
CWE-312 (Cleartext Storage of Sensitive Information) — Vulnerability Class (243 CVEs)

243 vulnerabilities classified as CWE-312 (Cleartext Storage of Sensitive Information). AI-generated Chinese analysis included.

CWE-312 is a data protection weakness in which sensitive information is stored unencrypted, in a readable form, within a resource that other parties may be able to reach. It typically arises when developers apply no cryptographic protection to data at rest, such as configuration files, logs, cookies, or local databases. An attacker who gains access to the storage medium (a stolen disk, a leaked backup, a readable log directory, a world-readable config file) can then extract credentials, personally identifiable information, or financial data directly, without having to defeat any encryption. To mitigate the risk, encrypt sensitive data at rest with an established standard such as AES-256 (using an authenticated mode), keep the keys in a dedicated key management system rather than next to the data, and isolate the storage resource from other control spheres so that only the intended component can read it. Together these controls preserve the confidentiality and integrity of the data throughout its lifecycle.

MITRE CWE Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Common Consequences (1)
Confidentiality: Read Application Data
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Mitigations (2)
Implementation, System Configuration, Operation: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Implementation, System Configuration, Operation: In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Examples (2)

The following code excerpt stores a plaintext user account ID in a browser cookie.

    // The account ID is written to the cookie as-is; anyone who can read the cookie can read it.
    response.addCookie(new Cookie("userAccountID", acctID));

Bad · Java

This code writes a user's login information to a cookie so the user does not have to log in again later.

    function persistLogin($username, $password) {
        $data = array("username" => $username, "password" => $password);
        // setcookie() takes a string, so the array is serialized; the username and
        // password still land in the client-side cookie in cleartext.
        setcookie("userdata", http_build_query($data));
    }

Bad · PHP
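To make the contrast concrete, here is an added Python example (not from the page or from MITRE) that places the cleartext cookie pattern of the PHP snippet beside a hardened design: the password is kept only as a salted PBKDF2 hash, and the cookie carries nothing but a random, opaque session token that is resolved server-side. The iteration count and cookie attribute string are assumptions for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Cleartext variant, mirroring the page's PHP persistLogin(): the cookie value
# itself carries the username and password, so whoever can read the browser's
# cookie store, a proxy log, or a backup of it gets the credentials (CWE-312).
def persist_login_cleartext(username: str, password: str) -> Dict[str, str]:
    return {"userdata": f"username={username}&password={password}"}

# Hardened variant: the password is stored only as a salted PBKDF2-HMAC hash.
_ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

class SessionStore:
    """Server-side map of opaque token -> username; only the token is sent to the client."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def persist_login(self, username: str) -> Dict[str, str]:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        # Attributes keep the token off plaintext channels and out of page scripts.
        return {"session": token, "attributes": "HttpOnly; Secure; SameSite=Lax"}

    def resolve(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

def cookie_contains_secret(cookie: Dict[str, str], secret: str) -> bool:
    """Review check: does any cookie value carry the secret in cleartext?"""
    return any(secret in value for value in cookie.values())
```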
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-31423 | Possible information exposure through log file vulnerability | SANnav | 5.7 | Medium | 2023-08-31
CVE-2023-31925 | Storage of clear text password in Brocade SANnav | Brocade SANnav | 5.4 | Medium | 2023-08-31
CVE-2023-3489 | firmwaredownload command could log servers passwords in clear text | Fabric OS | 8.6 | High | 2023-08-30
CVE-2023-4392 | Control iD Gerencia Web Cookie cleartext storage | Gerencia Web | 3.7 | Low | 2023-08-17
CVE-2023-39210 | Zoom Client security vulnerability | Zoom Client SDK for Windows | 5.5 | Medium | 2023-08-08
CVE-2023-39440 | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform | SAP BusinessObjects Business Intelligence | 4.4 | Medium | 2023-08-08
CVE-2023-32447 | Dell Wyse ThinOS log information disclosure vulnerability | Wyse Proprietary OS (Modern ThinOS) | 5.5 | Medium | 2023-07-20
CVE-2023-32446 | Dell Wyse ThinOS log information disclosure vulnerability | Wyse Proprietary OS (Modern ThinOS) | 5.5 | Medium | 2023-07-20
CVE-2023-32455 | Dell Wyse ThinOS log information disclosure vulnerability | Wyse Proprietary OS (Modern ThinOS) | 5.5 | Medium | 2023-07-20
CVE-2023-32483 | Dell Wyse Management Suite security vulnerability | Wyse Management Suite | 4.4 | Medium | 2023-07-20
CVE-2023-37468 | Storing unencrypted LDAP passwords in feedbacksystem | feedbacksystem | 6.0 | Medium | 2023-07-13
CVE-2022-22302 | Fortinet FortiOS and FortiAuthenticator security vulnerability | FortiAuthenticator | 5.3 | Medium | 2023-07-11
CVE-2023-22584 | Cleartext credentials in Danfoss AK-EM100 | AK-EM100 | 7.5 | High | 2023-06-11
CVE-2023-32448 | Dell PowerPath Management Appliance security vulnerability | PowerPath Windows | 5.5 | Medium | 2023-05-30
CVE-2023-31408 | SICK FTMg security vulnerability | SICK FTMG-ESD15AXX AIR FLOW SENSOR | 5.3 | Medium | 2023-05-15
CVE-2023-24964 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 6.2 | Medium | 2023-02-17
CVE-2022-45154 | supportconfig does not remove passwords in /etc/iscsi/iscsid.conf and /etc/target/lio_setup.sh | SUSE Linux Enterprise Server 12 | 4.4 | Medium | 2023-02-15
CVE-2023-0690 | Boundary Workers Store Rotated Credentials in Plaintext Even When a Key Management Service Configured | Boundary | 5.0 | Medium | 2023-02-08
CVE-2022-43757 | Rancher: Exposure of sensitive fields | Rancher | 9.9 | Critical | 2023-02-07
CVE-2023-23944 | Nextcloud Mail app temporarily stores cleartext password in database | security-advisories | 2.0 | Low | 2023-02-06
CVE-2022-38112 | Sensitive Information Disclosure Vulnerability | Database Performance Analyzer (DPA) | 7.5 | High | 2023-01-20
CVE-2022-45439 | Zyxel AX7501-B0 security vulnerability | AX7501-B0 firmware | 6.5 | Medium | 2023-01-17
CVE-2022-42284 | NVIDIA BMC security vulnerability | NVIDIA DGX servers | 6.2 | Medium | 2023-01-13
CVE-2022-45787 | Apache James MIME4J: Temporary File Information Disclosure in MIME4J TempFileStorageProvider | Apache James MIME4J | 5.5 | - | 2023-01-06
CVE-2022-47512 | Sensitive Data Disclosure Vulnerability | Hybrid Cloud Observability (HCO) / SolarWinds Platform | 5.5 | Medium | 2022-12-21
CVE-2022-4312 | ARC Informatique PcVue security vulnerability | PcVue | 5.5 | Medium | 2022-12-12
CVE-2022-29826 | Mitsubishi Electric GX Works3 security vulnerability | GX Works3 | 6.8 | Medium | 2022-11-24
CVE-2022-25164 | Mitsubishi Electric GX Works3 security vulnerability | GX Works3 | 8.6 | High | 2022-11-24
CVE-2022-41933 | Plaintext storage of password in org.xwiki.platform:xwiki-platform-security-authentication-default | xwiki-platform | 6.2 | Medium | 2022-11-23
CVE-2022-2513 | Cleartext Credentials Vulnerability on Hitachi Energy's Multiple IED Connectivity Packages (IED ConnPacks) and PCM600 Products | PCM600 | 7.1 | High | 2022-11-22

Vulnerabilities classified as CWE-312 (Cleartext Storage of Sensitive Information) account for 243 CVEs. The CWE entry describes the weakness class only; review the individual CVEs for product-specific impact.