
CWE-311 (Missing Encryption of Sensitive Data): vulnerability class, 257 CVEs

257 vulnerabilities are classified as CWE-311 (Missing Encryption of Sensitive Data). An AI-generated analysis in Chinese is included for each entry.

CWE-311 is a data protection weakness in which software stores or transmits sensitive information without encrypting it, so confidential data is readable in plaintext wherever it rests or travels. An attacker who can observe network traffic (a passive sniffer on a shared segment, or an active man-in-the-middle position) or who gains physical or logical access to the storage medium can read credentials, financial records or personal data directly, with no cryptanalysis required. Mitigation means encrypting sensitive data with vetted, current primitives: an authenticated mode such as AES-256-GCM for data at rest and TLS 1.2 or later, preferably TLS 1.3 with certificate verification left on, for data in transit. Encoding schemes such as Base64 or URL encoding are not encryption and give no protection. Code review and static analysis should trace sensitive values to the point where they reach a file, database, cookie or socket and confirm an encryption call sits in between, and key management must keep keys out of the data they protect: a key stored beside the ciphertext, hard-coded, or derived from an empty or constant token reduces the encryption to obfuscation. Confidentiality and integrity are separate goals; only authenticated encryption delivers both.
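The two controls the paragraph names, as an added example in Go rather than code from this page or from any of the products listed below: a credential sealed with AES-256-GCM for storage, a TLS client configuration pinned to TLS 1.3 for transit, and an audit function that flags the settings a CWE-311 review looks for (certificate verification disabled, minimum version unpinned or below TLS 1.2). The 32-byte key, the plaintext "db-password: hunter2" and the server name "example.test" are constructed for the demo; a real deployment takes the key from a KMS, HSM or OS keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte key for this example only. In production the
// key comes from a KMS/HSM or OS keystore and never sits next to the data.
func demoKey() []byte {
	k := make([]byte, 32)
	for i := range k {
		k[i] = byte(i)
	}
	return k
}

// sealSecret encrypts plaintext with AES-256-GCM. A fresh 12-byte random nonce
// is prepended to the output; GCM's tag gives tamper detection as well as
// confidentiality, which plain CBC or CTR would not.
func sealSecret(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openSecret reverses sealSecret and fails closed if the tag does not verify.
func openSecret(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// transitConfig is the client-side TLS configuration for sensitive traffic:
// TLS 1.3 only, certificate verification left on.
func transitConfig(serverName string) *tls.Config {
	return &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS13}
}

// weakTransitConfig is the anti-pattern the audit should catch: peer identity
// ignored and a floor that still admits TLS 1.0.
func weakTransitConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10}
}

// auditTLSConfig lists the ways a tls.Config would let sensitive data travel
// weakly protected. Policy: MinVersion must be pinned explicitly to >= TLS 1.2.
func auditTLSConfig(cfg *tls.Config) []string {
	if cfg == nil {
		return []string{"nil tls.Config: connection is plaintext"}
	}
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify set: peer not authenticated, MITM possible")
	}
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion not pinned: relies on library default")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x permits TLS 1.0/1.1", cfg.MinVersion))
	}
	return findings
}

func main() {
	key := demoKey()
	blob, err := sealSecret(key, []byte("db-password: hunter2"))
	if err != nil {
		panic(err)
	}
	pt, _ := openSecret(key, blob)
	fmt.Printf("sealed %d bytes, recovered %q\n", len(blob), pt)
	fmt.Println(auditTLSConfig(weakTransitConfig()))
	fmt.Println(auditTLSConfig(transitConfig("example.test")))
}
```

Flipping any byte of the sealed blob makes openSecret return an error instead of garbage, which is the property that distinguishes authenticated encryption from encoding or unauthenticated ciphers.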

MITRE CWE Description
The product does not encrypt sensitive or critical information before storage or transmission.
Common Consequences (2)
Confidentiality: Read Application Data
If the application does not use a secure channel, such as SSL, to exchange sensitive information, it is possible for an attacker with access to the network traffic to sniff packets from the connection and uncover the data. This attack is not technically difficult, but does require physical access to…
Confidentiality, Integrity: Modify Application Data
Omitting the use of encryption in any program which transfers data over a network of any kind should be considered on par with delivering the data sent to each user on the local networks of both the sender and receiver. Worse, this omission allows for the injection of data into a stream of communica…
Mitigations (5)
Requirements: Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.
Architecture and Design: Ensure that encryption is properly integrated into the system design, including but not necessarily limited to:
- Encryption that is needed to store or transmit private data of the users of the system
- Encryption that is needed to protect the system itself from unauthorized disclosure or tampering
Identify the separate needs and contexts for encryption: One-way (i.e., only the user or recipient needs…
Architecture and Design: When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. For example, US government systems require FIPS 1…
Architecture and Design: Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separatio…
Implementation, Architecture and Design: When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
Examples (2)
This code writes a user's login information to a cookie so the user does not have to log in again later. The credentials are stored as-is: anyone who can read the cookie, on the wire or on the client's disk, has the password.

    function persistLogin($username, $password) {
        $data = array("username" => $username, "password" => $password);
        // setcookie() takes a string, so the array is serialized; the password
        // still travels and is stored in plaintext, which is the weakness shown.
        setcookie("userdata", serialize($data));
    }

Bad · PHP
The following code attempts to establish a connection, read in a password, then store it to a buffer. The socket is a plain TCP connection, so the password crosses the network unencrypted.

    server.sin_family = AF_INET;
    hp = gethostbyname(argv[1]);
    if (hp == NULL)
        error("Unknown host");
    memcpy((char *)&server.sin_addr, (char *)hp->h_addr, hp->h_length);
    /* argv[2] is the optional port; the original indexed argv[3] here, which
       is out of range when argc == 3 */
    if (argc < 3)
        port = 80;
    else
        port = (unsigned short)atoi(argv[2]);
    server.sin_port = htons(port);
    /* plain TCP connect: no TLS, so everything written below is cleartext */
    if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0)
        error("Connecting");
    ...
    /* read() returns 0 at EOF and -1 on error; stop on both */
    while ((n = read(sock, buffer, BUFSIZE - 1)) > 0) {
        write(dfd, password_buffer, n);
        ...

Bad · C
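The cookie example fixed the way a practitioner would fix it, as an added example in Go that is not MITRE's code or this page's: the password is never put in the cookie at all. Instead the server issues a random 256-bit session ID, keeps the ID-to-user mapping on its own side, and sets the cookie with Secure (never sent over plain HTTP), HttpOnly (unreadable by script) and SameSite. persistLoginCookie reproduces the PHP pattern above for comparison, and auditCookie reports the problems a review would raise against each. The username "alice" and password "hunter2" are constructed inputs.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"sync"
)

// persistLoginCookie mirrors the PHP example: the credentials go into the cookie
// value, so anyone who reads the cookie has the password. URL encoding is not
// encryption.
func persistLoginCookie(username, password string) *http.Cookie {
	v := url.Values{"username": {username}, "password": {password}}
	return &http.Cookie{Name: "userdata", Value: v.Encode()}
}

// sessionStore maps random session IDs to usernames on the server side, so the
// cookie carries only an opaque reference and never a secret.
type sessionStore struct {
	mu sync.Mutex
	m  map[string]string
}

func newSessionStore() *sessionStore { return &sessionStore{m: map[string]string{}} }

// issue creates a 256-bit random session ID and the cookie that carries it.
// Secure keeps it off plaintext HTTP, HttpOnly keeps it away from scripts.
func (s *sessionStore) issue(username string) (*http.Cookie, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	id := base64.RawURLEncoding.EncodeToString(raw) // 43 characters
	s.mu.Lock()
	s.m[id] = username
	s.mu.Unlock()
	return &http.Cookie{
		Name:     "session",
		Value:    id,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
		MaxAge:   3600,
	}, nil
}

// lookup resolves a session cookie back to the user; empty string if unknown.
func (s *sessionStore) lookup(c *http.Cookie) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.m[c.Value]
}

// auditCookie lists the CWE-311-style problems with a cookie: known secrets
// embedded in the value, and missing flags that expose it to plaintext
// transport or to script.
func auditCookie(c *http.Cookie, secrets ...string) []string {
	var findings []string
	decoded, err := url.QueryUnescape(c.Value)
	if err != nil {
		decoded = c.Value
	}
	for _, s := range secrets {
		if s != "" && strings.Contains(decoded, s) {
			findings = append(findings, fmt.Sprintf("cookie %q carries a secret value in plaintext", c.Name))
			break
		}
	}
	if !c.Secure {
		findings = append(findings, fmt.Sprintf("cookie %q lacks Secure: sent over plain HTTP", c.Name))
	}
	if !c.HttpOnly {
		findings = append(findings, fmt.Sprintf("cookie %q lacks HttpOnly: readable by script", c.Name))
	}
	return findings
}

func main() {
	bad := persistLoginCookie("alice", "hunter2")
	fmt.Println(auditCookie(bad, "hunter2"))
	store := newSessionStore()
	good, err := store.issue("alice")
	if err != nil {
		panic(err)
	}
	fmt.Println(auditCookie(good, "hunter2"), store.lookup(good))
}
```

The same reasoning applies to the C example: the fix is not to encrypt the password before writing it to the socket by hand, but to replace the plain TCP connection with a TLS one so that everything written to it is protected, and to avoid persisting the password in a buffer or file at all when a session token or derived credential will do.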
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-33849 | IBM CICS TX information disclosure | TXSeries for Multiplatforms | 3.7 | Low | 2023-06-07
CVE-2023-28045 | Dell CloudIQ security vulnerability | CloudIQ Collector | 6.3 | Medium | 2023-05-19
CVE-2023-28841 | moby/moby's dockerd daemon encrypted overlay network traffic may be unencrypted | moby | 6.8 | Medium | 2023-04-04
CVE-2022-38458 | NETGEAR RBR750 security vulnerability | Orbi Router RBR750 | 6.5 | Medium | 2023-03-21
CVE-2022-3781 | Devolutions Remote Desktop Manager security vulnerability | Remote Desktop Manager | 6.5 | - | 2022-11-01
CVE-2022-41627 | AliveCor KardiaMobile security vulnerability | KardiaMobile | 4.8 | Medium | 2022-10-27
CVE-2022-39014 | SAP BusinessObjects Business Intelligence Platform security vulnerability | SAP BusinessObjects Business Intelligence Platform (CMC) | 7.5 | - | 2022-09-13
CVE-2022-26390 | Unencrypted internal storage of security credentials | Baxter Spectrum Wireless Battery Module (WBM) | 4.2 | Medium | 2022-09-09
CVE-2022-38194 | Portal for ArcGIS system properties are not properly encrypted (10.8.1 only) | Portal for ArcGIS | 6.7 | Medium | 2022-08-16
CVE-2020-35168 | Dell BSAFE security vulnerability | Dell BSAFE Crypto-C Micro Edition | 4.7 | Medium | 2022-07-11
CVE-2022-31085 | Missing Encryption of Sensitive Data in ldap-account-manager | lam | 5.3 | - | 2022-06-27
CVE-2022-30237 | Schneider Electric Wiser Smart security vulnerability | Wiser Smart | 8.2 | High | 2022-06-02
CVE-2021-27783 | HCL BigFix Mobile / Modern Client Management is vulnerable to sensitive information exposure | HCL BigFix Mobile / Modern Client Management | 6.8 | Medium | 2022-05-25
CVE-2021-27779 | A Security Misconfiguration vulnerability affects HCL VersionVault Express | HCL VersionVault Express | 9.1 | Critical | 2022-05-25
CVE-2021-21963 | Sealevel Systems SeaConnect 370w security vulnerability | Sealevel | 6.8 | - | 2022-02-04
CVE-2020-9058 | Silicon Labs Z-Wave Chipsets security vulnerability | LB60Z-1 | 8.1 | - | 2022-01-07
CVE-2020-9057 | Z-Wave security vulnerability | WADWAZ-1 | 8.8 | - | 2022-01-07
CVE-2021-40366 | Siemens Climatix POL909 security vulnerability | Climatix POL909 (AWB module) | 7.4 | - | 2021-11-09
CVE-2021-28496 | In Arista's EOS software affected releases, the shared secret profiles sensitive configuration might be leaked when displaying output over eAPI or other JSON outputs to authenticated users on the device. | Arista EOS | 5.7 | Medium | 2021-10-21
CVE-2021-31386 | Junos OS: When using J-Web with HTTP an attacker may retrieve encryption keys via Person-in-the-Middle attacks. | Junos OS | 5.3 | Medium | 2021-10-19
CVE-2021-41302 | ECOA BAS controller - Missing Encryption of Sensitive Data | ECS Router Controller ECS (FLASH) | 7.3 | High | 2021-09-30
CVE-2021-22932 | Citrix Systems Citrix ShareFile processing logic error vulnerability | Citrix ShareFile Storage Zones Controller | 8.2 | - | 2021-08-16
CVE-2021-32001 | K3s/RKE2 bootstrap data is encrypted with empty string if user does not supply a token | Rancher | 6.5 | Medium | 2021-07-28
CVE-2021-33900 | StartTLS and SASL confidentiality protection bypass | Apache Directory Studio | 7.5 | - | 2021-07-26
CVE-2021-22782 | Schneider Electric EcoStruxure Control Expert security vulnerability | EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Process Expert (all versions, including all versions of EcoStruxure Hybrid DCS), and SCADAPack RemoteConnect for x70, all versions | 5.5 | - | 2021-07-14
CVE-2018-19944 | Cleartext Transmission of Sensitive Information in SNMP | QTS | 7.5 | - | 2020-12-31
CVE-2020-28217 | Schneider Electric Easergy T300 access control error vulnerability | Easergy T300 (firmware 2.7 and older) | 7.5 | - | 2020-12-11
CVE-2020-28216 | Schneider Electric Easergy T300 security vulnerability | Easergy T300 (firmware 2.7 and older) | 7.5 | - | 2020-12-11
CVE-2020-7567 | Schneider Electric Modicon M221 security vulnerability | Modicon M221, all references, all versions | 5.7 | - | 2020-11-19
CVE-2020-10039 | Siemens SICAM MMU, SGU and T security vulnerability | SICAM MMU | 8.1 | - | 2020-07-14

Vulnerabilities classified as CWE-311 (Missing Encryption of Sensitive Data) total 257 CVEs. The CWE taxonomy describes the weakness class; the individual CVE entries describe the product-specific impact and should be reviewed for the affected versions and attack vector.