
CWE-319 (Cleartext Transmission of Sensitive Information) — Vulnerability Class (356 CVEs)

356 vulnerabilities classified as CWE-319 (Cleartext Transmission of Sensitive Information). AI Chinese analysis included.

CWE-319 represents a critical security weakness in which an application transmits sensitive or security-critical data in cleartext over a communication channel that can be intercepted. Attackers typically exploit it with network sniffing tools that capture unencrypted packets, gaining unauthorized access to confidential information such as login credentials, personally identifiable information, or financial data. The exposure occurs because the data is not encrypted in transit, so anyone with access to the channel can read it without authenticating. To prevent this, developers must protect all data in transit with robust encryption protocols such as TLS or SSL. Enforcing strict policies that mandate encrypted connections for all sensitive communications additionally protects the data against eavesdropping and man-in-the-middle attacks, preserving confidentiality and integrity throughout transmission.

MITRE CWE Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Common Consequences (2)
Scope: Integrity, Confidentiality · Impact: Read Application Data, Modify Files or Directories
Anyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination…
Scope: Integrity, Confidentiality · Impact: Read Application Data, Modify Files or Directories, Other
When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that i…
Mitigations (5)
Architecture and Design: Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
Implementation: When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
Implementation: When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
Testing: Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Operation: Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
Examples (2)
The following code attempts to establish a connection to a site to communicate sensitive information.
    // Fragment; requires java.net.URL, java.net.HttpURLConnection,
    // java.io.OutputStream and java.io.IOException in scope.
    try {
        // The http:// scheme sends everything in cleartext on the wire.
        URL u = new URL("http://www.secret.example.org/");
        HttpURLConnection hu = (HttpURLConnection) u.openConnection();
        hu.setRequestMethod("PUT");
        hu.setDoOutput(true);   // needed for getOutputStream() to succeed
        hu.connect();
        // Anything written here crosses the network unencrypted.
        OutputStream os = hu.getOutputStream();
        hu.disconnect();
    } catch (IOException e) {
        //...
    }
Bad · Java
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
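The corrected form of the Java example above, written here as an added illustration of the "Architecture and Design" and "Operation" mitigations and not taken from MITRE or from this page: the connection is made over HTTPS, and the scheme is checked before any data is written, so a cleartext URL fails loudly instead of silently transmitting. The host www.secret.example.org is the placeholder from the CWE example; the payload and the class and method names are constructed for this illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;

import javax.net.ssl.HttpsURLConnection;

// Added example (not part of the original page): hardened counterpart of the
// cleartext PUT shown in the CWE example.
public class CleartextFixed {

    // Sends the payload over TLS only. Refuses any non-https URL so that a
    // misconfigured endpoint cannot downgrade the transport to cleartext.
    static int sendSensitive(String url, byte[] payload) throws IOException {
        URL u = new URL(url);
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IllegalArgumentException("refusing cleartext transport: " + url);
        }
        // HttpsURLConnection validates the server certificate and verifies the
        // hostname by default; do not install permissive TrustManager or
        // HostnameVerifier implementations, which would undo that protection.
        HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
        hu.setRequestMethod("PUT");
        hu.setDoOutput(true);
        hu.setRequestProperty("Content-Type", "application/octet-stream");
        hu.setConnectTimeout(5000);
        hu.setReadTimeout(5000);
        try (OutputStream os = hu.getOutputStream()) {
            os.write(payload);   // encrypted by the TLS session
        }
        int status = hu.getResponseCode();
        hu.disconnect();
        return status;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample secret; any real credential would be handled the same way.
        byte[] secret = "constructed sample secret".getBytes(StandardCharsets.UTF_8);
        int status = sendSensitive("https://www.secret.example.org/", secret);
        System.out.println("HTTP status: " + status);
    }
}
```

Calling sendSensitive with an http:// URL throws before a socket is opened, which is the behaviour to test for in CI: the "use SSL for the entire session" mitigation is only enforced if every code path that carries sensitive data goes through a helper like this one rather than constructing its own connection.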
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-39245 | Dell ESI for SAP LaMa security vulnerability | ESI (Enterprise Storage Integrator) for SAP LAMA | 9.8 | Critical | 2024-02-15 |
| CVE-2024-21406 | Windows Printing Service Spoofing Vulnerability | Windows 10 Version 1809 | 7.5 | High | 2024-02-13 |
| CVE-2023-32328 | IBM Security Verify Access information disclosure | Security Verify Access Appliance | 7.5 | High | 2024-02-07 |
| CVE-2023-40544 | Westermo Lynx Cleartext Transmission of Sensitive Information | Lynx | 5.7 | Medium | 2024-02-06 |
| CVE-2023-50962 | IBM PowerSC information disclosure | PowerSC | 5.9 | Medium | 2024-02-02 |
| CVE-2023-51741 | Cleartext Submission of Password vulnerability in Skyworth Router | Skyworth Router CM5100 | 7.5 | High | 2024-01-17 |
| CVE-2023-51740 | Cleartext Submission of Password vulnerability in Skyworth Router | Skyworth Router CM5100 | 7.5 | High | 2024-01-17 |
| CVE-2024-0056 | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability | Microsoft SQL Server 2022 (GDR) | 8.7 | High | 2024-01-09 |
| CVE-2023-6094 | OnCell G3150A-LTE Series: Web Server Transmits Cleartext Credentials | OnCell G3150A-LTE Series | 5.3 | Medium | 2023-12-31 |
| CVE-2023-50703 | Cleartext Transmission of Sensitive Information in EFACEC UC 500E | UC 500E | 6.3 | Medium | 2023-12-19 |
| CVE-2023-39172 | SENEC: Storage Box V1, V2 and V3 transmitting sensitive data unencrypted | Storage Box V1 | 9.1 | Critical | 2023-12-07 |
| CVE-2023-43503 | Siemens Comos security vulnerability | COMOS | 3.5 | Low | 2023-11-14 |
| CVE-2023-45321 | Bosch ctrlX HMI Web Panel WR21 security vulnerability | ctrlX HMI Web Panel - WR21 (WR2107) | 8.3 | High | 2023-10-25 |
| CVE-2023-33837 | IBM Security Verify Governance information disclosure | Security Verify Governance | 4.1 | Medium | 2023-10-23 |
| CVE-2023-38276 | IBM Cognos Dashboards information disclosure | Cognos Dashboards on Cloud Pak for Data | 5.9 | Medium | 2023-10-22 |
| CVE-2023-38275 | IBM Cognos Dashboards information disclosure | Cognos Dashboards on Cloud Pak for Data | 5.9 | Medium | 2023-10-22 |
| CVE-2023-41088 | Cleartext Transmission of Sensitive Information in DEXMA DEXGate | DexGate | 6.3 | Medium | 2023-10-19 |
| CVE-2023-34441 | Baker Hughes Bently Nevada 3500 System Cleartext Transmission of Sensitive Information | Bently Nevada 3500 System | 6.8 | Medium | 2023-10-18 |
| CVE-2022-22385 | IBM Security Verify Privilege information disclosure | Security Verify Privilege | 5.9 | Medium | 2023-10-17 |
| CVE-2023-5461 | Delta Electronics WPLSoft Modbus cleartext transmission | WPLSoft | 3.7 | Low | 2023-10-09 |
| CVE-2023-5100 | SICK APU security vulnerability | APU0200 | 5.9 | Medium | 2023-10-09 |
| CVE-2023-43125 | BIG-IP APM Clients TunnelCrack vulnerability | BIG-IP Edge Client | 6.8 | Medium | 2023-09-27 |
| CVE-2023-43124 | BIG-IP APM Clients TunnelCrack vulnerability | BIG-IP Edge Client | 5.3 | Medium | 2023-09-27 |
| CVE-2022-47560 | Cleartext Transmission of Sensitive Information in Ormazabal products | ekorCCP | 5.7 | Medium | 2023-09-20 |
| CVE-2023-40729 | Siemens QMS Automotive security vulnerability | QMS Automotive | 7.3 | High | 2023-09-12 |
| CVE-2023-34998 | Open Automation Software OAS Platform authorization issue vulnerability | OAS Platform | 8.1 | High | 2023-09-05 |
| CVE-2023-22870 | IBM Aspera Faspex information disclosure | Aspera Faspex | 5.9 | Medium | 2023-09-05 |
| CVE-2023-25848 | BUG-000158039 - There is an information disclosure issue in ArcGIS Server. | ArcGIS Enterprise Server | 5.3 | Medium | 2023-08-25 |
| CVE-2023-34972 | QTS, QuTS hero and QuTScloud | QTS | 3.5 | Low | 2023-08-24 |
| CVE-2023-2754 | Plaintext transmission of DNS requests in Windows 1.1.1.1 WARP client | WARP | 7.4 | High | 2023-08-03 |

Vulnerabilities classified as CWE-319 (Cleartext Transmission of Sensitive Information) represent 356 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.