CWE-319 (Cleartext Transmission of Sensitive Information) — Vulnerability Class 356

356 vulnerabilities classified as CWE-319 (Cleartext Transmission of Sensitive Information). AI Chinese analysis included.

CWE-319 represents a critical security weakness where applications transmit sensitive or security-critical data in cleartext over communication channels susceptible to interception. Attackers typically exploit this vulnerability by employing network sniffing tools to capture unencrypted packets, thereby gaining unauthorized access to confidential information such as login credentials, personally identifiable information, or financial data. This exposure occurs because the data lacks encryption during transit, allowing malicious actors to read the contents without authentication. To prevent this, developers must implement robust encryption protocols, such as TLS or SSL, for all data in transit. Additionally, enforcing strict security policies that mandate encrypted connections for all sensitive communications ensures that data remains protected against eavesdropping and man-in-the-middle attacks, maintaining confidentiality and integrity throughout the transmission process.

MITRE CWE Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Common Consequences (2)
Integrity, Confidentiality: Read Application Data, Modify Files or Directories
Anyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination…
Integrity, Confidentiality: Read Application Data, Modify Files or Directories, Other
When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that i…
Mitigations (5)
Architecture and Design: Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
Implementation: When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
Implementation: When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
Testing: Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Operation: Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
Examples (2)
The following code attempts to establish a connection to a site to communicate sensitive information.
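try {
    // Cleartext scheme: everything written to this connection crosses the network unencrypted.
    URL u = new URL("http://www.secret.example.org/");
    HttpURLConnection hu = (HttpURLConnection) u.openConnection();
    hu.setRequestMethod("PUT");
    hu.setDoOutput(true); // needed before getOutputStream() on a PUT
    hu.connect();
    OutputStream os = hu.getOutputStream();
    hu.disconnect();
} catch (IOException e) {
    //...
}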
Bad · Java
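A hardened counterpart to the Bad example above, added here as an illustration and not part of the MITRE entry or this page's source: it refuses any URL whose scheme is not https before a connection is opened, and leaves Java's default certificate and hostname verification in place. The class and method names (SecureUpload, putOverTls) and the payload are assumptions made for the example.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

// Hypothetical helper class; not code from the CWE entry.
public class SecureUpload {

    // Sends the payload only over TLS. A non-HTTPS URL is rejected before any socket is opened.
    static int putOverTls(String target, byte[] payload) throws IOException {
        URL u = new URL(target);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IOException("refusing cleartext transport: " + u.getProtocol());
        }
        // Default trust manager and hostname verifier are deliberately left untouched.
        HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
        try {
            hu.setInstanceFollowRedirects(false); // do not resend the body to a redirect target
            hu.setRequestMethod("PUT");
            hu.setDoOutput(true);                 // required before getOutputStream()
            hu.setConnectTimeout(10_000);
            hu.setReadTimeout(10_000);
            try (OutputStream os = hu.getOutputStream()) {
                os.write(payload);
            }
            return hu.getResponseCode();
        } finally {
            hu.disconnect();
        }
    }

    public static void main(String[] args) {
        // Constructed sample payload standing in for the sensitive data.
        byte[] secret = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        try {
            // The URL from the Bad example is rejected without any network traffic.
            putOverTls("http://www.secret.example.org/", secret);
        } catch (IOException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```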
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID | Title | CVSS | Severity | Published
CVE-2020-8356 | Lenovo XClarity Orchestrator security vulnerability — XClarity Orchestrator | 4.9 | Medium | 2021-03-09
CVE-2021-26564 | Synology DiskStation Manager security vulnerability — Synology DiskStation Manager (DSM) | 8.3 | High | 2021-02-26
CVE-2021-26565 | Synology DiskStation Manager security vulnerability — Synology DiskStation Manager (DSM) | 8.3 | High | 2021-02-26
CVE-2021-26560 | Synology DiskStation Manager security vulnerability — Synology DiskStation Manager (DSM) | 9.0 | Critical | 2021-02-26
CVE-2021-22703 | Schneider PowerLogic products information disclosure vulnerability — PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions) | 7.5 | - | 2021-02-19
CVE-2021-22702 | Schneider PowerLogic products information disclosure vulnerability — PowerLogic ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions) | 7.5 | - | 2021-02-19
CVE-2021-20335 | SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager — MongoDB Ops Manager | 6.7 | Medium | 2021-02-11
CVE-2020-8355 | Lenovo XClarity Administrator information disclosure vulnerability — XClarity Administrator | 4.9 | Medium | 2021-02-10
CVE-2020-25169 | Reolink P2P Cameras — RLC-4XX series | 7.5 | - | 2021-01-26
CVE-2021-21270 | Cleartext Storage of Sensitive Information — OctopusDSC | 6.2 | Medium | 2021-01-22
CVE-2020-25190 | MOXA NPort IAW5000A-I/O Series — NPort IAW5000A-I/O | 7.5 | High | 2020-12-23
CVE-2020-13528 | Lantronix Xport Edge security vulnerability — Lantronix | 5.9 | - | 2020-12-17
CVE-2020-25155 | NEXCOM NIO 50 input validation error — NIO 50 | 7.5 | - | 2020-11-13
CVE-2020-5426 | Scheduler for TAS can transmit privileged UAA token in plaintext — Pivotal Scheduler | 9.8 | - | 2020-11-11
CVE-2020-27656 | Synology DiskStation Manager information disclosure vulnerability — DiskStation Manager (DSM) | 6.5 | Medium | 2020-10-29
CVE-2020-27657 | Synology Router Manager security vulnerability — Synology Router Manager (SRM) | 6.5 | Medium | 2020-10-29
CVE-2020-25645 | Linux kernel cryptographic issue vulnerability — kernel | 7.5 | - | 2020-10-13
CVE-2020-15785 | Siemens Siveillance Video Client cryptographic issue vulnerability — Siveillance Video Client | 5.3 | - | 2020-09-09
CVE-2020-1749 | Linux kernel security vulnerability — kernel | 7.5 | High | 2020-09-09
CVE-2020-3442 | DuoConnect SSH Connection Vulnerability — DUO Connect | 4.8 | Medium | 2020-07-20
CVE-2020-7592 | Multiple Siemens products security vulnerability — SIMATIC HMI Basic Panels 1st Generation (incl. SIPLUS variants) | 8.1 | - | 2020-07-14
CVE-2020-10281 | RVD#3315: Cleartext transmission of sensitive information in MAVLink protocol version 1.0 and 2.0 — MAVLink | 7.5 | - | 2020-07-03
CVE-2019-18248 | Biotronik CardioMessenger II-S security vulnerability — BIOTRONIK CardioMessenger II-S T-Line, CardioMessenger II-S GSM | 7.1 | - | 2020-06-29
CVE-2020-12008 | Baxter ExactaMix EM2400 and ExactaMix EM1200 security vulnerability — Baxter ExactaMix EM 2400 & EM 1200 | 7.5 | - | 2020-06-29
CVE-2020-12036 | Baxter PrismaFlex and PrisMax security vulnerability — Baxter PrismaFlex and PrisMax | 7.5 | - | 2020-06-29
CVE-2020-12048 | Baxter Phoenix Hemodialysis Delivery System security vulnerability — Baxter Phoenix Hemodialysis Delivery System | 7.5 | - | 2020-06-29
CVE-2020-12040 | Baxter Sigma Spectrum Infusion System and Baxter Spectrum Infusion System security vulnerability — Baxter Sigma Spectrum Infusion Pumps | 7.1 | - | 2020-06-29
CVE-2020-10624 | Honeywell ControlEdge PLC and ControlEdge RTU security vulnerability — ControlEdge PLC | 7.5 | - | 2020-06-26
CVE-2020-10628 | Honeywell ControlEdge PLC and ControlEdge RTU security vulnerability — ControlEdge PLC | 7.5 | - | 2020-06-26
CVE-2020-2013 | PAN-OS: Panorama context switch session cookie disclosure — PAN-OS | 8.3 | High | 2020-05-13

Vulnerabilities classified as CWE-319 (Cleartext Transmission of Sensitive Information) represent 356 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.