Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-319 (敏感数据的明文传输) — Vulnerability Class 356

356 vulnerabilities classified as CWE-319 (敏感数据的明文传输). AI Chinese analysis included.

CWE-319 represents a critical security weakness where applications transmit sensitive or security-critical data in cleartext over communication channels susceptible to interception. Attackers typically exploit this vulnerability by employing network sniffing tools to capture unencrypted packets, thereby gaining unauthorized access to confidential information such as login credentials, personal identifiable information, or financial data. This exposure occurs because the data lacks encryption during transit, allowing malicious actors to read the contents without authentication. To prevent this, developers must implement robust encryption protocols, such as TLS or SSL, for all data in transit. Additionally, enforcing strict security policies that mandate encrypted connections for all sensitive communications ensures that data remains protected against eavesdropping and man-in-the-middle attacks, maintaining confidentiality and integrity throughout the transmission process.

MITRE CWE Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Common Consequences (2)
Integrity, ConfidentialityRead Application Data, Modify Files or Directories
Anyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination…
Integrity, ConfidentialityRead Application Data, Modify Files or Directories, Other
When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that i…
Mitigations (5)
Architecture and DesignBefore transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
ImplementationWhen using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
ImplementationWhen designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
TestingUse tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
OperationConfigure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
Examples (2)
The following code attempts to establish a connection to a site to communicate sensitive information.
try { URL u = new URL("http://www.secret.example.org/"); HttpURLConnection hu = (HttpURLConnection) u.openConnection(); hu.setRequestMethod("PUT"); hu.connect(); OutputStream os = hu.getOutputStream(); hu.disconnect(); } catch (IOException e) { //... }
Bad · Java
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE IDTitleCVSSSeverityPublished
CVE-2024-47789 Credential Leakage Vulnerability — IP Camera D8801 7.5 -2024-10-04
CVE-2024-45838 goTenna Pro ATAK Plugin Cleartext Transmission of Sensitive Information — Pro ATAK Plugin 4.3 Medium2024-09-26
CVE-2024-47124 Cleartext Transmission of Sensitive Information in goTenna Pro — Pro 4.3 Medium2024-09-26
CVE-2024-45101 Lenovo XClarity Administrator 安全漏洞 — XClarity Administrator 6.8 Medium2024-09-13
CVE-2024-8059 Lenovo XClarity Controller 安全漏洞 — HX5530 Appliance (ThinkAgile) XCC 4.3 Medium2024-09-13
CVE-2024-44105 Ivanti Workspace Control 安全漏洞 — Workspace Control 8.2 High2024-09-10
CVE-2024-41927 IDEC PLC多款产品 安全漏洞 — FC6A Series MICROSmart All-in-One CPU module 9.1AICriticalAI2024-09-04
CVE-2024-39746 IBM Sterling Connect:Direct Web Services information disclosure — Sterling Connect:Direct Web Services 5.9 Medium2024-08-22
CVE-2024-31905 IBM QRadar Network Packet Capture information disclosure — QRadar Network Packet Capture 5.9 Medium2024-08-15
CVE-2024-38167 .NET and Visual Studio Information Disclosure Vulnerability — Microsoft Visual Studio 2022 version 17.10 6.5 Medium2024-08-13
CVE-2024-7408 Information Disclosure Vulnerability in Airveda Air Quality Monitor — Air Quality Monitor PM2.5 PM10 5.3AIMediumAI2024-08-09
CVE-2024-32864 exacqVison - HTTPS Session Establishment — exacqVision 6.4 Medium2024-08-01
CVE-2024-41687 Cleartext Transmission of Sensitive Information Vulnerability — SyroTech SY-GPON-1110-WDONT router 9.8 -2024-07-26
CVE-2024-41124 Puncia Cleartext Transmission of Sensitive Information via HTTP urls in `API_URLS` — puncia 6.3 Medium2024-07-19
CVE-2024-5631 Longse NVR 安全漏洞 — NVR3608PGE2W 8.1AIHighAI2024-07-09
CVE-2024-37183 Westermo L210-F2G Lynx Cleartext Transmission of Sensitive Information — L210-F2G Lynx 5.7 Medium2024-06-20
CVE-2024-0066 AXIS OS 安全漏洞 — AXIS OS 5.3 Medium2024-06-18
CVE-2024-27163 Leak of admin password and passwords — Toshiba Tec e-Studio multi-function peripheral (MFP) 6.5 Medium2024-06-14
CVE-2024-35210 Siemens SINEC Traffic Analyzer 安全漏洞 — SINEC Traffic Analyzer 5.1 Medium2024-06-11
CVE-2024-37163 SkyScrape Secure API Requests — SkyScraper 6.4 Medium2024-06-07
CVE-2024-30209 Siemens 多款产品 安全漏洞 — SIMATIC RTLS Locating Manager 9.6 Critical2024-05-14
CVE-2024-28134 PHOENIX CONTACT: MitM attack gains privileges of the current logged in user in CHARX Series — CHARX SEC-3000 7.0 High2024-05-14
CVE-2024-0098 CVE — ChatRTX 5.5 Medium2024-05-09
CVE-2024-1657 Platform: insecure websocket used when interacting with eda server 8.1 High2024-04-25
CVE-2024-4161 Syslog traffic sent in clear-text — Brocade SANnav 8.6 High2024-04-25
CVE-2024-25960 Dell PowerScale OneFS 安全漏洞 — PowerScale OneFS 7.3 High2024-03-28
CVE-2024-0860 Cleartext Transmission of Sensitive Information in Softing edgeConnector and edgeAggregator — edgeConnector 8.0 High2024-03-14
CVE-2024-26288 PHOENIX CONTACT: Lack of SSL support in CHARX Series — CHARX SEC-3000 8.7 High2024-03-12
CVE-2023-27291 IBM Watson CP4D Data Stores information disclosure — Watson CP4D Data Stores 4.5 Medium2024-03-03
CVE-2023-47745 IBM MQ Container information disclosure — MQ Operator 6.2 Medium2024-03-03

Vulnerabilities classified as CWE-319 (敏感数据的明文传输) represent 356 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.