
CWE-256 (Plaintext Storage of a Password) — Vulnerability Class 160

160 vulnerabilities classified as CWE-256 (Plaintext Storage of a Password). AI Chinese analysis included.

CWE-256 is a data exposure weakness in which authentication credentials are stored unencrypted, in readable form, in system memory, configuration files, or databases. It is typically exploited by an attacker who has already gained read access to the underlying storage medium: the password can then be retrieved directly, with no cryptographic protection to defeat. Once obtained, the plaintext credentials support immediate account takeover, lateral movement within the network, or credential stuffing against other services where the same password was reused. The mitigation is never to store the raw password at all: for user authentication, store a salted hash produced by a slow, purpose-built password hashing algorithm such as bcrypt or Argon2, with a unique salt per user. Where a credential must be recoverable (a service account password, for example), keep it in a key management or secrets system rather than a readable file, and enforce strict access controls on whatever storage holds it, so that accidental exposure or deliberate extraction becomes unlikely.

MITRE CWE Description
The product stores a password in plaintext within resources such as memory or files.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.
Mitigations (3)
Architecture and Design: Avoid storing passwords in easily accessible locations.
Architecture and Design: Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
Effectiveness: None
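The two mitigations above contrast an encoding that only looks like protection with a real password hash. The following Python is an added example written for this page, not code from MITRE or from any product listed here. It shows that a base64-"obscured" password is recovered unchanged by anyone who can read it, and then implements the salted-hash alternative: a per-user random salt, a slow key derivation, a self-describing stored record, and constant-time verification. PBKDF2-HMAC-SHA256 is used only because it ships in Python's standard library; bcrypt or Argon2, named in the text above, are the better choice when a library for them is available. The iteration count, salt length and record format are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password for the demonstration; not a real credential.
SAMPLE_PASSWORD = "correct horse battery staple"


# --- The "obscuring" anti-pattern the mitigation text warns about ----------

def obscure_with_base64(password: str) -> str:
    """Base64 is an encoding, not encryption: there is no key and no secret."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_from_base64(stored: str) -> str:
    """Anyone who can read the stored value gets the password back unchanged."""
    return base64.b64decode(stored).decode("utf-8")


# --- Salted, slow password hashing: the verifier never holds the password --

# Assumed parameters for this example (iteration count, salt and key length).
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16   # bytes; a fresh random salt for every user
KEY_LEN = 32    # bytes of derived key kept in the record


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm $ iterations $ salt $ hash (hex)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=KEY_LEN)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), key.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and parameters, compare in constant time."""
    try:
        algo, iterations, salt_hex, key_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              rounds, dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    obscured = obscure_with_base64(SAMPLE_PASSWORD)
    print("base64 'protection' reverses to:", recover_from_base64(obscured))
    record = hash_password(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("correct password verifies:", verify_password(SAMPLE_PASSWORD, record))
    print("wrong password verifies:", verify_password("guess", record))
```

Because the salt is random, hashing the same password twice yields two different records, which is what defeats precomputed tables; the record carries its own parameters so the iteration count can be raised later without invalidating old entries.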
Examples (2)
The following code reads a password from a properties file and uses the password to connect to a database.
    ...
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    // The password sits in config.properties in the clear; anyone who can read the file has it.
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...
Bad · Java
The following code reads a password from the registry and uses the password to create a new network credential.
    ...
    // The registry value holds the password in the clear; any account that can read the key has it.
    String password = regKey.GetValue(passKey).toString();
    NetworkCredential netCred = new NetworkCredential(username, password, domain);
    ...
Bad · C#
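Both examples above fail in the same way: a credential is read verbatim from a store that other principals can read. A defender's first step is finding such values before an attacker does. The following Python is an added example written for this page, not code from MITRE or any listed vendor: a small scanner for `.properties`-style key/value files that reports secret-looking keys whose values are stored readably, distinguishes a base64-encoded value (still a plaintext secret, as the mitigation text notes) from a true plaintext one, skips `${ENV}` references, placeholders and recognised password-hash formats, and checks whether the file itself is world-readable. The key patterns, hash prefixes and the sample file content are constructed assumptions for this example.

```python
import base64
import os
import re
import stat
from typing import List, Tuple

# Keys whose values are expected to be secrets (case-insensitive suffix match); assumed list.
SECRET_KEY = re.compile(r"(password|passwd|pwd|secret|api[._-]?key)$", re.IGNORECASE)
# Values that reference a secret rather than contain one: ${ENV_VAR} or <fill-in-at-deploy>.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$|^<[^>]+>$")
# Prefixes of password *hash* formats, which are acceptable to store; assumed list.
HASHED_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$pbkdf2", "$scrypt", "pbkdf2_sha256$")
KEY_VALUE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*)$")

# Constructed sample config.properties for this example; not from any real system.
SAMPLE_PROPERTIES = """\
# constructed sample config.properties (not from any real system)
db.url=jdbc:mysql://db.internal:3306/app
db.user=app
db.password=hunter2
legacy.password=aHVudGVyMg==
api.key=${API_KEY}
smtp.password=
ldap.secret=<set-in-deployment>
user.password=$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g
"""


def looks_base64(value: str) -> bool:
    """True if value decodes as base64 to printable ASCII: an encoded, not protected, secret."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return all(32 <= b < 127 for b in decoded)


def find_plaintext_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, kind) for every readably stored secret.

    kind is 'plaintext' or 'base64'. Empty values, ${ENV} references,
    <placeholders> and recognised hash formats are not reported.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith(("#", "!")):    # .properties comment lines
            continue
        m = KEY_VALUE.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if not SECRET_KEY.search(key) or not value or PLACEHOLDER.match(value):
            continue
        if value.startswith(HASHED_PREFIXES):
            continue                                # a hash, not the password itself
        kind = "base64" if looks_base64(value) else "plaintext"
        findings.append((lineno, key, kind))
    return findings


def world_readable(path: str) -> bool:
    """POSIX permission check: can 'other' read the file holding the credentials?"""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    for lineno, key, kind in find_plaintext_secrets(SAMPLE_PROPERTIES):
        print(f"line {lineno}: {key} is stored as {kind}")
```

Run against a real deployment the scanner is a triage aid, not proof of safety: a hashed value is only adequate for credentials that are verified rather than replayed, and a database or registry password that must be presented to another system still belongs in a secrets manager with the file permissions tightened in the meantime.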
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2022-43958 | Siemens Quality Management System security vulnerability | QMS Automotive | 7.6 | High | 2022-11-08
CVE-2022-3644 | pulp_ansible security vulnerability | pulp_ansible | 7.1 | - | 2022-10-25
CVE-2022-3287 | fwupd security vulnerability | fwupd | 6.5 | - | 2022-09-28
CVE-2022-36308 | Airspan AirVelocity 1500 security vulnerability | AirVelocity | 9.1 | - | 2022-08-16
CVE-2022-33928 | Dell Wyse Management Suite security vulnerability | Wyse Management Suite | 6.4 | Medium | 2022-08-10
CVE-2022-1794 | Plaintext Storage of a password in CODESYS V3 OPC DA Server | CODESYS OPC DA Server | 5.5 | Medium | 2022-07-11
CVE-2022-27548 | HCL Launch is vulnerable to information disclosure which can be read by a local user. | HCL Launch | 4.9 | Medium | 2022-07-06
CVE-2022-31044 | Plaintext Storage of Keys and Passwords in Rundeck and PagerDuty Process Automation | rundeck | 7.5 | High | 2022-06-15
CVE-2022-29085 | Multiple Dell products security vulnerability | Unity | 6.4 | Medium | 2022-06-02
CVE-2022-22557 | Dell EMC PowerStore authorization issue vulnerability | PowerStore | 7.5 | High | 2022-06-02
CVE-2021-32978 | Automation Direct CLICK PLC CPU Modules Plaintext Storage of a Password | CLICK PLC CPU Modules: C0-1x CPUs | 7.5 | High | 2022-04-04
CVE-2020-25184 | Rockwell Automation ISaGRAF5 Runtime Unprotected Storage of Credentials | ISaGRAF Runtime | 7.8 | High | 2022-03-18
CVE-2021-43590 | Dell EMC Enterprise Storage Analytics for vRealize Operations security vulnerability | Dell EMC Enterprise Storage Analytics for vRealize Operations | 6.0 | Medium | 2022-03-04
CVE-2022-22554 | Dell EMC System Update security vulnerability | DellEMC System Update - DSU | 8.2 | High | 2022-01-24
CVE-2021-23207 | Fresenius Kabi Agilia Connect Infusion System plaintext storage of a password | Vigilant Software Suite (Mastermed Dashboard) | 6.5 | Medium | 2022-01-21
CVE-2021-36317 | Dell EMC Avamar Server security vulnerability | Avamar | 6.7 | Medium | 2021-12-21
CVE-2021-3787 | Binatone Hubble security vulnerability | Binatone Hubble Cameras | 6.4 | Medium | 2021-11-12
CVE-2021-36309 | Dell Enterprise SONiC OS information disclosure vulnerability | Enterprise SONiC OS | 7.1 | High | 2021-10-01
CVE-2021-1589 | Cisco SD-WAN vManage Software Disaster Recovery Feature Password Exposure Vulnerability | Cisco SD-WAN vManage | 6.5 | Medium | 2021-09-23
CVE-2020-5315 | Dell EMC Repository Manager security vulnerability | Dell EMC Repository Manager (DRM) | 8.8 | High | 2021-07-19
CVE-2021-25358 | Samsung SMR security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2021-04-09
CVE-2021-1126 | Cisco Firepower Management Center Information Disclosure Vulnerability | Cisco Firepower Management Center | 5.5 | - | 2021-01-13
CVE-2020-26079 | Cisco IoT Field Network Director Unprotected Storage of Credentials Vulnerability | Cisco IoT Field Network Director (IoT-FND) | 4.9 | - | 2020-11-18
CVE-2020-8183 | Nextcloud security vulnerability | Nextcloud Server | 6.5 | - | 2020-10-30
CVE-2020-1669 | Junos OS: NFX350: Password hashes stored in world-readable format | Junos OS | 6.3 | Medium | 2020-10-16
CVE-2020-3483 | Duo Network Gateway (DNG) Information Disclosure Vulnerability | Duo Network Gateway (DNG) | 7.1 | High | 2020-10-14
CVE-2020-10609 | Grundfos CIM 500 security vulnerability | CIM 500 | 9.8 | - | 2020-07-27
CVE-2020-5374 | Dell EMC OpenManage Integration for Microsoft System Center security vulnerability | OMIMSSC (OpenManage Integration for Microsoft System Center) | 8.8 | High | 2020-07-14
CVE-2019-19105 | ABB/Busch-Jaeger Telephone Gateway TG/S 3.2 Plaintext storing of credentials | TG/S 3.2 Telephone Gateway | 6.2 | Medium | 2020-04-22
CVE-2020-6961 | Multiple GE products security vulnerability | GE CARESCAPE Telemetry Server, ApexPro Telemetry Server, CARESCAPE Central Station, Clinical Information Center, CARESCAPE B450, B650, B850 Monitors | 8.6 | - | 2020-01-24

Vulnerabilities classified as CWE-256 (Plaintext Storage of a Password) number 160 CVEs in total. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.