Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

398 vulnerabilities reference this CWE, most recent first.

GHSA-87RM-WVWV-5R67

Vulnerability from github – Published: 2024-04-25 18:30 – Updated: 2024-04-25 18:30
VLAI
Details

A flaw was found in Quay, where Quay's database is stored in plain text in mirror-registry on Jinja's config.yaml file. This issue leaves the possibility of a malicious actor with access to this file to gain access to Quay's Redis instance.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-25T18:15:10Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Quay, where Quay\u0027s database is stored in plain text in mirror-registry on Jinja\u0027s config.yaml file. This issue leaves the possibility of a malicious actor with access to this file to gain access to Quay\u0027s Redis instance.",
  "id": "GHSA-87rm-wvwv-5r67",
  "modified": "2024-04-25T18:30:40Z",
  "published": "2024-04-25T18:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3625"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-3625"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274408"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-884F-P57J-F258

Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 19:59
VLAI
Summary
Jenkins ReadyAPI Functional Testing Plugin vulnerability stores unencrypted authentication credentials
Details

Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:soapui-pro-functional-testing"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-09T21:08:00Z",
    "nvd_published_at": "2025-07-09T16:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese credentials can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.\n\nAs of publication of this advisory, there is no fix.",
  "id": "GHSA-884f-p57j-f258",
  "modified": "2025-11-05T19:59:34Z",
  "published": "2025-07-09T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53656"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/soapui-pro-functional-testing-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3556"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins ReadyAPI Functional Testing Plugin vulnerability stores unencrypted authentication credentials"
}

GHSA-8F5F-WP2V-WG57

Vulnerability from github – Published: 2025-07-16 18:32 – Updated: 2025-07-16 18:32
VLAI
Details

LITEON IC48A firmware versions prior to 01.00.19r and LITEON IC80A firmware versions prior to 01.01.12e store FTP-server-access-credentials in cleartext in their system logs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7357"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-16T16:15:29Z",
    "severity": "HIGH"
  },
  "details": "LITEON IC48A firmware versions prior to 01.00.19r and LITEON IC80A firmware versions prior to 01.01.12e store FTP-server-access-credentials in cleartext in their system logs.",
  "id": "GHSA-8f5f-wp2v-wg57",
  "modified": "2025-07-16T18:32:38Z",
  "published": "2025-07-16T18:32:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7357"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-196-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8G6V-G8QC-5W7J

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-09 19:42
VLAI
Summary
Token stored in plain text by DigitalOcean Plugin
Details

Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.dubture.jenkins:digitalocean-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T19:42:06Z",
    "nvd_published_at": "2020-02-12T15:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.",
  "id": "GHSA-8g6v-g8qc-5w7j",
  "modified": "2023-01-09T19:42:06Z",
  "published": "2022-05-24T17:08:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2126"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/digitalocean-plugin/commit/ca1112c5c52a842c6340401f02f536fc07c6620a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/digitalocean-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1559"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Token stored in plain text by DigitalOcean Plugin"
}

GHSA-8G9W-5JV6-7M4X

Vulnerability from github – Published: 2022-03-16 00:00 – Updated: 2022-11-30 18:45
VLAI
Summary
Personal tokens stored in plain text by Jenkins incapptic connect uploader Plugin
Details

Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.incapptic.plugins:incapptic-connect-uploader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-27218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-30T18:45:18Z",
    "nvd_published_at": "2022-03-15T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.",
  "id": "GHSA-8g9w-5jv6-7m4x",
  "modified": "2022-11-30T18:45:18Z",
  "published": "2022-03-16T00:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27218"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/incapptic-connect-uploader-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2273"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/03/15/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Personal tokens stored in plain text by Jenkins incapptic connect uploader Plugin"
}

GHSA-8GP3-M447-GW2V

Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:13
VLAI
Summary
Jenkins VAddy Plugin vulnerability exposes plaintext keys on its job configuration form
Details

Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:vaddy-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-09T21:46:57Z",
    "nvd_published_at": "2025-07-09T16:15:26Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.",
  "id": "GHSA-8gp3-m447-gw2v",
  "modified": "2025-11-05T20:13:09Z",
  "published": "2025-07-09T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53669"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/vaddy-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3527"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins VAddy Plugin vulnerability exposes plaintext keys on its job configuration form"
}

GHSA-8MJ3-MJ87-CF2H

Vulnerability from github – Published: 2024-01-25 15:31 – Updated: 2024-01-25 15:31
VLAI
Details

Networker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. User has low privilege access to Networker Client system could potentially exploit this vulnerability, leading to the disclosure of configured MySQL Database user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application Database with privileges of the compromised account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-25T15:15:07Z",
    "severity": "HIGH"
  },
  "details": "\nNetworker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. User has low privilege access to Networker Client system could potentially exploit this vulnerability, leading to the disclosure of configured MySQL Database user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application Database with privileges of the compromised account.\n\n",
  "id": "GHSA-8mj3-mj87-cf2h",
  "modified": "2024-01-25T15:31:53Z",
  "published": "2024-01-25T15:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22432"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000221474/dsa-2024-059-security-update-for-dell-networker-multiple-components-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8PM7-8J9R-GR39

Vulnerability from github – Published: 2024-08-13 09:30 – Updated: 2024-08-13 09:30
VLAI
Details

A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA1) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA1) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA1) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA1) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA1) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA1) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA1) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA1) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA1) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA1) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA1) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA1) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA1) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA1) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA1) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA1) (All versions). Affected devices store user passwords in plaintext without proper protection. This could allow a physical attacker to retrieve them from the embedded storage ICs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39922"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T08:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA1) (All versions), LOGO! 12/24RCEo (6ED1052-2MD08-0BA1) (All versions), LOGO! 230RCE (6ED1052-1FB08-0BA1) (All versions), LOGO! 230RCEo (6ED1052-2FB08-0BA1) (All versions), LOGO! 24CE (6ED1052-1CC08-0BA1) (All versions), LOGO! 24CEo (6ED1052-2CC08-0BA1) (All versions), LOGO! 24RCE (6ED1052-1HB08-0BA1) (All versions), LOGO! 24RCEo (6ED1052-2HB08-0BA1) (All versions), SIPLUS LOGO! 12/24RCE (6AG1052-1MD08-7BA1) (All versions), SIPLUS LOGO! 12/24RCEo (6AG1052-2MD08-7BA1) (All versions), SIPLUS LOGO! 230RCE (6AG1052-1FB08-7BA1) (All versions), SIPLUS LOGO! 230RCEo (6AG1052-2FB08-7BA1) (All versions), SIPLUS LOGO! 24CE (6AG1052-1CC08-7BA1) (All versions), SIPLUS LOGO! 24CEo (6AG1052-2CC08-7BA1) (All versions), SIPLUS LOGO! 24RCE (6AG1052-1HB08-7BA1) (All versions), SIPLUS LOGO! 24RCEo (6AG1052-2HB08-7BA1) (All versions). Affected devices store user passwords in plaintext without proper protection. This could allow a physical attacker to retrieve them from the embedded storage ICs.",
  "id": "GHSA-8pm7-8j9r-gr39",
  "modified": "2024-08-13T09:30:52Z",
  "published": "2024-08-13T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39922"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-921449.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8X2H-C9MX-CX2J

Vulnerability from github – Published: 2024-09-26 15:30 – Updated: 2024-09-26 15:30
VLAI
Details

IBM Cognos Command Center 10.2.4.1 and 10.2.5 could disclose highly sensitive user information to an authenticated user with physical access to the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-31899"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-26T14:15:08Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cognos Command Center 10.2.4.1 and 10.2.5 could disclose highly sensitive user information to an authenticated user with physical access to the device.",
  "id": "GHSA-8x2h-c9mx-cx2j",
  "modified": "2024-09-26T15:30:43Z",
  "published": "2024-09-26T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31899"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7149734"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9387-XRFR-3WFR

Vulnerability from github – Published: 2024-09-18 18:30 – Updated: 2024-09-19 03:30
VLAI
Details

Victure PC420 1.1.39 was discovered to contain a hardcoded root password which is stored in plaintext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-18T18:15:05Z",
    "severity": "HIGH"
  },
  "details": "Victure PC420 1.1.39 was discovered to contain a hardcoded root password which is stored in plaintext.",
  "id": "GHSA-9387-xrfr-3wfr",
  "modified": "2024-09-19T03:30:31Z",
  "published": "2024-09-18T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41610"
    },
    {
      "type": "WEB",
      "url": "https://www.trevorkems.com/operation-big-brother-iot-camera"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.