34xq-hrjg",
"modified": "2023-12-18T21:43:29Z",
"published": "2023-12-13T18:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50777"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/paaslane-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3182"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/12/13/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Tokens stored in plain text by PaaSLane Estimate Plugin "
}
GHSA-V9W7-JFHC-2MJ9
Vulnerability from github – Published: 2024-10-10 09:30 – Updated: 2024-10-10 09:30The conformance validation endpoint is public so everybody can verify the conformance of onboarded services. The response could contain specific information about the service, including available endpoints, and swagger. It could advise about the running version of a service to an attacker. The attacker could also check if a service is running.
{
"affected": [],
"aliases": [
"CVE-2024-9802"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-10T08:15:04Z",
"severity": "MODERATE"
},
"details": "The conformance validation endpoint is public so everybody can verify the conformance of onboarded services. The response could contain specific information about the service, including available endpoints, and swagger. It could advise about the running version of a service to an attacker. The attacker could also check if a service is running.",
"id": "GHSA-v9w7-jfhc-2mj9",
"modified": "2024-10-10T09:30:35Z",
"published": "2024-10-10T09:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9802"
},
{
"type": "WEB",
"url": "https://github.com/zowe/api-layer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VCGF-CP2M-H8GW
Vulnerability from github – Published: 2023-07-11 09:30 – Updated: 2024-04-04 05:55A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.
{
"affected": [],
"aliases": [
"CVE-2022-22302"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-11T09:15:09Z",
"severity": "LOW"
},
"details": "A clear text storage of sensitive information (CWE-312) vulnerability in both FortiGate version 6.4.0 through 6.4.1, 6.2.0 through 6.2.9 and 6.0.0 through 6.0.13 and FortiAuthenticator version 5.5.0 and all versions of 6.1 and 6.0 may allow a local unauthorized party to retrieve the Fortinet private keys used to establish secure communication with both Apple Push Notification and Google Cloud Messaging services, via accessing the files on the filesystem.",
"id": "GHSA-vcgf-cp2m-h8gw",
"modified": "2024-04-04T05:55:05Z",
"published": "2023-07-11T09:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22302"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-20-014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VF32-GCPR-VGFQ
Vulnerability from github – Published: 2022-11-04 12:00 – Updated: 2024-02-12 21:30"IBM Robotic Process Automation 21.0.1 and 21.0.2 could disclose sensitive version information that could aid in further attacks against the system. IBM X-Force ID: 234292."
{
"affected": [],
"aliases": [
"CVE-2022-38710"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312",
"CWE-319",
"CWE-497"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-03T20:15:00Z",
"severity": "MODERATE"
},
"details": "\"IBM Robotic Process Automation 21.0.1 and 21.0.2 could disclose sensitive version information that could aid in further attacks against the system. IBM X-Force ID: 234292.\"",
"id": "GHSA-vf32-gcpr-vgfq",
"modified": "2024-02-12T21:30:54Z",
"published": "2022-11-04T12:00:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38710"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/234292"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6831681"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VF9W-8JQ5-G3F2
Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2026-06-01 09:31Cleartext Storage of Sensitive Information in SICK FTMg AIR FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote attacker to potentially steal user credentials that are stored in the user’s browsers local storage via cross-site-scripting attacks.
{
"affected": [],
"aliases": [
"CVE-2023-31408"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-15T11:15:09Z",
"severity": "HIGH"
},
"details": "Cleartext Storage of Sensitive Information in SICK FTMg AIR FLOW SENSOR with\nPartnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows a remote\nattacker to potentially steal user credentials that are stored in the user\u2019s browsers local storage via\ncross-site-scripting attacks.",
"id": "GHSA-vf9w-8jq5-g3f2",
"modified": "2026-06-01T09:31:10Z",
"published": "2023-07-06T21:14:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31408"
},
{
"type": "WEB",
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0004.json"
},
{
"type": "WEB",
"url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0004.pdf"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VFC9-93VH-4X8H
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.
{
"affected": [],
"aliases": [
"CVE-2017-5249"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-22T16:29:00Z",
"severity": "CRITICAL"
},
"details": "In version 6.1.0.19 and prior of Wink Labs\u0027s Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.",
"id": "GHSA-vfc9-93vh-4x8h",
"modified": "2022-05-13T01:36:38Z",
"published": "2022-05-13T01:36:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5249"
},
{
"type": "WEB",
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VFRH-2HH5-C79G
Vulnerability from github – Published: 2022-05-12 00:01 – Updated: 2022-05-20 00:00During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems’ Confidentiality, Integrity, and Availability.
{
"affected": [],
"aliases": [
"CVE-2022-28214"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-11T15:15:00Z",
"severity": "HIGH"
},
"details": "During an update of SAP BusinessObjects Enterprise, Central Management Server (CMS) - versions 420, 430, authentication credentials are being exposed in Sysmon event logs. This Information Disclosure could cause a high impact on systems\u2019 Confidentiality, Integrity, and Availability.",
"id": "GHSA-vfrh-2hh5-c79g",
"modified": "2022-05-20T00:00:52Z",
"published": "2022-05-12T00:01:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28214"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2998510"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VG4W-V23F-W7R7
Vulnerability from github – Published: 2026-05-14 18:32 – Updated: 2026-05-27 21:31CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized attacker accesses the source code for editing or compiling it.
{
"affected": [],
"aliases": [
"CVE-2026-6332"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T18:16:51Z",
"severity": "MODERATE"
},
"details": "CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized attacker accesses the source code for editing or compiling it.",
"id": "GHSA-vg4w-v23f-w7r7",
"modified": "2026-05-27T21:31:18Z",
"published": "2026-05-14T18:32:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6332"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-132-01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.