Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-256 (明文存储口令) — Vulnerability Class 160

160 vulnerabilities classified as CWE-256 (明文存储口令). AI Chinese analysis included.

CWE-256 represents a critical data exposure weakness where sensitive authentication credentials are stored in an unencrypted, readable format within system memory, configuration files, or databases. This vulnerability is typically exploited by attackers who gain unauthorized access to the underlying storage medium, allowing them to directly retrieve user passwords without needing to bypass complex cryptographic defenses. Once obtained, these plaintext credentials can be used for immediate account takeover, lateral movement within a network, or credential stuffing attacks against other services. To mitigate this risk, developers must never store raw passwords. Instead, they should implement robust hashing algorithms, such as bcrypt or Argon2, with unique salts for each user. Additionally, employing secure key management systems and ensuring strict access controls over storage resources further reduces the likelihood of accidental exposure or malicious extraction.

MITRE CWE Description
The product stores a password in plaintext within resources such as memory or files.
Common Consequences (1)
Access ControlGain Privileges or Assume Identity
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.
Mitigations (3)
Architecture and DesignAvoid storing passwords in easily accessible locations.
Architecture and DesignConsider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
Effectiveness: None
Examples (2)
The following code reads a password from a properties file and uses the password to connect to a database.
... Properties prop = new Properties(); prop.load(new FileInputStream("config.properties")); String password = prop.getProperty("password"); DriverManager.getConnection(url, usr, password); ...
Bad · Java
The following code reads a password from the registry and uses the password to create a new network credential.
... String password = regKey.GetValue(passKey).toString(); NetworkCredential netCred = new NetworkCredential(username,password,domain); ...
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2019-0072 SBR Carrier: A vulnerability in the identity and access management certificate generation procedure allows a local attacker to gain access to confidential information. — SBR Carrier 5.6 Medium2019-10-09
CVE-2019-10921 Siemens LOGO!8 BM 信任管理问题漏洞 — LOGO! 8 BM (incl. SIPLUS variants) 7.5 -2019-05-14
CVE-2019-0032 Junos Space Service Now and Service Insight: Organization username and password stored in plaintext in log files. — Service Insight 7.8 -2019-04-10
CVE-2017-6049 Detcon SiteWatch Gateway 授权问题漏洞 — Sitewatch Gateway 5.3 -2019-04-02
CVE-2019-6518 多款Moxa产品信息泄露漏洞 — Moxa IKS, EDS 7.5 -2019-03-05
CVE-2017-16714 Ice Qube Thermal Management Center 安全漏洞 — Thermal Management Center 9.8 -2018-09-06
CVE-2018-8851 多款Echelon产品安全漏洞 — SmartServer 1 9.8 -2018-07-24
CVE-2018-7510 BeaconMedaes TotalAlert Scroll Medical Air Systems Web应用程序安全漏洞 — BeaconMedaes TotalAlert Scroll Medical Air Systems web application 9.8 -2018-06-06
CVE-2018-7515 Omron CX-Supervisor 缓冲区错误漏洞 — BeaconMedæs TotalAlert Scroll Medical Air Systems web application 5.3 -2018-03-21
CVE-2017-7913 多款摩莎产品安全漏洞 — Moxa OnCell 9.8 -2017-05-29

Vulnerabilities classified as CWE-256 (明文存储口令) represent 160 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.