Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-319 (敏感数据的明文传输) — Vulnerability Class 356

356 vulnerabilities classified as CWE-319 (敏感数据的明文传输). AI Chinese analysis included.

CWE-319 represents a critical security weakness where applications transmit sensitive or security-critical data in cleartext over communication channels susceptible to interception. Attackers typically exploit this vulnerability by employing network sniffing tools to capture unencrypted packets, thereby gaining unauthorized access to confidential information such as login credentials, personal identifiable information, or financial data. This exposure occurs because the data lacks encryption during transit, allowing malicious actors to read the contents without authentication. To prevent this, developers must implement robust encryption protocols, such as TLS or SSL, for all data in transit. Additionally, enforcing strict security policies that mandate encrypted connections for all sensitive communications ensures that data remains protected against eavesdropping and man-in-the-middle attacks, maintaining confidentiality and integrity throughout the transmission process.

MITRE CWE Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Common Consequences (2)
Integrity, ConfidentialityRead Application Data, Modify Files or Directories
Anyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination…
Integrity, ConfidentialityRead Application Data, Modify Files or Directories, Other
When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that i…
Mitigations (5)
Architecture and DesignBefore transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
ImplementationWhen using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
ImplementationWhen designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
TestingUse tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
OperationConfigure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
Examples (2)
The following code attempts to establish a connection to a site to communicate sensitive information.
try { URL u = new URL("http://www.secret.example.org/"); HttpURLConnection hu = (HttpURLConnection) u.openConnection(); hu.setRequestMethod("PUT"); hu.connect(); OutputStream os = hu.getOutputStream(); hu.disconnect(); } catch (IOException e) { //... }
Bad · Java
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE IDTitleCVSSSeverityPublished
CVE-2020-7488 多款Schneider Electric产品安全漏洞 — EcoStruxure Machine Expert (all versions)SoMachine, SoMachine Motion (all versions)Modicon M218 Logic Controller (all versions)Modicon M241 Logic Controller (all versions)Modicon M251 Logic Controller (all versions)Modicon M258 Logic Controller (all versions) 7.5 -2020-04-22
CVE-2020-6997 Moxa EDS-G516E和EDS-510E 安全漏洞 — Moxa EDS-G516E Series firmware, Version 5.2 or lower 5.3 -2020-03-24
CVE-2020-7003 Moxa IOxpress configuration utility和ioLogik 2500 安全漏洞 — Moxa ioLogik 2500 series firmware, Version 3.0 or lower, IOxpress configuration utility, Version 2.3.0 or lower 7.5 -2020-03-24
CVE-2020-5399 CredHub does not properly enable TLS for MySQL database connections — CredHub 8.7 -2020-02-12
CVE-2019-18285 Siemens SPPA-T3000 缓冲区错误漏洞 — SPPA-T3000 Application Server 5.9 -2019-12-12
CVE-2012-5562 Rhn-proxy: rhn-satellite: rhn-proxy: information disclosure via clear-text credential transmission when accessing rhn satellite — Red Hat Satellite 6 8.6 High2019-12-02
CVE-2019-6846 多款Schneider产品安全漏洞 — Modicon M580, Modicon M340, Modicon BMxCRA and 140CRA modules (all firmware versions) 6.5 -2019-10-29
CVE-2019-6845 多款Schneider Electric产品安全漏洞 — Modicon M580, Modicon M340, Modicon Premium , Modicon Quantum (all firmware versions) 7.5 -2019-10-29
CVE-2019-9532 The web application portal of the Cobham EXPLORER 710, firmware version 1.07, sends the login password in cleartext — Explorer 710 7.8 -2019-10-10
CVE-2019-5635 Hickory Smart Lock Cleartext Password — Hickory Smart Ethernet Bridge 7.5 -2019-08-22
CVE-2019-11276 Apps Manager sends tokens to Spring apps via HTTP — Pivotal Application Service (PAS) 8.2 -2019-08-19
CVE-2019-10926 Siemens SIMATIC Ident MV420和Siemens SIMATIC Ident MV440 加密问题漏洞 — SIMATIC MV400 family 5.3 -2019-06-12
CVE-2019-6540 Medtronic Conexus Radio Frequency Telemetry Protocol Cleartext Transmission of Sensitive Information — Conexus Radio Frequency Telemetry Protocol 6.5 Medium2019-03-26
CVE-2018-5401 The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App transmit sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors — DCU-210E 5.9 -2018-10-08
CVE-2018-5402 The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN — DCU-210E 8.8 -2018-10-08
CVE-2018-8842 Philips e-Alert 安全漏洞 — e-Alert Unit (non-medical device) 8.8 -2018-09-26
CVE-2018-14627 Red Hat WildFly IIOP OpenJDK子系统安全漏洞 — JBoss/WildFly 5.9 -2018-09-04
CVE-2018-10634 Medtronic MiniMed MMT-500/MMT-503 Remote Controllers Cleartext Transmission of Sensitive Information — MMT- 508 - MiniMed pump 4.8 Medium2018-08-13
CVE-2018-8855 多款Echelon产品安全漏洞 — SmartServer 1 9.8 -2018-07-24
CVE-2016-5638 Netgear WNDR4500 running firmware version V1.0.1.40_1.0.6877 reveals some sensitive information such as 2.4GHz & 5GHz Wireless Network Name (SSID) and Network Key (Password) in clear text — WNDR4500 7.5 -2018-07-24
CVE-2016-5649 Netgear DGN2200 and DGND3700 disclose the administrator password — DGN2200 9.8 -2018-07-24
CVE-2018-0025 Junos OS: SRX Series: Credentials exposed when using HTTP and HTTPS Firewall Pass-through User Authentication — Junos OS 5.9 -2018-07-11
CVE-2018-8929 Synology SSL VPN Client 安全漏洞 — SSL VPN Client 7.4 -2018-07-06
CVE-2017-9637 Schneider Electric Ampla MES 安全漏洞 — Ampla MES 5.9 -2018-05-18
CVE-2018-5471 多款Belden产品安全漏洞 — Hirschmann Automation and Control GmbH Classic Platform Switches 5.9 -2018-03-06
CVE-2017-8444 Elastic Cloud Enterprise 安全漏洞 — Elastic Cloud Enterprise 5.9 -2017-09-28

Vulnerabilities classified as CWE-319 (敏感数据的明文传输) represent 356 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.