CWE-312
Cleartext Storage of Sensitive Information
Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
Read Application Data
Potential Mitigations
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CVE-2022-26390wireless battery product stores credentials and Personal Health Information (PHI) without encryption
CVE-2022-30275Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
CVE-2009-2272password and username stored in cleartext in a cookie
CVE-2009-1466password stored in cleartext in a file with insecure permissions
CVE-2009-0152chat program disables SSL in some circumstances even when the user says to use SSL.
CVE-2009-1603Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
CVE-2009-0964storage of unencrypted passwords in a database
CVE-2008-6157storage of unencrypted passwords in a database
CVE-2008-6828product stores a password in cleartext in memory
CVE-2008-1567storage of a secret key in cleartext in a temporary file
+11 more examples
Applicable Platforms
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now