CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
398 vulnerabilities reference this CWE, most recent first.
GHSA-GGMX-PQ89-7MCR
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-06-28 23:07Jenkins Configuration as Code Plugin prior to version 1.25 did not treat the proxy password as a secret to be masked when logging or encrypted for export.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.jenkins:configuration-as-code"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10345"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-28T23:07:38Z",
"nvd_published_at": "2019-07-31T13:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Configuration as Code Plugin prior to version 1.25 did not treat the proxy password as a secret to be masked when logging or encrypted for export.",
"id": "GHSA-ggmx-pq89-7mcr",
"modified": "2022-06-28T23:07:38Z",
"published": "2022-05-24T16:51:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10345"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/configuration-as-code-plugin/commit/73afe3cb10a723cb06e29c2e5499206aadae3a0d"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/configuration-as-code-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1303"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/07/31/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Plaintext Storage of a Password in Jenkins Configuration as Code Plugin"
}
GHSA-GH9J-F3P4-FWF2
Vulnerability from github – Published: 2024-06-13 15:30 – Updated: 2024-06-13 15:30IBM Jazz Reporting Service 7.0.3 stores user credentials in plain clear text which can be read by an admin user. IBM X-Force ID: 283363.
{
"affected": [],
"aliases": [
"CVE-2024-25052"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T14:15:11Z",
"severity": "MODERATE"
},
"details": "IBM Jazz Reporting Service 7.0.3 stores user credentials in plain clear text which can be read by an admin user. IBM X-Force ID: 283363.",
"id": "GHSA-gh9j-f3p4-fwf2",
"modified": "2024-06-13T15:30:36Z",
"published": "2024-06-13T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25052"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/283363"
},
{
"type": "WEB",
"url": "https://https://www.ibm.com/support/pages/node/7157232"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GHGQ-X6WC-6JR5
Vulnerability from github – Published: 2024-07-17 15:30 – Updated: 2024-07-17 19:30A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@zowe/cli"
},
"ranges": [
{
"events": [
{
"introduced": "7.18.0"
},
{
"fixed": "7.23.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-6833"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-17T19:30:05Z",
"nvd_published_at": "2024-07-17T15:15:14Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation.",
"id": "GHSA-ghgq-x6wc-6jr5",
"modified": "2024-07-17T19:30:05Z",
"published": "2024-07-17T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6833"
},
{
"type": "WEB",
"url": "https://github.com/zowe/zowe-cli/commit/6778da5e03c65dfcd3e6e4b4097b94d9fbd5d01b"
},
{
"type": "PACKAGE",
"url": "https://github.com/zowe/zowe-cli"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Zowe CLI allows storage of previously entered secure credentials in a plaintext file"
}
GHSA-GMG2-3W6V-945P
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-05 21:45Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.parasoft:environment-manager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2132"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-05T21:45:44Z",
"nvd_published_at": "2020-02-12T15:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.",
"id": "GHSA-gmg2-3w6v-945p",
"modified": "2023-01-05T21:45:44Z",
"published": "2022-05-24T17:08:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2132"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/environment-manager-tools-plugin/commit/a2511b9d3dfbd3778471c6840ae6026076f11134"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/environment-manager-tools-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1562"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Password stored in plain text by Parasoft Environment Manager Plugin"
}
GHSA-GPC2-F62M-C6H6
Vulnerability from github – Published: 2023-05-16 18:30 – Updated: 2023-05-17 03:40Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.
Code Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:codedx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2632"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-17T03:40:21Z",
"nvd_published_at": "2023-05-16T18:15:17Z",
"severity": "MODERATE"
},
"details": "Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.\n\nCode Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.",
"id": "GHSA-gpc2-f62m-c6h6",
"modified": "2023-05-17T03:40:21Z",
"published": "2023-05-16T18:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2632"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/codedx-plugin/commit/a971a75da3eaf0ab5344c2b60942e7c8809ec913"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Code Dx Plugin stores API keys in plain text"
}
GHSA-GPMF-HWM2-X2MQ
Vulnerability from github – Published: 2025-05-08 00:31 – Updated: 2025-05-08 00:31On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc).
{
"affected": [],
"aliases": [
"CVE-2025-0936"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-07T23:15:53Z",
"severity": "MODERATE"
},
"details": "On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc).",
"id": "GHSA-gpmf-hwm2-x2mq",
"modified": "2025-05-08T00:31:12Z",
"published": "2025-05-08T00:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0936"
},
{
"type": "WEB",
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21394-security-advisory-0117"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GVMR-MP5Q-9WVW
Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-12-09 04:54Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file hudson.plugins.skype.im.transport.SkypePublisher.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:skype-notifier"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-34805"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-13T15:42:18Z",
"nvd_published_at": "2022-06-30T18:15:00Z",
"severity": "LOW"
},
"details": "Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file `hudson.plugins.skype.im.transport.SkypePublisher.xml` on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system.",
"id": "GHSA-gvmr-mp5q-9wvw",
"modified": "2022-12-09T04:54:35Z",
"published": "2022-07-01T00:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34805"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/skype-im-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2160"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Plaintext Storage of a Password in Jenkins Skype notifier Plugin"
}
GHSA-GX4C-QRX5-9W6F
Vulnerability from github – Published: 2023-05-23 00:30 – Updated: 2024-04-04 04:16The Dataprobe cloud usernames and passwords are stored in plain text in a specific file. Any user able to read this specific file from the device could compromise other devices connected to the user's cloud.
{
"affected": [],
"aliases": [
"CVE-2022-4945"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-22T22:15:09Z",
"severity": "MODERATE"
},
"details": "The Dataprobe cloud usernames and passwords are stored in plain text in a specific file. Any user able to read this specific file from the device could compromise other devices connected to the user\u0027s cloud.",
"id": "GHSA-gx4c-qrx5-9w6f",
"modified": "2024-04-04T04:16:56Z",
"published": "2023-05-23T00:30:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4945"
},
{
"type": "WEB",
"url": "https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H3M5-P59H-X88P
Vulnerability from github – Published: 2026-03-31 23:42 – Updated: 2026-03-31 23:42Summary
Passwords passed via the --password / -p CLI argument in openssl_encrypt/modules/crypt_cli_subparser.py at lines 150-154 are visible to any user on the system via ps aux or /proc/[pid]/cmdline.
Affected Code
subparser.add_argument(
"--password", "-p",
help="Password (will prompt if not provided, or use CRYPT_PASSWORD environment variable)",
)
Similarly, --keystore-password exposes the keystore password.
Impact
On multi-user systems, any user can observe the encryption password by listing processes. The CRYPT_PASSWORD environment variable alternative is also visible via /proc/[pid]/environ (though with slightly restricted access).
Recommended Fix
- Document the security implications prominently
- Recommend interactive prompting (already supported) as the secure default
- Consider supporting password file descriptors (
--password-fd) or reading from stdin - Consider marking the argument as deprecated in favor of interactive prompting
Fix
Fixed in commit e78a366 on branch releases/1.4.x — added --password-file and --password-fd arguments; added OPENSSL_ENCRYPT_PASSWORD env var support; --password now emits deprecation warning.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "openssl-encrypt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T23:42:17Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nPasswords passed via the `--password` / `-p` CLI argument in `openssl_encrypt/modules/crypt_cli_subparser.py` at **lines 150-154** are visible to any user on the system via `ps aux` or `/proc/[pid]/cmdline`.\n\n### Affected Code\n\n```python\nsubparser.add_argument(\n \"--password\", \"-p\",\n help=\"Password (will prompt if not provided, or use CRYPT_PASSWORD environment variable)\",\n)\n```\n\nSimilarly, `--keystore-password` exposes the keystore password.\n\n### Impact\n\nOn multi-user systems, any user can observe the encryption password by listing processes. The `CRYPT_PASSWORD` environment variable alternative is also visible via `/proc/[pid]/environ` (though with slightly restricted access).\n\n### Recommended Fix\n\n- Document the security implications prominently\n- Recommend interactive prompting (already supported) as the secure default\n- Consider supporting password file descriptors (`--password-fd`) or reading from stdin\n- Consider marking the argument as deprecated in favor of interactive prompting\n\n### Fix\n\nFixed in commit `e78a366` on branch `releases/1.4.x` \u2014 added --password-file and --password-fd arguments; added OPENSSL_ENCRYPT_PASSWORD env var support; --password now emits deprecation warning.",
"id": "GHSA-h3m5-p59h-x88p",
"modified": "2026-03-31T23:42:17Z",
"published": "2026-03-31T23:42:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-h3m5-p59h-x88p"
},
{
"type": "WEB",
"url": "https://github.com/jahlives/openssl_encrypt/commit/e78a3666e4592f3538adaaa6be8f5f04356174db"
},
{
"type": "PACKAGE",
"url": "https://github.com/jahlives/openssl_encrypt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "openssl-encrypt has visible password in process list via --password CLI argument"
}
GHSA-H4X7-365Q-3RM3
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32In version 0.0.14 of transformeroptimus/superagi, the API endpoint /api/users/get/{id} returns the user's password in plaintext. This vulnerability allows an attacker to retrieve the password of another user, leading to potential account takeover.
{
"affected": [],
"aliases": [
"CVE-2024-9418"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:48Z",
"severity": "MODERATE"
},
"details": "In version 0.0.14 of transformeroptimus/superagi, the API endpoint `/api/users/get/{id}` returns the user\u0027s password in plaintext. This vulnerability allows an attacker to retrieve the password of another user, leading to potential account takeover.",
"id": "GHSA-h4x7-365q-3rm3",
"modified": "2025-03-20T12:32:51Z",
"published": "2025-03-20T12:32:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9418"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/9a8118a2-ea32-41f5-b501-fef4f31d8213"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.