CWE-319 (Cleartext Transmission of Sensitive Information) — Vulnerability Class (356 CVEs)

356 vulnerabilities are classified as CWE-319 (Cleartext Transmission of Sensitive Information). AI-generated Chinese analysis is included.

CWE-319 is a security weakness in which an application transmits sensitive or security-critical data in cleartext over a communication channel that can be intercepted. An attacker positioned on that channel can capture the unencrypted packets with a network sniffer and read confidential information such as login credentials, personally identifiable information, or financial data; no authentication is needed because the data is not encrypted in transit. To prevent this, developers must protect all data in transit with a robust encryption protocol such as TLS (or its predecessor SSL). Enforcing a policy that mandates encrypted connections for all sensitive communications keeps the data protected against eavesdropping and man-in-the-middle attacks, preserving confidentiality and integrity throughout transmission.

MITRE CWE Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Common Consequences (2)
Scope: Integrity, Confidentiality. Impact: Read Application Data, Modify Files or Directories.
Anyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination…
Scope: Integrity, Confidentiality. Impact: Read Application Data, Modify Files or Directories, Other.
When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that i…
Mitigations (5)
Architecture and Design: Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
Implementation: When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
Implementation: When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security-critical data to trusted user applications.
Testing: Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Operation: Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
Examples (2)
The following code attempts to establish a connection to a site to communicate sensitive information.
    try {
        // Plain HTTP: everything written to this connection crosses the network in cleartext
        URL u = new URL("http://www.secret.example.org/");
        HttpURLConnection hu = (HttpURLConnection) u.openConnection();
        hu.setRequestMethod("PUT");
        hu.connect();
        OutputStream os = hu.getOutputStream();
        hu.disconnect();
    } catch (IOException e) {
        //...
    }
Bad · Java
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
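The CWE's Java snippet above issues its PUT over plain HTTP, so whatever is written to the stream is readable by anyone on the path. The following hardened client is an added example written for this page, not MITRE's code: it rejects any URL whose scheme is not HTTPS before a socket is opened, then uses HttpsURLConnection with the JDK's default trust store and hostname verifier, which is what gives the channel its confidentiality and server authentication. The host www.secret.example.org comes from the snippet above; the class name SecretClient, the helper names and the sample payload are constructed for illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public class SecretClient {

    /**
     * Fail closed: refuse to build a connection for anything but HTTPS.
     * Checking the scheme here, rather than trusting the caller, means a
     * stray "http://" in configuration cannot silently downgrade the channel.
     */
    static URL requireHttps(String target) throws IOException {
        URL u = new URL(target);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IOException("refusing to send sensitive data over " + u.getProtocol());
        }
        return u;
    }

    /** Sends the payload over TLS and returns the HTTP status code. */
    static int putSecret(String target, byte[] payload) throws IOException {
        URL u = requireHttps(target);
        // HttpsURLConnection performs the TLS handshake with the platform trust
        // store and the default HostnameVerifier; neither is overridden here.
        HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
        hu.setRequestMethod("PUT");
        hu.setDoOutput(true);
        hu.setRequestProperty("Content-Type", "application/octet-stream");
        hu.connect();
        try (OutputStream os = hu.getOutputStream()) {
            os.write(payload);
        }
        int status = hu.getResponseCode();
        hu.disconnect();
        return status;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample payload; a real client would send credentials or records here.
        byte[] secret = "example-secret".getBytes(StandardCharsets.UTF_8);
        System.out.println("status " + putSecret("https://www.secret.example.org/", secret));
    }
}
```

Two points a reviewer would look for in such a client: the scheme check happens before openConnection(), because an http:// URL is accepted without complaint by the same API; and no custom TrustManager or HostnameVerifier is installed to silence certificate errors, since an all-trusting verifier keeps the bytes encrypted on the wire but hands the session to whoever can present any certificate, which reintroduces the interception risk the mitigation is meant to remove.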
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-0252 | HCL IEM is affected by a password in cleartext vulnerability | IEM | 2.6 | Low | 2025-07-25
CVE-2025-0250 | HCL IEM is affected by an authorization token sent in cookie vulnerability | IEM | 2.2 | Low | 2025-07-24
CVE-2025-53703 | DuraComm DP-10iN-100-MU Cleartext Transmission of Sensitive Information | SPM-500 DP-10iN-100-MU | 7.5 | High | 2025-07-22
CVE-2025-36107 | IBM Cognos Analytics Mobile (iOS) information disclosure | Cognos Analytics Mobile | 5.9 | Medium | 2025-07-21
CVE-2025-2818 | Motorola Smart Connect Android Application security vulnerability | Smart Connect Android Application | 3.5 | Low | 2025-07-17
CVE-2025-53756 | Cleartext Transmission Vulnerability in Digisol DG-GR6821AC Router | XPON ONU Wi-Fi Router (DG-GR6821AC) | 9.8 (AI) | Critical (AI) | 2025-07-16
CVE-2025-53861 | Aap: sensitive cookie(s) set without security flags | Red Hat Ansible Automation Platform 2 | 3.1 | Low | 2025-07-11
CVE-2025-27457 | CVE-2025-27457 | Endress+Hauser MEAC300-FNADE4 | 6.5 | Medium | 2025-07-03
CVE-2025-36034 | IBM InfoSphere DataStage Flow Designer information disclosure | InfoSphere Information Server | 5.3 | Medium | 2025-06-26
CVE-2025-5087 | Cleartext Transmission of Sensitive Information in Kaleris Navis N4 | Navis N4 | 9.1 (AI) | Critical (AI) | 2025-06-24
CVE-2025-4378 | Hardcoded Credentials in Ataturk University's ATA-AOF Mobile Application | ATA-AOF Mobile Application | 10.0 | Critical | 2025-06-24
CVE-2025-4227 | GlobalProtect App: Interception in Endpoint Traffic Policy Enforcement | GlobalProtect App | 4.6 (AI) | Medium (AI) | 2025-06-13
CVE-2025-49194 | Unencrypted communication | SICK Media Server | 7.5 | High | 2025-06-12
CVE-2025-49183 | Unencrypted communication (HTTP) | SICK Media Server | 7.5 | High | 2025-06-12
CVE-2025-0136 | PAN-OS: Unencrypted Data Transfer when using AES-128-CCM on Intel-based hardware devices | Cloud NGFW | 7.5 (AI) | High (AI) | 2025-05-14
CVE-2025-40583 | Siemens SCALANCE LPE9403 security vulnerability | SCALANCE LPE9403 | 4.4 | Medium | 2025-05-13
CVE-2025-27720 | Pixmeo OsiriX MD Cleartext Transmission of Sensitive Information | OsiriX MD | 7.4 | High | 2025-05-08
CVE-2024-12378 | On affected platforms running Arista EOS with secure Vxlan configured, restarting the Tunnelsec agent will result in packets being sent over the secure Vxlan tunnels in the clear. | CloudVision Portal | 9.1 | Critical | 2025-05-08
CVE-2025-47419 | Non-Secure Access | Automate VX | 7.5 (AI) | High (AI) | 2025-05-06
CVE-2025-25046 | IBM InfoSphere Information Server information disclosure | InfoSphere Information Server | 3.7 | Low | 2025-04-23
CVE-2025-42603 | Information Disclosure Vulnerability in Meon KYC solutions | KYC solutions | 8.8 | - | 2025-04-23
CVE-2025-32793 | Cilium packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters | cilium | 4.0 | Medium | 2025-04-21
CVE-2025-43013 | JetBrains Toolbox App security vulnerability | Toolbox App | 6.9 | Medium | 2025-04-17
CVE-2025-43704 | Veritas Data Insight security vulnerability | Data Insight | 4.7 | Medium | 2025-04-16
CVE-2025-27722 | Inaba Denki Sangyo Wi-Fi AP UNIT security vulnerability | AC-WPS-11ac | 5.9 | Medium | 2025-04-09
CVE-2025-26654 | Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud) | SAP Commerce Cloud (Public Cloud) | 6.8 | Medium | 2025-04-08
CVE-2025-3329 | Consumer Comanda Mobile Restaurant Order cleartext transmission | Comanda Mobile | 3.1 | Low | 2025-04-07
CVE-2025-2861 | Cleartext Transmission of Sensitive Information vulnerability in saTECH BCU | saTECH BCU | 9.8 | - | 2025-03-28
CVE-2024-45361 | Mi Connect Service APP protocol flaws lead to leaking sensitive user information | Xiaomi Mi Connect Service | 6.5 | Medium | 2025-03-27
CVE-2025-27594 | Unencrypted transmission of password hash | SICK DL100-2xxxxxxx | 7.5 | High | 2025-03-14

Vulnerabilities classified as CWE-319 (Cleartext Transmission of Sensitive Information) account for 356 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.