Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-921 (在没有访问控制机制中存储敏感数据) — Vulnerability Class 8

8 vulnerabilities classified as CWE-921 (在没有访问控制机制中存储敏感数据). AI Chinese analysis included.

CWE-921 represents a critical storage weakness where sensitive data is persisted in mechanisms lacking inherent access control, such as removable media like USB drives or memory cards. Attackers typically exploit this vulnerability by physically accessing these devices or leveraging local system privileges to read unencrypted files, thereby exposing confidential information like credentials or personal data without needing to bypass complex network defenses. To mitigate this risk, developers must enforce strict access controls on all storage mechanisms, ensuring that only authorized processes or users can read or write sensitive content. Additionally, implementing robust encryption for data at rest and utilizing secure, access-controlled storage solutions rather than removable media can significantly reduce the attack surface. Regular security audits and adherence to least-privilege principles further ensure that sensitive information remains protected against unauthorized access.

MITRE CWE Description
The product stores sensitive information in a file system or device that does not have built-in access control. While many modern file systems or devices utilize some form of access control in order to restrict access to data, not all storage mechanisms have this capability. For example, memory cards, floppy disks, CDs, and USB devices are typically made accessible to any user within the system. This can become a problem when sensitive data is stored in these mechanisms in a multi-user environment, because anybody on the system can read or write this data. On Android devices, external storage is typically globally readable and writable by other applications on the device. External storage may also be easily accessible through the mobile device's USB connection or physically accessible through the device's memory card port.
Common Consequences (2)
ConfidentialityRead Application Data, Read Files or Directories
Attackers can read sensitive information by accessing the unrestricted storage mechanism.
IntegrityModify Application Data, Modify Files or Directories
Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism.
CVE IDTitleCVSSSeverityPublished
CVE-2025-30016 Authentication Bypass Vulnerability in SAP Financial Consolidation — SAP Financial Consolidation 9.8 Critical2025-04-08
CVE-2025-24843 Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application Storage of Sensitive Data in a Mechanism without Access Control — USB-C Blood Glucose Monitoring System Starter Kit Android Applications 5.1 Medium2025-02-28
CVE-2025-24870 Insecure Key & Secret Management vulnerability in SAP GUI for Windows — SAP GUI for Windows 6.0 Medium2025-02-11
CVE-2024-5206 Sensitive Data Leakage in sklearn.feature_extraction.text.TfidfVectorizer in scikit-learn/scikit-learn — scikit-learn/scikit-learn 7.5AIHighAI2024-06-06
CVE-2023-41818 Motorola Device Help 安全漏洞 — Phones 5.0 Medium2024-05-03
CVE-2023-41965 Socomec MOD3GP-SY-120K Insecure Storage of Sensitive Information — MODULYS GP (MOD3GP-SY-120K) 7.5 High2023-09-18
CVE-2023-2665 Storage of Sensitive Data in a Mechanism without Access Control in francoisjacquet/rosariosis — francoisjacquet/rosariosis 7.5 -2023-05-12
CVE-2021-27456 Philips Gemini PET/CT Storage of Sensitive Data in a Mechanism Without Access Control — Gemini 16 Slice 2.4 Low2022-03-23

Vulnerabilities classified as CWE-921 (在没有访问控制机制中存储敏感数据) represent 8 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.