Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

398 vulnerabilities reference this CWE, most recent first.

GHSA-GGMX-PQ89-7MCR

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-06-28 23:07
VLAI
Summary
Plaintext Storage of a Password in Jenkins Configuration as Code Plugin
Details

Jenkins Configuration as Code Plugin prior to version 1.25 did not treat the proxy password as a secret to be masked when logging or encrypted for export.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins:configuration-as-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10345"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T23:07:38Z",
    "nvd_published_at": "2019-07-31T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Configuration as Code Plugin prior to version 1.25 did not treat the proxy password as a secret to be masked when logging or encrypted for export.",
  "id": "GHSA-ggmx-pq89-7mcr",
  "modified": "2022-06-28T23:07:38Z",
  "published": "2022-05-24T16:51:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10345"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/configuration-as-code-plugin/commit/73afe3cb10a723cb06e29c2e5499206aadae3a0d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/configuration-as-code-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1303"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/07/31/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Plaintext Storage of a Password in Jenkins Configuration as Code Plugin"
}

GHSA-GH9J-F3P4-FWF2

Vulnerability from github – Published: 2024-06-13 15:30 – Updated: 2024-06-13 15:30
VLAI
Details

IBM Jazz Reporting Service 7.0.3 stores user credentials in plain clear text which can be read by an admin user. IBM X-Force ID: 283363.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-13T14:15:11Z",
    "severity": "MODERATE"
  },
  "details": "IBM Jazz Reporting Service 7.0.3 stores user credentials in plain clear text which can be read by an admin user. IBM X-Force ID:  283363.",
  "id": "GHSA-gh9j-f3p4-fwf2",
  "modified": "2024-06-13T15:30:36Z",
  "published": "2024-06-13T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25052"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/283363"
    },
    {
      "type": "WEB",
      "url": "https://https://www.ibm.com/support/pages/node/7157232"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GHGQ-X6WC-6JR5

Vulnerability from github – Published: 2024-07-17 15:30 – Updated: 2024-07-17 19:30
VLAI
Summary
Zowe CLI allows storage of previously entered secure credentials in a plaintext file
Details

A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@zowe/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.18.0"
            },
            {
              "fixed": "7.23.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6833"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-17T19:30:05Z",
    "nvd_published_at": "2024-07-17T15:15:14Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in Zowe CLI allows local, privileged actors to store previously entered secure credentials in a plaintext file as part of an auto-init operation.",
  "id": "GHSA-ghgq-x6wc-6jr5",
  "modified": "2024-07-17T19:30:05Z",
  "published": "2024-07-17T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6833"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zowe/zowe-cli/commit/6778da5e03c65dfcd3e6e4b4097b94d9fbd5d01b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zowe/zowe-cli"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Zowe CLI allows storage of previously entered secure credentials in a plaintext file"
}

GHSA-GMG2-3W6V-945P

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-05 21:45
VLAI
Summary
Password stored in plain text by Parasoft Environment Manager Plugin
Details

Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.parasoft:environment-manager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-05T21:45:44Z",
    "nvd_published_at": "2020-02-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.",
  "id": "GHSA-gmg2-3w6v-945p",
  "modified": "2023-01-05T21:45:44Z",
  "published": "2022-05-24T17:08:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2132"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/environment-manager-tools-plugin/commit/a2511b9d3dfbd3778471c6840ae6026076f11134"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/environment-manager-tools-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1562"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Password stored in plain text by Parasoft Environment Manager Plugin"
}

GHSA-GPC2-F62M-C6H6

Vulnerability from github – Published: 2023-05-16 18:30 – Updated: 2023-05-17 03:40
VLAI
Summary
Jenkins Code Dx Plugin stores API keys in plain text
Details

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

Code Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:codedx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-2632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T03:40:21Z",
    "nvd_published_at": "2023-05-16T18:15:17Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.\n\nCode Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.",
  "id": "GHSA-gpc2-f62m-c6h6",
  "modified": "2023-05-17T03:40:21Z",
  "published": "2023-05-16T18:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2632"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/codedx-plugin/commit/a971a75da3eaf0ab5344c2b60942e7c8809ec913"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Code Dx Plugin stores API keys in plain text"
}

GHSA-GPMF-HWM2-X2MQ

Vulnerability from github – Published: 2025-05-08 00:31 – Updated: 2025-05-08 00:31
VLAI
Details

On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0936"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T23:15:53Z",
    "severity": "MODERATE"
  },
  "details": "On affected platforms running Arista EOS with a gNMI transport enabled, running the gNOI File TransferToRemote RPC with credentials for a remote server may cause these remote-server credentials to be logged or accounted on the local EOS device or possibly on other remote accounting servers (i.e. TACACS, RADIUS, etc).",
  "id": "GHSA-gpmf-hwm2-x2mq",
  "modified": "2025-05-08T00:31:12Z",
  "published": "2025-05-08T00:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0936"
    },
    {
      "type": "WEB",
      "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/21394-security-advisory-0117"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GVMR-MP5Q-9WVW

Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-12-09 04:54
VLAI
Summary
Plaintext Storage of a Password in Jenkins Skype notifier Plugin
Details

Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file hudson.plugins.skype.im.transport.SkypePublisher.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:skype-notifier"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-34805"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-13T15:42:18Z",
    "nvd_published_at": "2022-06-30T18:15:00Z",
    "severity": "LOW"
  },
  "details": "Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file `hudson.plugins.skype.im.transport.SkypePublisher.xml` on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system.",
  "id": "GHSA-gvmr-mp5q-9wvw",
  "modified": "2022-12-09T04:54:35Z",
  "published": "2022-07-01T00:01:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34805"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/skype-im-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2160"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Plaintext Storage of a Password in Jenkins Skype notifier Plugin"
}

GHSA-GX4C-QRX5-9W6F

Vulnerability from github – Published: 2023-05-23 00:30 – Updated: 2024-04-04 04:16
VLAI
Details

The Dataprobe cloud usernames and passwords are stored in plain text in a specific file. Any user able to read this specific file from the device could compromise other devices connected to the user's cloud.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4945"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-22T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The Dataprobe cloud usernames and passwords are stored in plain text in a specific file. Any user able to read this specific file from the device could compromise other devices connected to the user\u0027s cloud.",
  "id": "GHSA-gx4c-qrx5-9w6f",
  "modified": "2024-04-04T04:16:56Z",
  "published": "2023-05-23T00:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4945"
    },
    {
      "type": "WEB",
      "url": "https://dataprobe.com/support/iboot-pdu/local_upgrade_pdu_procedure.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-263-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H3M5-P59H-X88P

Vulnerability from github – Published: 2026-03-31 23:42 – Updated: 2026-03-31 23:42
VLAI
Summary
openssl-encrypt has visible password in process list via --password CLI argument
Details

Summary

Passwords passed via the --password / -p CLI argument in openssl_encrypt/modules/crypt_cli_subparser.py at lines 150-154 are visible to any user on the system via ps aux or /proc/[pid]/cmdline.

Affected Code

subparser.add_argument(
    "--password", "-p",
    help="Password (will prompt if not provided, or use CRYPT_PASSWORD environment variable)",
)

Similarly, --keystore-password exposes the keystore password.

Impact

On multi-user systems, any user can observe the encryption password by listing processes. The CRYPT_PASSWORD environment variable alternative is also visible via /proc/[pid]/environ (though with slightly restricted access).

Recommended Fix

  • Document the security implications prominently
  • Recommend interactive prompting (already supported) as the secure default
  • Consider supporting password file descriptors (--password-fd) or reading from stdin
  • Consider marking the argument as deprecated in favor of interactive prompting

Fix

Fixed in commit e78a366 on branch releases/1.4.x — added --password-file and --password-fd arguments; added OPENSSL_ENCRYPT_PASSWORD env var support; --password now emits deprecation warning.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "openssl-encrypt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:42:17Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nPasswords passed via the `--password` / `-p` CLI argument in `openssl_encrypt/modules/crypt_cli_subparser.py` at **lines 150-154** are visible to any user on the system via `ps aux` or `/proc/[pid]/cmdline`.\n\n### Affected Code\n\n```python\nsubparser.add_argument(\n    \"--password\", \"-p\",\n    help=\"Password (will prompt if not provided, or use CRYPT_PASSWORD environment variable)\",\n)\n```\n\nSimilarly, `--keystore-password` exposes the keystore password.\n\n### Impact\n\nOn multi-user systems, any user can observe the encryption password by listing processes. The `CRYPT_PASSWORD` environment variable alternative is also visible via `/proc/[pid]/environ` (though with slightly restricted access).\n\n### Recommended Fix\n\n- Document the security implications prominently\n- Recommend interactive prompting (already supported) as the secure default\n- Consider supporting password file descriptors (`--password-fd`) or reading from stdin\n- Consider marking the argument as deprecated in favor of interactive prompting\n\n### Fix\n\nFixed in commit `e78a366` on branch `releases/1.4.x` \u2014 added --password-file and --password-fd arguments; added OPENSSL_ENCRYPT_PASSWORD env var support; --password now emits deprecation warning.",
  "id": "GHSA-h3m5-p59h-x88p",
  "modified": "2026-03-31T23:42:17Z",
  "published": "2026-03-31T23:42:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-h3m5-p59h-x88p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jahlives/openssl_encrypt/commit/e78a3666e4592f3538adaaa6be8f5f04356174db"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jahlives/openssl_encrypt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "openssl-encrypt has visible password in process list via --password CLI argument"
}

GHSA-H4X7-365Q-3RM3

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

In version 0.0.14 of transformeroptimus/superagi, the API endpoint /api/users/get/{id} returns the user's password in plaintext. This vulnerability allows an attacker to retrieve the password of another user, leading to potential account takeover.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9418"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:48Z",
    "severity": "MODERATE"
  },
  "details": "In version 0.0.14 of transformeroptimus/superagi, the API endpoint `/api/users/get/{id}` returns the user\u0027s password in plaintext. This vulnerability allows an attacker to retrieve the password of another user, leading to potential account takeover.",
  "id": "GHSA-h4x7-365q-3rm3",
  "modified": "2025-03-20T12:32:51Z",
  "published": "2025-03-20T12:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9418"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/9a8118a2-ea32-41f5-b501-fef4f31d8213"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.