CWE-319: Cleartext Transmission of Sensitive Information

Abstraction: Base
Status: Draft

Description

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Common Consequences

Scope: Integrity, Confidentiality
Impact: Read Application Data, Modify Files or Directories

Scope: Integrity, Confidentiality
Impact: Read Application Data, Modify Files or Directories, Other

Potential Mitigations

Architecture and Design

Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.

Implementation

When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.

Implementation

When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect the paths from security-critical data to trusted user applications.

Testing

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

Operation

Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
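The two web-facing mitigations above (keep the whole session on SSL/TLS, not just the login page, and do not let session cookies travel over plain HTTP, the chain behind CVE-2008-4122) can be checked mechanically. The following audit function is an added example, not part of the CWE entry: given a page URL and its response headers, it reports a cleartext scheme, a missing or zero-length Strict-Transport-Security policy, and session cookies that lack the Secure flag. The set of cookie names treated as session cookies is an assumption, and the sample responses are constructed.

```python
"""Audit an HTTP response for CWE-319 indicators: a page served over cleartext,
no HSTS policy forcing HTTPS, or a session cookie that may be sent over http://.
Added example; not code from the CWE entry."""

from http.cookies import SimpleCookie
from typing import Optional

# Assumption: cookies with these (case-insensitive) names carry session state.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "token"}


def _hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_response(url: str, headers: dict) -> list:
    """Return human-readable findings; an empty list means no CWE-319 indicator.

    headers maps header name -> list of values, because Set-Cookie may repeat.
    """
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}

    # 1. The page itself must be served over TLS (whole session, not just login).
    scheme = url.split("://", 1)[0].lower()
    if scheme != "https":
        findings.append(f"page served over cleartext scheme '{scheme}'")

    # 2. Without HSTS a client can still be steered to http:// for later requests.
    hsts_values = lowered.get("strict-transport-security", [])
    if not hsts_values:
        findings.append("no Strict-Transport-Security header; clients may still use http://")
    else:
        max_age = _hsts_max_age(hsts_values[0])
        if max_age is None or max_age == 0:
            findings.append("Strict-Transport-Security present but max-age missing or 0")

    # 3. A session cookie without Secure is sent on any http:// request to the host.
    for raw in lowered.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)  # parses name=value plus attributes such as Secure/HttpOnly
        for name, morsel in jar.items():
            if name.lower() not in SESSION_COOKIE_NAMES:
                continue
            if not morsel["secure"]:
                findings.append(f"session cookie '{name}' lacks the Secure flag")
    return findings


if __name__ == "__main__":
    # Constructed sample: login page on plain HTTP with an unprotected session cookie.
    sample_headers = {"Set-Cookie": ["sessionid=abc123; Path=/"]}
    for finding in audit_response("http://example.test/login", sample_headers):
        print("CWE-319:", finding)
```

The function deliberately inspects only what the server sent; it does not attempt any connection, so it can be run against headers exported from a browser's developer tools or from a test harness.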

Observed Examples

CVE-2022-29519

Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.

CVE-2022-30312

Building Controller uses a protocol that transmits authentication credentials in plaintext.

CVE-2022-31204

Programmable Logic Controller (PLC) sends password in plaintext.

CVE-2002-1949

Passwords transmitted in cleartext.

CVE-2008-4122

Chain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP.

CVE-2008-3289

Product sends password hash in cleartext in violation of intended policy.

CVE-2008-4390

Remote management feature sends sensitive information including passwords in cleartext.

CVE-2007-5626

Backup routine sends password in cleartext in email.

CVE-2004-1852

Product transmits Blowfish encryption key in cleartext.

CVE-2008-0374

Printer sends configuration information, including administrative password, in cleartext.


Applicable Platforms

Not Language-Specific
