Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-312 (敏感数据的明文存储) — Vulnerability Class 243

243 vulnerabilities classified as CWE-312 (敏感数据的明文存储). AI Chinese analysis included.

CWE-312 represents a critical data protection weakness where sensitive information is stored in an unencrypted, readable format within a resource accessible to unauthorized entities. This flaw typically arises when developers fail to apply adequate cryptographic safeguards to data at rest, such as configuration files, logs, or local databases. Attackers exploit this vulnerability by gaining direct access to the storage medium, allowing them to easily extract credentials, personal identifiable information, or financial data without needing to bypass complex encryption algorithms. To mitigate this risk, developers must implement robust encryption standards, such as AES-256, for all sensitive data stored locally. Additionally, utilizing secure key management systems and ensuring that storage resources are strictly isolated from other control spheres helps prevent unauthorized access, thereby maintaining data confidentiality and integrity throughout its lifecycle.

MITRE CWE Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Common Consequences (1)
ConfidentialityRead Application Data
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Mitigations (2)
Implementation, System Configuration, OperationWhen storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Implementation, System Configuration, OperationIn some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Examples (2)
The following code excerpt stores a plaintext user account ID in a browser cookie.
response.addCookie( new Cookie("userAccountID", acctID);
Bad · Java
This code writes a user's login information to a cookie so the user does not have to login again later.
function persistLogin($username, $password){ $data = array("username" => $username, "password"=> $password); setcookie ("userdata", $data); }
Bad · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2022-39364 Exception logging in Sharepoint app reveals clear-text connection details — security-advisories 4.0 Medium2022-10-27
CVE-2022-39351 Dependency-Track vulnerable to logging of API keys in clear text when handling API requests using keys with insufficient permissions — dependency-track 4.4 Medium2022-10-25
CVE-2022-2805 ovirt-engine 信息泄露漏洞 — ovirt-engine 5.5 -2022-10-19
CVE-2022-32217 Rocket.Chat 日志信息泄露漏洞 — Rocket.chat 5.3 -2022-09-23
CVE-2021-36782 Rancher: Plaintext storage and exposure of credentials in Rancher API and cluster.management.cattle.io object — Rancher 9.9 Critical2022-09-07
CVE-2022-2569 ARC Informatique PcVue — PcVue 12 OAuth web service configuration 5.5 Medium2022-08-24
CVE-2022-2813 SourceCodester Guest Management System cleartext storage — Guest Management System 4.3 Medium2022-08-14
CVE-2017-20040 SICUNET Access Controller Password Storage cleartext storage — Access Controller 5.9 Medium2022-06-11
CVE-2022-28214 SAP Business Objects 安全漏洞 — SAP BusinessObjects Enterprise (Central Management Server) 7.8 -2022-05-11
CVE-2021-35036 Zyxel NWA-1100-NH 命令注入漏洞 — VMG3625-T50B firmware 6.5 Medium2022-03-01
CVE-2020-14480 Rockwell Automation FactoryTalk View SE 安全漏洞 — FactoryTalk View SE 7.1 -2022-02-24
CVE-2021-3551 PKI-server 安全漏洞 — pki-server 7.8 -2022-02-16
CVE-2022-21818 Nvidia License System 安全漏洞 — NVIDIA License System 5.4 Medium2022-02-14
CVE-2022-20660 Cisco IP Phones Information Disclosure Vulnerability — Cisco Session Initiation Protocol (SIP) Software 4.6 Medium2022-01-14
CVE-2021-35035 Zyxel NBG6604 信息泄露漏洞 — NBG6604 series firmware 4.9 Medium2021-12-29
CVE-2021-42066 SAP Business One 安全漏洞 — SAP Business One 4.4 -2021-12-14
CVE-2020-10053 SIMATIC RTLS 安全漏洞 — SIMATIC RTLS Locating Manager 5.5 -2021-11-09
CVE-2021-38422 Delta Electronics DIALink — DIALink 7.8 High2021-11-03
CVE-2021-33716 Siemens SIMATIC CP 1543-1和SIMATIC CP 1545-1 安全漏洞 — SIMATIC CP 1543-1 (incl. SIPLUS variants) 6.5 -2021-09-14
CVE-2021-22929 Brave 日志信息泄露漏洞 — https://github.com/brave/brave-core 2.8 -2021-08-31
CVE-2021-29481 Client side sessions should not allow unencrypted storage — ratpack 6.5 Medium2021-06-29
CVE-2021-27487 ZOLL Defibrillator Dashboard 安全漏洞 — ZOLL Defibrillator Dashboard 5.5 -2021-06-16
CVE-2018-16498 Versa Networks Versa Director 安全漏洞 — Versa Director 8.1 -2021-05-26
CVE-2021-20995 WAGO: Managed Switches: Storage of user credentials in a cookie — 0852-0303 5.3 Medium2021-05-13
CVE-2021-21339 Cleartext storage of session identifier — TYPO3.CMS 5.9 Medium2021-03-23
CVE-2021-23878 Clear text storage of sensitive Information in ENS — Endpoint Security (ENS) for Windows 7.3 High2021-02-10
CVE-2021-1265 Cisco DNA Center Information Disclosure Vulnerability — Cisco Digital Network Architecture Center (DNA Center) 6.5 -2021-01-20
CVE-2020-25678 部分Red Hat产品 安全漏洞 — ceph 5.5 -2021-01-08
CVE-2020-29502 Dell EMC PowerStore 访问控制错误漏洞 — PowerStore 7.5 High2021-01-05
CVE-2020-29501 Dell EMC PowerStore 安全漏洞 — PowerStore 6.4 Medium2021-01-05

Vulnerabilities classified as CWE-312 (敏感数据的明文存储) represent 243 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.