
CWE-256 (Plaintext Storage of a Password) — Vulnerability Class 160

160 vulnerabilities classified as CWE-256 (Plaintext Storage of a Password). AI Chinese analysis included.

CWE-256 represents a critical data exposure weakness where sensitive authentication credentials are stored in an unencrypted, readable format within system memory, configuration files, or databases. This vulnerability is typically exploited by attackers who gain unauthorized access to the underlying storage medium, allowing them to directly retrieve user passwords without needing to bypass complex cryptographic defenses. Once obtained, these plaintext credentials can be used for immediate account takeover, lateral movement within a network, or credential stuffing attacks against other services. To mitigate this risk, developers must never store raw passwords. Instead, they should implement robust hashing algorithms, such as bcrypt or Argon2, with unique salts for each user. Additionally, employing secure key management systems and ensuring strict access controls over storage resources further reduces the likelihood of accidental exposure or malicious extraction.

MITRE CWE Description
The product stores a password in plaintext within resources such as memory or files.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.
Mitigations (3)
Architecture and Design: Avoid storing passwords in easily accessible locations.
Architecture and Design: Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
Effectiveness: None
Examples (2)
The following code reads a password from a properties file and uses the password to connect to a database.

```java
import java.io.FileInputStream;
import java.sql.DriverManager;
import java.util.Properties;
...
// The database password sits in plaintext in config.properties:
// anyone who can read the file obtains the credential.
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = prop.getProperty("password");
DriverManager.getConnection(url, usr, password);
...
```
Bad · Java

The following code reads a password from the registry and uses the password to create a new network credential.

```csharp
...
// The password is stored in plaintext in the Windows registry:
// any account that can read the key obtains the credential.
string password = regKey.GetValue(passKey).ToString();
NetworkCredential netCred = new NetworkCredential(username, password, domain);
...
```
Bad · C#
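The following is an added example, not code from the CWE entry or from MITRE; it shows why the base64 "obscuring" named under Mitigations is no protection, and what a salted, iterated password hash record looks like alongside it. PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt/Argon2 the overview recommends (those need third-party packages); the record format, the iteration count and the sample config line are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: a "bad" config line whose password is merely base64-encoded.
OBSCURED_LINE = "db.password=" + base64.b64encode(b"hunter2").decode()

def recover_obscured(line: str) -> str:
    """Encoding is reversible: whoever can read the file has the password."""
    return base64.b64decode(line.split("=", 1)[1]).decode()

# Assumed work factor for PBKDF2-SHA256 (raise it as hardware allows).
ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password
    get different records, which defeats precomputed tables.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    print("recovered from 'obscured' line:", recover_obscured(OBSCURED_LINE))
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify right password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", record))
```

Hashing applies to passwords the application only needs to verify (user logins); a service credential like the database password in the Java example above must be used as-is, so it belongs in a secrets store or access-controlled location rather than in a readable file.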
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-50956 | IBM Storage Defender - Resiliency Service information disclosure | Storage Defender - Resiliency Service | 4.4 | Medium | 2024-12-18 |
| CVE-2024-53292 | Dell VxVerify security vulnerability | Dell VxRail HCI | 7.2 | High | 2024-12-11 |
| CVE-2024-11982 | Billion Electric router - Plaintext Storage of a Password | M100 | 7.2 | High | 2024-11-29 |
| CVE-2024-36464 | Media Types: Office365, SMTP passwords are unencrypted and visible in plaintext when exported | Zabbix | 2.7 | Low | 2024-11-27 |
| CVE-2024-29978 | Sharp MFP security vulnerability | Multiple MFPs (multifunction printers) | 5.9 | Medium | 2024-11-26 |
| CVE-2024-49351 | IBM Workload Scheduler information disclosure | Workload Scheduler | 5.5 | Medium | 2024-11-26 |
| CVE-2024-49370 | Change-Password via Portal-Profile sets PimcoreBackendUser password without hashing | pimcore | 6.5 (AI) | Medium (AI) | 2024-10-23 |
| CVE-2024-42496 | Smart-tab security vulnerability | Smart-tab Android app | 6.8 | - | 2024-09-30 |
| CVE-2024-31899 | IBM Cognos Command Center information disclosure | Cognos Command Center | 4.3 | Medium | 2024-09-26 |
| CVE-2024-5960 | Plaintext Storage of a Password in Eliz Software's Panel | Panel | 9.8 | Critical | 2024-09-18 |
| CVE-2024-20489 | Cisco Routed Passive Optical Network Cleartext Password Vulnerability | Cisco IOS XR Software | 8.4 | High | 2024-09-11 |
| CVE-2024-45283 | Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service) | SAP NetWeaver AS for Java (Destination Service) | 6.0 | Medium | 2024-09-10 |
| CVE-2024-43378 | calamares-nixos-extensions LUKS keyfile exposure regression on legacy BIOS systems | calamares-nixos-extensions | 7.8 | High | 2024-08-15 |
| CVE-2024-39922 | Siemens LOGO! security vulnerability | LOGO! 12/24RCE | 4.6 | Medium | 2024-08-13 |
| CVE-2024-36460 | Front-end audit log shows passwords in plaintext | Zabbix | 8.1 | High | 2024-08-09 |
| CVE-2024-6118 | Hamastar MeetingHub Paperless Meetings - Plaintext Storage of a Password | MeetingHub Paperless Meetings | 7.8 (AI) | High (AI) | 2024-08-05 |
| CVE-2024-37135 | Dell DM5500 security vulnerability | Data Manager Appliance Software (DMAS) | 3.3 | Low | 2024-07-31 |
| CVE-2024-3082 | Plug and Track Sensor Net Connect security vulnerability | Sensor Net Connect V2 | 4.2 | Medium | 2024-07-31 |
| CVE-2024-39733 | IBM Datacap Navigator information disclosure | Datacap Navigator | 5.5 | Medium | 2024-07-14 |
| CVE-2024-25052 | IBM Jazz Reporting Service information disclosure | Jazz Reporting Service | 4.4 | Medium | 2024-06-13 |
| CVE-2024-4232 | Password Storage in Plaintext Vulnerability in Digisol Router | Digisol Router DG-GR1321 | 3.9 | - | 2024-05-10 |
| CVE-2024-4425 | Storing credentials in plaintext in CemiPark | CemiPark | 7.5 | - | 2024-05-09 |
| CVE-2024-28971 | Dell Update Manager Plugin security vulnerability | Update Manager Plugin | 3.5 | Low | 2024-05-08 |
| CVE-2024-28961 | Dell OpenManage Enterprise security vulnerability | Dell OpenManage Enterprise | 6.3 | Medium | 2024-04-29 |
| CVE-2024-3624 | Mirror-registry: database user and password stored in plain-text | | 7.3 | High | 2024-04-25 |
| CVE-2024-3625 | Mirror-registry: redis password stored in plain-text | | 7.3 | High | 2024-04-25 |
| CVE-2024-3623 | Mirror-registry: default database secret key stored in plain-text on initial configuration file | | 6.5 | Medium | 2024-04-25 |
| CVE-2024-3622 | Mirror-registry: plain-text default csrf secret key | | 8.8 | High | 2024-04-25 |
| CVE-2024-28782 | IBM QRadar Suite Software information disclosure | QRadar Suite Software | 6.3 | Medium | 2024-04-03 |
| CVE-2024-25138 | AutomationDirect C-MORE EA9 HMI Plaintext Storage of a Password | C-MORE EA9 HMI EA9-T6CL | 6.5 | Medium | 2024-03-26 |

Values marked (AI) carry the page's AI-generated badge rather than a score taken from the CVE record.

Vulnerabilities classified as CWE-256 (Plaintext Storage of a Password) represent 160 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.