
CWE-256 (Plaintext Storage of a Password) — Vulnerability Class 160

160 vulnerabilities classified as CWE-256 (Plaintext Storage of a Password). AI-generated analysis in Chinese included.

CWE-256 represents a critical data exposure weakness where sensitive authentication credentials are stored in an unencrypted, readable format within system memory, configuration files, or databases. This vulnerability is typically exploited by attackers who gain unauthorized access to the underlying storage medium, allowing them to directly retrieve user passwords without needing to bypass complex cryptographic defenses. Once obtained, these plaintext credentials can be used for immediate account takeover, lateral movement within a network, or credential stuffing attacks against other services. To mitigate this risk, developers must never store raw passwords. Instead, they should implement robust hashing algorithms, such as bcrypt or Argon2, with unique salts for each user. Additionally, employing secure key management systems and ensuring strict access controls over storage resources further reduces the likelihood of accidental exposure or malicious extraction.

MITRE CWE Description
The product stores a password in plaintext within resources such as memory or files.
Common Consequences (1)
Scope: Access Control
Impact: Gain Privileges or Assume Identity
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.
Mitigations (3)
Phase: Architecture and Design. Avoid storing passwords in easily accessible locations.
Phase: Architecture and Design. Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
Effectiveness: None
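The two mitigation points above (store a salted cryptographic hash; base64 "obscuring" is not protection) as a runnable illustration. This is an added example, not code from MITRE or from this page. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt or Argon2, which need third-party packages; the iteration count, salt size and the record format `pbkdf2_sha256$iterations$salt$hash` are choices made for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for this example; PBKDF2-HMAC-SHA256 stands in for
# bcrypt/Argon2 because it ships with the standard library.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def obscure_with_base64(password: str) -> str:
    """The 'encoding' non-mitigation from the CWE text: looks opaque, is not."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_from_base64(stored: str) -> str:
    """Anyone who can read the stored value gets the password back unchanged."""
    return base64.b64decode(stored).decode("utf-8")


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables are useless.
    """
    if not salt:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=DERIVED_KEY_BYTES)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
                             int(iterations), dklen=len(hash_hex) // 2)
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(dk.hex(), hash_hex)


def demo() -> dict:
    """Constructed sample password run through both the bad and the good approach."""
    pw = "correct horse battery staple"
    encoded = obscure_with_base64(pw)
    rec1 = hash_password(pw)
    rec2 = hash_password(pw)
    return {
        "base64_recovers_plaintext": recover_from_base64(encoded) == pw,
        "records_differ_for_same_password": rec1 != rec2,
        "verify_ok": verify_password(pw, rec1),
        "verify_wrong": verify_password(pw + "r", rec1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The record carries its own algorithm name, iteration count and salt, so the verifier needs no out-of-band configuration and the iteration count can be raised for new records without invalidating old ones. Note that this applies to credentials the application authenticates *against*; a password the application must *present* to another system (the database password in the CWE example) cannot be hashed and instead belongs in a secret store or environment injected at runtime.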
Examples (2)
The following code reads a password from a properties file and uses the password to connect to a database.
    ...
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...
Bad · Java
The following code reads a password from the registry and uses the password to create a new network credential.
    ...
    String password = regKey.GetValue(passKey).toString();
    NetworkCredential netCred = new NetworkCredential(username, password, domain);
    ...
Bad · Java
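Both examples above read a credential that sits readable on disk (a properties file, a registry value). A defender-side complement is a small scanner that flags such entries in configuration files, including values that are merely base64-encoded, while accepting runtime indirections (environment or secret-store references). This is an added example, not code from MITRE or from this page; the properties content, the key-name pattern and the `${env:...}` / `vault:` indirection syntaxes are constructed for the example.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample of a Java-style properties file: the plaintext pattern
# from the CWE example, a base64-"obscured" value, and two runtime indirections.
SAMPLE_PROPERTIES = """\
db.url=jdbc:postgresql://db.internal:5432/app
db.user=app
# plaintext secret on disk: the CWE-256 pattern
db.password=Summer2024!
# base64 is encoding, not protection
smtp.password=U3VtbWVyMjAyNCE=
# indirections resolved at runtime are what we want to see
api.secret=${env:API_SECRET}
vault.token=vault:secret/data/app#token
ldap.password=
"""

# Key names that usually hold a credential (heuristic, tune per code base).
CREDENTIAL_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|token|api[_.-]?key)\s*$", re.I)
# Value shapes that are references resolved at runtime rather than the secret itself.
INDIRECTION = re.compile(r"^(\$\{[^}]+\}|vault:|env:|file:)", re.I)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def looks_base64_text(value: str) -> bool:
    """True if the value is valid base64 that decodes to printable text (a disguised secret)."""
    if not B64_SHAPE.match(value) or len(value) % 4:
        return False
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return len(decoded) > 0 and decoded.isprintable()


def scan_properties(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, key, finding) for credential keys whose value is readable on disk."""
    findings: List[Tuple[int, str, str]] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank, comment, or not a key=value line
        key, value = (part.strip() for part in line.split("=", 1))
        if not CREDENTIAL_KEY.search(key):
            continue
        if not value:
            continue  # nothing stored
        if INDIRECTION.match(value):
            continue  # resolved from environment or secret store at runtime
        if looks_base64_text(value):
            findings.append((no, key, "base64-encoded plaintext (encoding is not protection)"))
        else:
            findings.append((no, key, "plaintext credential"))
    return findings


if __name__ == "__main__":
    for line_no, key, finding in scan_properties(SAMPLE_PROPERTIES):
        print(f"line {line_no}: {key}: {finding}")
```

The base64 check is deliberately a heuristic: a genuine password that happens to be valid base64 and decodes to printable text is reported under the base64 label rather than missed, which is the safer error for a scanner of this kind.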
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-26165 | Visual Studio Code Elevation of Privilege Vulnerability | Visual Studio Code | 8.8 | High | 2024-03-12
CVE-2023-5775 | BackWPup <= 4.0.2 - Plaintext Storage of Backup Destination Password | BackWPup – WordPress Backup & Restore Plugin | 2.2 | Low | 2024-02-24
CVE-2024-26133 | EventStoreDB Projections Subsystem has potential password leak | EventStore | 5.5 | Medium | 2024-02-21
CVE-2024-22312 | IBM Storage Defender - Resiliency Service information disclosure | Storage Defender - Resiliency Service | 4.4 | Medium | 2024-02-10
CVE-2023-6518 | Password Disclosure in Mia Technology's Mia-Med | MİA-MED | 7.5 | High | 2024-02-08
CVE-2024-21869 | Plaintext Storage of a Password in Rapid SCADA | Rapid SCADA | 6.2 | Medium | 2024-02-01
CVE-2024-22432 | Dell NetWorker security vulnerability | NetWorker Module for Databases and Applications - Oracle | 7.8 | High | 2024-01-25
CVE-2023-44300 | Dell DM5500 security vulnerability | Dell PowerProtect Data Manager DM5500 Appliance | 5.5 | Medium | 2023-12-04
CVE-2023-48700 | Clear Text Credentials Exposed via Onboarding Task | nautobot-plugin-device-onboarding | 5.7 | Medium | 2023-11-21
CVE-2023-42493 | EisBaer Scada - CWE-256: Plaintext Storage of a Password | v3.0.6433.1964 | 7.1 | High | 2023-10-25
CVE-2023-43777 | Insecure storage of password in easySoft | easySoft | 5.9 | Medium | 2023-10-17
CVE-2023-27315 | Information Disclosure Vulnerability in SnapGathers | SnapGathers | 6.5 | Medium | 2023-10-12
CVE-2022-47561 | Unprotected Storage of Credentials in Ormazabal products | ekorCCP | 7.3 | High | 2023-09-20
CVE-2023-39452 | Socomec MOD3GP-SY-120K Plaintext Storage of a Password | MODULYS GP (MOD3GP-SY-120K) | 7.5 | High | 2023-09-18
CVE-2022-3261 | Plain-text passwords saved in /var/log/messages | openstack | 4.4 | Medium | 2023-09-15
CVE-2023-4984 | didi KnowSearch 1 credentials storage | KnowSearch | 4.3 | Medium | 2023-09-15
CVE-2023-4400 | McAfee Skyhigh Secure Web Gateway security vulnerability | Skyhigh Secure Web Gateway (SWG) | 6.2 | Medium | 2023-09-13
CVE-2023-4918 | Plaintext storage of user password | keycloak | 8.8 | High | 2023-09-12
CVE-2023-39227 | Softneta MedDream PACS Plaintext Storage of a Password | MedDream PACS | 6.1 | Medium | 2023-09-11
CVE-2023-35067 | Plaintext Storage of a Password in Infodrom Softwares E-Invoice Approval System | E-Invoice Approval System | 7.5 | High | 2023-07-25
CVE-2023-35765 | PiiGAB M-Bus Plaintext Storage of a Password | M-Bus SoftwarePack | 6.5 | Medium | 2023-07-06
CVE-2023-3395 | Ovarro TBox RTUs security vulnerability | TBox MS-CPU32 | 6.5 | Medium | 2023-07-03
CVE-2023-26204 | Fortinet FortiSIEM security vulnerability | FortiSIEM | 3.6 | Low | 2023-06-13
CVE-2023-2633 | API keys stored and displayed in plain text by Code Dx Plugin | Jenkins Code Dx Plugin | 4.3 | Medium | 2023-05-16
CVE-2023-2632 | API keys stored and displayed in plain text by Code Dx Plugin | Jenkins Code Dx Plugin | 4.3 | Medium | 2023-05-16
CVE-2022-4308 | Clear-text passwords in configuration files | GateManager | 6.1 | Medium | 2023-04-19
CVE-2023-0457 | Information Disclosure Vulnerability in MELSEC Series | MELSEC iQ-F Series FX5U-32MT/ES | 7.5 | High | 2023-03-03
CVE-2023-22389 | Snap One Wattbox security vulnerability | Wattbox WB-300-IP-3 | 5.7 | Medium | 2023-01-30
CVE-2022-22458 | IBM Security Verify Governance, Identity Manager information disclosure | Security Verify Governance, Identity Manager | 6.3 | Medium | 2022-12-22
CVE-2022-41732 | IBM Maximo information disclosure | Maximo Mobile | 6.2 | Medium | 2022-11-28

Vulnerabilities classified as CWE-256 (Plaintext Storage of a Password) represent 160 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.