Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-319 (敏感数据的明文传输) — Vulnerability Class 356

356 vulnerabilities classified as CWE-319 (敏感数据的明文传输). AI Chinese analysis included.

CWE-319 represents a critical security weakness where applications transmit sensitive or security-critical data in cleartext over communication channels susceptible to interception. Attackers typically exploit this vulnerability by employing network sniffing tools to capture unencrypted packets, thereby gaining unauthorized access to confidential information such as login credentials, personal identifiable information, or financial data. This exposure occurs because the data lacks encryption during transit, allowing malicious actors to read the contents without authentication. To prevent this, developers must implement robust encryption protocols, such as TLS or SSL, for all data in transit. Additionally, enforcing strict security policies that mandate encrypted connections for all sensitive communications ensures that data remains protected against eavesdropping and man-in-the-middle attacks, maintaining confidentiality and integrity throughout the transmission process.

MITRE CWE Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Common Consequences (2)
Integrity, ConfidentialityRead Application Data, Modify Files or Directories
Anyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination…
Integrity, ConfidentialityRead Application Data, Modify Files or Directories, Other
When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that i…
Mitigations (5)
Architecture and DesignBefore transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
ImplementationWhen using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
ImplementationWhen designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
TestingUse tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
OperationConfigure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
Examples (2)
The following code attempts to establish a connection to a site to communicate sensitive information.
try { URL u = new URL("http://www.secret.example.org/"); HttpURLConnection hu = (HttpURLConnection) u.openConnection(); hu.setRequestMethod("PUT"); hu.connect(); OutputStream os = hu.getOutputStream(); hu.disconnect(); } catch (IOException e) { //... }
Bad · Java
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE IDTitleCVSSSeverityPublished
CVE-2023-3763 Intergard SGS SQL Query cleartext transmission — SGS 3.7 Low2023-07-19
CVE-2023-3761 Intergard SGS Password Change cleartext transmission — SGS 3.7 Low2023-07-19
CVE-2023-34142 Cleartext Transmission Vulnerability in Hitachi Device Manager — Hitachi Device Manager 9.0 Critical2023-07-18
CVE-2023-3272 SICK ICR890-4 安全漏洞 — ICR890-4 7.5 High2023-07-10
CVE-2023-23841 SolarWinds Serv-U Exposure of Sensitive Information Vulnerability — ServU 7.5 High2023-06-15
CVE-2022-41327 Fortinet FortiOS 安全漏洞 — FortiOS 7.6 High2023-06-13
CVE-2023-27861 IBM Maximo Application Suite information disclosure — Maximo Application Suite 5.9 Medium2023-06-05
CVE-2023-30602 Hitron Technologies Inc. CODA-5310 - Insecure service Telnet — Hitron CODA-5310 7.5 High2023-06-02
CVE-2023-3028 Improper backend communication allows access and manipulation of the telemetry data — HQT401 8.6 High2023-06-01
CVE-2023-33187 highlight vulnerable to cleartext transmission of sensitive information — highlight 5.4 Medium2023-05-26
CVE-2023-31193 Snap One OvrC Pro 安全漏洞 — OvrC Cloud 7.5 High2023-05-22
CVE-2022-46680 Schneider Electric PowerLogic 安全漏洞 — PowerLogic ION9000 8.8 High2023-05-22
CVE-2023-0864 Configuration data is exchanged in plaintext and could be available to a nearby attacker if present during configuration or usage of the device via Bluetooth Low Energy (BLE). — Terra AC wallbox (UL40/80A) 7.1 High2023-05-17
CVE-2023-1802 In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed — Docker Desktop 5.9 Medium2023-04-06
CVE-2023-0922 samba 安全漏洞 — Samba 7.4 -2023-04-03
CVE-2023-1656 When the LDAP connector is started with StartTLS configured, LDAP BIND credentials are transmitted insecurely, prior to establishing the TLS connection. — OpenIDM and Java Remote Connector Server (RCS) 7.5 High2023-03-29
CVE-2023-0053 SAUTER Controls Nova 200–220 Series Cleartext Transmission of Sensitive Information — Nova 220 (EYK220F001) DDC with BACnet connection 7.5 High2023-03-02
CVE-2023-23914 curl 安全漏洞 — https://github.com/curl/curl 9.1 -2023-02-23
CVE-2023-23915 curl 安全漏洞 — https://github.com/curl/curl 8.2 -2023-02-23
CVE-2023-22806 CVE-2023-22806 — XBC-DN32U 7.5 High2023-02-15
CVE-2023-0001 Cortex XDR Agent: Cleartext Exposure of Agent Admin Password — Cortex XDR agent 6.0 Medium2023-02-08
CVE-2022-40693 MOXA SDS-3008 安全漏洞 — SDS-3008 Series Industrial Ethernet Switch 7.5 -2023-02-07
CVE-2023-22863 IBM Robotic Process Automation information disclosure — Robotic Process Automation 5.9 Medium2023-01-18
CVE-2023-22597 InHand Networks InRouter302 安全漏洞 — InRouter 302 6.5 Medium2023-01-12
CVE-2022-3929 Communication between the client and server partially using CORBA over TCP/IP — FOXMAN-UN 8.3 High2023-01-05
CVE-2022-43551 curl 安全漏洞 — https://github.com/curl/curl 7.5 -2022-12-23
CVE-2022-22457 IBM Security Verify Governance, Identity Manager information disclosure — Security Verify Governance, Identity Manager 5.3 Medium2022-12-22
CVE-2022-47895 JetBrains IntelliJ IDEA 安全漏洞 — IntelliJ IDEA 4.7 Medium2022-12-22
CVE-2020-4497 IBM Spectrum Protect Plus information disclosure — Spectrum Protect Plus 6.8 Medium2022-12-14
CVE-2022-43724 Siemens SICAM PAS/PQS 安全漏洞 — SICAM PAS/PQS 9.8 -2022-12-13

Vulnerabilities classified as CWE-319 (敏感数据的明文传输) represent 356 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.