Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-312 (敏感数据的明文存储) — Vulnerability Class 243

243 vulnerabilities classified as CWE-312 (敏感数据的明文存储). AI Chinese analysis included.

CWE-312 represents a critical data protection weakness where sensitive information is stored in an unencrypted, readable format within a resource accessible to unauthorized entities. This flaw typically arises when developers fail to apply adequate cryptographic safeguards to data at rest, such as configuration files, logs, or local databases. Attackers exploit this vulnerability by gaining direct access to the storage medium, allowing them to easily extract credentials, personal identifiable information, or financial data without needing to bypass complex encryption algorithms. To mitigate this risk, developers must implement robust encryption standards, such as AES-256, for all sensitive data stored locally. Additionally, utilizing secure key management systems and ensuring that storage resources are strictly isolated from other control spheres helps prevent unauthorized access, thereby maintaining data confidentiality and integrity throughout its lifecycle.

MITRE CWE Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Common Consequences (1)
ConfidentialityRead Application Data
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Mitigations (2)
Implementation, System Configuration, OperationWhen storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Implementation, System Configuration, OperationIn some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Examples (2)
The following code excerpt stores a plaintext user account ID in a browser cookie.
response.addCookie( new Cookie("userAccountID", acctID);
Bad · Java
This code writes a user's login information to a cookie so the user does not have to login again later.
function persistLogin($username, $password){ $data = array("username" => $username, "password"=> $password); setcookie ("userdata", $data); }
Bad · PHP
CVE IDTitleCVSSSeverityPublished
CVE-2020-29500 Dell EMC PowerStore 信息泄露漏洞 — PowerStore 7.5 High2021-01-05
CVE-2020-26288 Parse Server stores password in plain text — parse-server 7.7 High2020-12-30
CVE-2020-25677 Red Hat ceph-ansible 安全漏洞 — ceph-ansible 5.5 -2020-12-08
CVE-2020-26228 Cleartext storage of session identifier — TYPO3.CMS 8.1 High2020-11-23
CVE-2020-8276 Brave Desktop Privacy-preserving analytics system 安全漏洞 — https://github.com/brave/brave-core 5.5 -2020-11-09
CVE-2020-8225 Nextcloud Desktop Client 安全漏洞 — Desktop Client 6.5 -2020-09-18
CVE-2020-15784 SUSE Linux Enterprise Server 安全漏洞 — Spectrum Power 4 5.3 -2020-09-09
CVE-2020-7517 Schneider Electric Easergy Builder 安全漏洞 — Easergy Builder (Version 1.4.7.2 and older) 5.5 -2020-07-23
CVE-2020-7516 Schneider Electric Easergy Builder 安全漏洞 — Easergy Builder V1.4.7.2 and prior 7.8 -2020-07-23
CVE-2020-15105 In Django Two-Factor Authentication, user passwords are stored in clear text in the Django session — django-two-factor-auth 5.4 Medium2020-07-10
CVE-2020-15085 Client caching login operation with plaintext password in Saleor Storefront — saleor-storefront 6.9 Medium2020-06-30
CVE-2020-7513 Schneider Electric Easergy T300 信息泄露漏洞 — Easergy T300 (Firmware version 1.5.2 and older) 7.5 -2020-06-16
CVE-2020-9045 C•CURE 9000 and victor Video Management System - Cleartext storage of user credentials upon installation or upgrade of software. — Software House C•CURE 9000 v2.70 9.9 Critical2020-05-21
CVE-2020-10706 Red Hat OpenShift Container Platform 安全漏洞 — openshift/openshift-apiserver 6.3 Medium2020-05-12
CVE-2020-5723 Grandstream UCM6200 安全漏洞 — Grandstream UCM6200 series 9.8 -2020-03-30
CVE-2020-6980 多款Rockwell Automation产品安全漏洞 — Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior 3.3 -2020-03-16
CVE-2019-14886 Business-central 安全漏洞 — Business-central 6.5 -2020-03-05
CVE-2019-18238 Moxa IOxpress Configuration Utility和ioLogik 2500 安全漏洞 — Moxa ioLogik 2500 series firmware, Version 3.0 or lower, IOxpress configuration utility, Version 2.3.0 or lower 7.5 -2020-02-26
CVE-2019-14890 Ansible Tower 安全漏洞 — Tower 6.5 -2019-11-26
CVE-2019-14825 Katello 安全漏洞 — katello 4.9 -2019-11-25
CVE-2019-3753 多款Dell EMC PowerConnect模块信任管理问题漏洞 — PowerConnect 8024 6.5 -2019-08-20
CVE-2019-3937 Crestron Electronics AM-100和Crestron Electronics AM-101 信任管理问题漏洞 — Crestron AirMedia 7.8 -2019-04-30
CVE-2014-5433 Baxter Wireless Battery Module 安全漏洞 — SIGMA Spectrum Infusion System 9.8 -2019-03-26
CVE-2015-1012 Hospira Lifecare PCA Infusion Pump 信息泄露漏洞 — LifeCare PCA Infusion System 7.5 -2019-03-25
CVE-2015-3952 多款Hospira产品信息泄露漏洞 — Plum A+ Infusion System 7.5 -2019-03-25
CVE-2019-6549 Kunbus PR100088 Modbus 信任管理问题漏洞 — PR100088 Modbus gateway 6.5 -2019-02-12
CVE-2018-19009 Pilz PNOZmulti Configurator 信任管理问题漏洞 — Pilz PNOZmulti Configurator 7.8 -2019-01-25
CVE-2018-10871 Red Hat 389-ds-base 安全漏洞 — 389-ds-base 6.5 -2018-07-18
CVE-2017-2672 Foreman 信息泄露漏洞 — foreman 8.8 -2018-06-21
CVE-2017-9654 Philips DoseWise Portal 信任管理漏洞 — DoseWise Portal 9.8 -2018-04-24

Vulnerabilities classified as CWE-312 (敏感数据的明文存储) represent 243 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.