CWE-319 (Cleartext Transmission of Sensitive Information) — Vulnerability Class 356

356 vulnerabilities classified as CWE-319 (Cleartext Transmission of Sensitive Information). AI Chinese analysis included.

CWE-319 represents a critical security weakness where applications transmit sensitive or security-critical data in cleartext over communication channels susceptible to interception. Attackers typically exploit this vulnerability by employing network sniffing tools to capture unencrypted packets, thereby gaining unauthorized access to confidential information such as login credentials, personally identifiable information, or financial data. This exposure occurs because the data lacks encryption during transit, allowing malicious actors to read the contents without authentication. To prevent this, developers must implement robust encryption protocols, such as TLS or SSL, for all data in transit. Additionally, enforcing strict security policies that mandate encrypted connections for all sensitive communications ensures that data remains protected against eavesdropping and man-in-the-middle attacks, maintaining confidentiality and integrity throughout the transmission process.

MITRE CWE Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Common Consequences (2)
Integrity, Confidentiality: Read Application Data, Modify Files or Directories
Anyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination…
Integrity, Confidentiality: Read Application Data, Modify Files or Directories, Other
When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that i…
Mitigations (5)
Architecture and Design: Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
Implementation: When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
Implementation: When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
Testing: Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Operation: Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
Examples (2)
The following code attempts to establish a connection to a site to communicate sensitive information.
try {
    URL u = new URL("http://www.secret.example.org/");
    HttpURLConnection hu = (HttpURLConnection) u.openConnection();
    hu.setRequestMethod("PUT");
    hu.connect();
    OutputStream os = hu.getOutputStream();
    hu.disconnect();
} catch (IOException e) {
    //...
}
Bad · Java
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2021-40392 | MOXA Moxa MXView security vulnerability — MXView Series | 7.5 | - | 2022-04-14 |
| CVE-2021-32982 | Automation Direct CLICK PLC CPU Modules Cleartext Transmission of Sensitive Information — CLICK PLC CPU Modules: C0-1x CPUs | 7.5 | High | 2022-04-04 |
| CVE-2021-33022 | Philips Vue PACS Cleartext Transmission of Sensitive Information — Vue PACS | 7.5 | High | 2022-04-01 |
| CVE-2003-5002 | ISS BlackICE PC Protection Update cleartext transmission — BlackICE PC Protection | 3.7 | Low | 2022-03-28 |
| CVE-2022-0988 | Delta Electronics DIAEnergie CLEARTEXT Transmission of Sensitive Information — DIAEnergie | 7.1 | High | 2022-03-25 |
| CVE-2020-25178 | Rockwell Automation ISaGRAF5 Runtime Cleartext Transmission of Sensitive Information — ISaGRAF Runtime | 7.5 | High | 2022-03-18 |
| CVE-2022-21798 | ICSA-22-053-02 GE Proficy CIMPLICITY-Cleartext — Proficy CIMPLICITY | 7.5 | High | 2022-02-25 |
| CVE-2022-0162 | Vulnerability in TP-Link TL-WR841N wireless router — TL-WR841N | 8.4 | High | 2022-02-09 |
| CVE-2021-4161 | ICSA-21-357-01 Moxa MGate Protocol Gateways — MGate MB3180 Series | 9.8 | Critical | 2021-12-27 |
| CVE-2021-3792 | Binatone Motorola-branded Camera security vulnerability — Binatone Hubble Cameras | 5.3 | Medium | 2021-11-12 |
| CVE-2021-3774 | Meross MSS550X Missing Encryption of Sensitive Data — Meross Smart Wi-Fi 2 Way Wall Switch | 7.4 | High | 2021-11-05 |
| CVE-2021-42699 | AzeoTech DAQFactory — DAQFactory | 5.7 | Medium | 2021-11-05 |
| CVE-2021-38418 | Delta Electronics DIALink — DIALink | 8.8 | High | 2021-11-03 |
| CVE-2021-0296 | CTPView: HSTS not being enforced on CTPView server. — CTPView | 7.4 | High | 2021-10-19 |
| CVE-2021-20599 | Mitsubishi Electric MELSEC iQ-R series security vulnerability — MELSEC iQ-R Series Safety CPU R08SFCPU | 9.1 | Critical | 2021-10-14 |
| CVE-2021-39342 | Credova_Financial <= 1.4.8 Sensitive Information Disclosure — Credova_Financial | 5.3 | Medium | 2021-09-29 |
| CVE-2021-22923 | Arch Linux trust management issue vulnerability — https://github.com/curl/curl | 5.3 | - | 2021-08-05 |
| CVE-2021-23846 | B426 Credential Disclosure — B426 Firmware | 8.8 | High | 2021-06-18 |
| CVE-2021-23896 | Cleartext Transmission of Sensitive Information in McAfee DBSec — McAfee Database Security (DBSec) | 3.2 | Low | 2021-06-02 |
| CVE-2021-23018 | Nginx Controller security vulnerability — Nginx Controller | 5.9 | - | 2021-06-01 |
| CVE-2021-32456 | SITEL CAP/PRX cleartext transmission of sensitive information — CAP/PRX | 6.5 | Medium | 2021-05-17 |
| CVE-2021-3494 | Foreman security vulnerability — foreman | 5.9 | - | 2021-04-26 |
| CVE-2021-20992 | Fibaro Home Center Unencrypted management interface — Fibaro Home Center | 8.1 | High | 2021-04-19 |
| CVE-2020-7308 | Transmission of data in clear text by McAfee ENS — McAfee Endpoint Security (ENS) for Windows | 4.8 | Medium | 2021-04-15 |
| CVE-2021-23884 | Clear text exposure of password in McAfee CSR ePO extension — McAfee Content Security Reporter (CSR) | 4.3 | Medium | 2021-04-15 |
| CVE-2021-27251 | Netgear NETGEAR security vulnerability — R7800 | 8.8 | - | 2021-04-14 |
| CVE-2021-3473 | Lenovo XClarity Controller security vulnerability — XClarity Controller (XCC) | 4.5 | Medium | 2021-04-13 |
| CVE-2021-21387 | Partial secret key disclosure, improper safety number calculation, & inadequate encryption strength — wrongthink | 8.1 | High | 2021-03-19 |
| CVE-2019-18231 | Advantech Spectre RT ERT351 firmware security vulnerability — Advantech Spectre RT ERT351 | 7.5 | - | 2021-03-17 |
| CVE-2021-3417 | Lenovo XClarity Orchestrator security vulnerability — XClarity Orchestrator | 4.9 | Medium | 2021-03-09 |

356 CVEs are classified as CWE-319 (Cleartext Transmission of Sensitive Information). The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.