
CWE-312 (Cleartext Storage of Sensitive Information) — Vulnerability Class, 243 CVEs

243 vulnerabilities are classified as CWE-312 (Cleartext Storage of Sensitive Information). AI-generated Chinese analysis is included for each entry.

CWE-312 is a data-protection weakness: sensitive information is written in cleartext to a resource that another control sphere can read. Typical sinks are configuration files, log files, local databases, browser cookies and backups, and the CVE list below shows how often the sink is a log line or a debug dump rather than a deliberately designed store. An attacker who obtains the file, the database or the cookie jar (through a path traversal, a leaked backup, a shared host, a support bundle or physical access) reads the credentials, personally identifiable information or financial data directly; no cryptanalysis is needed because nothing was encrypted. The mitigation is to store sensitive data only under authenticated encryption (for example AES-256-GCM) with the key held outside the resource, in a key-management system or a hardware-backed store; encryption with the key sitting beside the data gives no protection. Passwords used to authenticate users are a special case: they should not be encrypted at all but stored as a salted, slow password hash, and they must never be written to logs. Keeping the storage resource isolated from other control spheres (restrictive file permissions, tenant separation, no secrets in client-side state) closes the remaining access paths.
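The encrypted-at-rest pattern described above, as an added example that is not part of this page or of any product in the CVE list. It assumes the key is supplied from outside the stored resource (in a real deployment a KMS, HSM or deploy-time environment variable; here a random key generated in main for the demonstration). SealSecret and OpenSecret are names chosen for this example; the stored layout is nonce || AES-256-GCM ciphertext, and ContainsCleartext is the reviewer's check that the secret no longer appears verbatim in what is written to disk.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32 // AES-256 key size in bytes

// SealSecret encrypts plaintext with AES-256-GCM under key. A fresh random
// 12-byte nonce is prepended so OpenSecret can recover it. aad binds the blob
// to a context (e.g. the config field name) so a ciphertext copied from one
// field cannot be substituted into another without detection.
func SealSecret(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce: output = nonce || ct || tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenSecret reverses SealSecret. Tampering with nonce, ciphertext, tag or aad,
// or using the wrong key, makes gcm.Open fail; no partial plaintext is returned.
func OpenSecret(key, blob, aad []byte) ([]byte, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ContainsCleartext is the check a reviewer runs against the bytes that will
// land on disk: does the resource still contain the secret verbatim?
func ContainsCleartext(stored, secret []byte) bool {
	return bytes.Contains(stored, secret)
}

func main() {
	secret := []byte("db-password-hunter2") // constructed sample secret

	// CWE-312 pattern: the secret is written as-is into a config file.
	weak := []byte("db_password=" + string(secret) + "\n")
	fmt.Println("weak file leaks secret:", ContainsCleartext(weak, secret))

	// Hardened pattern: key lives outside the file (random here for the demo).
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := SealSecret(key, secret, []byte("db_password"))
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed file leaks secret:", ContainsCleartext(blob, secret))
	back, err := OpenSecret(key, blob, []byte("db_password"))
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(back, secret))
}
```

The aad argument is what separates "encrypted" from "protected": without it, an attacker with write access to the store can move a sealed value between fields, and without the key separation the whole exercise reduces to obfuscation, which is exactly what the MITRE consequence text below warns about.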

MITRE CWE Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Common Consequences (1)
Scope: Confidentiality. Technical impact: Read Application Data.
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Mitigations (2)
Phases: Implementation, System Configuration, Operation. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Phases: Implementation, System Configuration, Operation. In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Examples (2)
The following code excerpt stores a plaintext user account ID in a browser cookie.

    response.addCookie(new Cookie("userAccountID", acctID));

Bad · Java

This code writes a user's login information to a cookie so the user does not have to log in again later.

    function persistLogin($username, $password) {
        // Username and password are placed in the cookie itself (CWE-312);
        // setcookie() takes a string, so the array is serialised first.
        $data = array("username" => $username, "password" => $password);
        setcookie("userdata", http_build_query($data));
    }

Bad · PHP
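The two cookie examples above share one defect: the cookie is the data rather than a reference to it. The following is an added example, not code from this page or from MITRE, showing the weak pattern beside its replacement in Go. PersistLoginWeak reproduces the PHP example; IssueSession is the hardened form, where the cookie carries only a random 256-bit identifier and the user's state stays on the server. The in-memory SessionStore, the function names and the sample credentials are all constructed for this example; verifying the password against a stored hash happens before IssueSession is called and is outside what is shown here.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// PersistLoginWeak is the CWE-312 pattern from the PHP example: the cookie
// carries the username and password, so anyone who can read the browser's
// cookie jar, a proxy log or a request capture has both. Base64 is encoding,
// not protection, exactly as the MITRE consequence text notes.
func PersistLoginWeak(username, password string) *http.Cookie {
	return &http.Cookie{
		Name:  "userdata",
		Value: base64.RawURLEncoding.EncodeToString([]byte(username + ":" + password)),
		Path:  "/",
	}
}

type session struct {
	username string
	expires  time.Time
}

// SessionStore maps opaque session IDs to users. In-memory here for the
// example; a deployment would back it with a database or cache.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]session
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: map[string]session{}}
}

// IssueSession is the hardened replacement: the cookie value is an
// unguessable random identifier with no recoverable content of its own.
func (s *SessionStore) IssueSession(username string, ttl time.Duration) (*http.Cookie, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	id := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	s.sessions[id] = session{username: username, expires: time.Now().Add(ttl)}
	s.mu.Unlock()
	return &http.Cookie{
		Name:     "session",
		Value:    id,
		Path:     "/",
		HttpOnly: true, // not readable from page scripts
		Secure:   true, // never sent over cleartext HTTP
		SameSite: http.SameSiteLaxMode,
		MaxAge:   int(ttl.Seconds()),
	}, nil
}

// Resolve maps a presented cookie back to a username, failing closed on
// unknown or expired identifiers.
func (s *SessionStore) Resolve(c *http.Cookie) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[c.Value]
	if !ok {
		return "", errors.New("unknown session")
	}
	if time.Now().After(sess.expires) {
		delete(s.sessions, c.Value)
		return "", errors.New("session expired")
	}
	return sess.username, nil
}

// CookieLeaks is the reviewer's check: does the cookie, raw or base64-decoded,
// contain any of the given secrets verbatim?
func CookieLeaks(c *http.Cookie, secrets ...string) bool {
	candidates := []string{c.Value}
	if decoded, err := base64.RawURLEncoding.DecodeString(c.Value); err == nil {
		candidates = append(candidates, string(decoded))
	}
	for _, v := range candidates {
		for _, sec := range secrets {
			if strings.Contains(v, sec) {
				return true
			}
		}
	}
	return false
}

func main() {
	weak := PersistLoginWeak("alice", "hunter2") // constructed sample credentials
	fmt.Println("weak cookie leaks password:", CookieLeaks(weak, "hunter2"))

	store := NewSessionStore()
	c, err := store.IssueSession("alice", time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("session cookie leaks credentials:", CookieLeaks(c, "alice", "hunter2"))
	user, _ := store.Resolve(c)
	fmt.Println("resolved user:", user)
}
```

The same reasoning applies to the Java example: if an account ID must travel in a cookie, it should be an opaque session reference resolved server-side, not the identifier itself.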
CVE ID | Title | Product | CVSS | Severity | Published
(Values marked (AI) carry the site's AI flag; "-" means no severity is given.)
CVE-2024-39674 | Huawei EMUI and Huawei HarmonyOS security vulnerability | HarmonyOS | 6.2 | Medium | 2024-07-25
CVE-2024-25023 | IBM QRadar Suite Software information disclosure | QRadar Suite Software | 5.5 | Medium | 2024-07-09
CVE-2024-29954 | password management API prints sensitive information in log files | Fabric OS | 5.9 | Medium | 2024-06-25
CVE-2024-36497 | Unhashed Storage of Password | WINSelect (Standard + Enterprise) | 7.7 (AI) | High (AI) | 2024-06-24
CVE-2023-49113 | Sensitive Data Stored Insecurely in Kiuwan SAST Local Analyzer | SAST Local Analyzer | 7.5 | - | 2024-06-20
CVE-2024-28024 | Hitachi FOXMAN-UN security vulnerability | FOXMAN-UN | 4.1 | Medium | 2024-06-11
CVE-2024-4540 | Keycloak: exposure of sensitive information in pushed authorization requests (par) kc_restart cookie | - | 7.5 | High | 2024-06-03
CVE-2024-36119 | Password confirmation stored in plain text via registration form in statamic/cms | cms | 1.8 | Low | 2024-05-30
CVE-2024-31486 | Siemens OPUPI0 security vulnerability | OPUPI0 AMQP/MQTT | 5.3 | Medium | 2024-05-14
CVE-2024-4840 | Rhosp-director: cleartext passwords exposed in logs | - | 5.5 | Medium | 2024-05-13
CVE-2023-27370 | NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability | RAX30 | 5.7 | - | 2024-05-03
CVE-2024-4235 | Netgear DG834Gv5 Web Management Interface cleartext storage | DG834Gv5 | 2.7 | Low | 2024-04-26
CVE-2024-3742 | Electrolink FM/DAB/TV Transmitter Cleartext Storage of Sensitive Information | Compact DAB Transmitter | 7.5 | High | 2024-04-18
CVE-2024-32474 | Sentry's superuser cleartext password leaked in logs | sentry | 7.3 | High | 2024-04-18
CVE-2024-29956 | cleartext password in supportsave logs when a user schedules a switch Supportsave from Brocade SANnav | Brocade SANnav | 6.5 | Medium | 2024-04-18
CVE-2024-29952 | Clear text storage of sensitive information by manipulating command variables | Brocade SANnav | 5.5 | Medium | 2024-04-17
CVE-2023-50957 | IBM Storage Defender - Resiliency Service privilege escalation | Storage Defender - Resiliency Service | 8.0 | High | 2024-02-10
CVE-2023-6874 | Zigbee Unauthenticated DoS via NWK Sequence number manipulation | GSDK | 7.5 | High | 2024-02-05
CVE-2023-5384 | Infinispan: credentials returned from configuration as clear text | Red Hat Data Grid 8.4.6 | 7.2 | High | 2023-12-18
CVE-2023-48707 | Cleartext Storage of Sensitive Information in codeigniter4/shield | shield | 5.0 | Medium | 2023-11-24
CVE-2023-48305 | Nextcloud Server user_ldap app logs user passwords in the log file on level debug | security-advisories | 4.2 | Medium | 2023-11-21
CVE-2023-41096 | Keys Stored in Plaintext on Secure Vault High for Silabs Ember ZNet devices | Ember ZNet SDK | 6.8 | Medium | 2023-10-26
CVE-2023-41095 | Keys Stored in Plaintext on Secure Vault High for Silabs OpenThread devices | OpenThread SDK | 6.8 | Medium | 2023-10-26
CVE-2023-45151 | OAuth2 client_secret stored in plain text in the Nextcloud database | security-advisories | 6.5 | Medium | 2023-10-16
CVE-2023-41964 | BIG-IP and BIG-IQ Database Variable vulnerability | BIG-IP | 4.3 | Medium | 2023-10-10
CVE-2023-2809 | Use of Cleartext credentials in Sage 200 Spain | Sage 200 Spain | 7.8 | High | 2023-10-04
CVE-2023-44159 | Acronis Cyber Protect security vulnerability | Acronis Cyber Protect 15 | 7.5 | - | 2023-09-27
CVE-2023-41335 | Temporary storage of plaintext passwords during password changes in matrix synapse | synapse | 3.7 | Low | 2023-09-26
CVE-2023-40715 | FortiTester security vulnerability | FortiTester | 5.2 | Medium | 2023-09-13
CVE-2023-3950 | Cleartext Storage of Sensitive Information in GitLab | GitLab | 5.5 | Medium | 2023-09-01

Vulnerabilities classified as CWE-312 (Cleartext Storage of Sensitive Information) account for 243 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.