CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-X29X-MQ6W-9Q67
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2023-02-02 21:33A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled. This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into the cluster via the WebUI or via the command line in the last 24 hours. Once the backup is older than 24 hours the OAuth tokens are no longer valid.
{
"affected": [],
"aliases": [
"CVE-2020-10706"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in OpenShift Container Platform where OAuth tokens are not encrypted when the encryption of data at rest is enabled. This flaw allows an attacker with access to a backup to obtain OAuth tokens and then use them to log into the cluster as any user who logged into the cluster via the WebUI or via the command line in the last 24 hours. Once the backup is older than 24 hours the OAuth tokens are no longer valid.",
"id": "GHSA-x29x-mq6w-9q67",
"modified": "2023-02-02T21:33:42Z",
"published": "2022-05-24T17:17:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10706"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2020:4196"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2020-10706"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819011"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10706"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X2H8-3VCP-JMGR
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18IBM Jazz Team Server products stores user credentials in clear text which can be read by an authenticated user. IBM X-Force ID: 203172.
{
"affected": [],
"aliases": [
"CVE-2021-29786"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-27T16:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Jazz Team Server products stores user credentials in clear text which can be read by an authenticated user. IBM X-Force ID: 203172.",
"id": "GHSA-x2h8-3vcp-jmgr",
"modified": "2022-05-24T19:18:56Z",
"published": "2022-05-24T19:18:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29786"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/203172"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6508583"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X328-GFW7-CR8V
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2023-09-27 15:30Sensitive information disclosure due to cleartext storage of sensitive information in memory. The following products are affected: Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.
{
"affected": [],
"aliases": [
"CVE-2023-44153"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-316"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:37Z",
"severity": "LOW"
},
"details": "Sensitive information disclosure due to cleartext storage of sensitive information in memory. The following products are affected: Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 35979.",
"id": "GHSA-x328-gfw7-cr8v",
"modified": "2023-09-27T15:30:39Z",
"published": "2023-09-27T15:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44153"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-1994"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X3V2-M57V-7M9W
Vulnerability from github – Published: 2023-08-09 00:31 – Updated: 2024-04-04 06:43Cleartext storage of sensitive information in Zoom Client SDK for Windows before 5.15.0 may allow an authenticated user to enable an information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2023-39210"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-08T22:15:10Z",
"severity": "MODERATE"
},
"details": "Cleartext storage of sensitive information in Zoom Client SDK for Windows before 5.15.0 may allow an authenticated user to enable an information disclosure via local access.",
"id": "GHSA-x3v2-m57v-7m9w",
"modified": "2024-04-04T06:43:09Z",
"published": "2023-08-09T00:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39210"
},
{
"type": "WEB",
"url": "https://explore.zoom.us/en/trust/security/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X46J-FG45-FQP8
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-08-31 00:00Cleartext Storage of Sensitive Information in Memory vulnerability in Gallagher Command Centre Server allows Cloud end-to-end encryption key to be discoverable in server memory dumps. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3).
{
"affected": [],
"aliases": [
"CVE-2021-23211"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T16:15:00Z",
"severity": "MODERATE"
},
"details": "Cleartext Storage of Sensitive Information in Memory vulnerability in Gallagher Command Centre Server allows Cloud end-to-end encryption key to be discoverable in server memory dumps. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 (MR3).",
"id": "GHSA-x46j-fg45-fqp8",
"modified": "2022-08-31T00:00:21Z",
"published": "2022-05-24T19:05:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23211"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/Security-Advisories/CVE-2021-23211"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X6G3-WGPM-QHCQ
Vulnerability from github – Published: 2023-08-31 03:30 – Updated: 2025-02-13 18:31Possible information exposure through log file vulnerability where sensitive fields are recorded in the configuration log without masking on Brocade SANnav before v2.3.0 and 2.2.2a. Notes: To access the logs, the local attacker must have access to an already collected Brocade SANnav "supportsave" outputs.
{
"affected": [],
"aliases": [
"CVE-2023-31423"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T01:15:07Z",
"severity": "MODERATE"
},
"details": "Possible\n information exposure through log file vulnerability where sensitive \nfields are recorded in the configuration log without masking on Brocade \nSANnav before v2.3.0 and 2.2.2a. Notes:\n To access the logs, the local attacker must have access to an already collected Brocade SANnav \"supportsave\" \noutputs.",
"id": "GHSA-x6g3-wgpm-qhcq",
"modified": "2025-02-13T18:31:51Z",
"published": "2023-08-31T03:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31423"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240229-0003"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22508"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7HF-RFV2-7QQQ
Vulnerability from github – Published: 2022-05-01 02:02 – Updated: 2024-02-13 18:38D-Link DSL-504T stores usernames and passwords in cleartext in the router configuration file, which allows remote attackers to obtain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2005-1828"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-05-26T04:00:00Z",
"severity": "HIGH"
},
"details": "D-Link DSL-504T stores usernames and passwords in cleartext in the router configuration file, which allows remote attackers to obtain sensitive information.",
"id": "GHSA-x7hf-rfv2-7qqq",
"modified": "2024-02-13T18:38:20Z",
"published": "2022-05-01T02:02:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1828"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=111722515805478\u0026w=2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7JQ-PPP9-85CF
Vulnerability from github – Published: 2023-08-08 15:33 – Updated: 2024-04-04 06:39PHPJabbers Class Scheduling System 1.0 lacks encryption on the password when editing a user account (update user page) allowing an attacker to capture all user names and passwords in clear text.
{
"affected": [],
"aliases": [
"CVE-2023-36136"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-08T15:15:10Z",
"severity": "MODERATE"
},
"details": "PHPJabbers Class Scheduling System 1.0 lacks encryption on the password when editing a user account (update user page) allowing an attacker to capture all user names and passwords in clear text.",
"id": "GHSA-x7jq-ppp9-85cf",
"modified": "2024-04-04T06:39:59Z",
"published": "2023-08-08T15:33:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36136"
},
{
"type": "WEB",
"url": "https://medium.com/%40blakehodder/additional-vulnerabilities-in-php-jabbers-scripts-c6bbd89b24bb"
},
{
"type": "WEB",
"url": "https://medium.com/@blakehodder/additional-vulnerabilities-in-php-jabbers-scripts-c6bbd89b24bb"
},
{
"type": "WEB",
"url": "https://www.phpjabbers.com/class-scheduling-system"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7V8-768Q-2M8H
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-07-28 00:00Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext.
{
"affected": [],
"aliases": [
"CVE-2021-30183"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-14T11:15:00Z",
"severity": "HIGH"
},
"details": "Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt sensitive values would be written to the logs in plaintext.",
"id": "GHSA-x7v8-768q-2m8h",
"modified": "2022-07-28T00:00:45Z",
"published": "2022-05-24T19:02:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30183"
},
{
"type": "WEB",
"url": "https://advisories.octopus.com/adv/2021-03---Cleartext-Storage-of-Sensitive-Information-(CVE-2021-30183).1817083941.html"
},
{
"type": "WEB",
"url": "https://github.com/OctopusDeploy/Issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7WP-8FF2-7844
Vulnerability from github – Published: 2022-04-03 00:00 – Updated: 2022-04-09 00:00Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions and Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions allows a remote unauthenticated attacker to disclose a file in a legitimate user's product by using previously eavesdropped cleartext information and to counterfeit a legitimate user's system.
{
"affected": [],
"aliases": [
"CVE-2022-25160"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-01T23:15:00Z",
"severity": "MODERATE"
},
"details": "Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions and Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions allows a remote unauthenticated attacker to disclose a file in a legitimate user\u0027s product by using previously eavesdropped cleartext information and to counterfeit a legitimate user\u0027s system.",
"id": "GHSA-x7wp-8ff2-7844",
"modified": "2022-04-09T00:00:38Z",
"published": "2022-04-03T00:00:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25160"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU96577897/index.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.