CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-3WG5-X88W-52FJ
Vulnerability from github – Published: 2024-10-09 18:31 – Updated: 2024-10-17 06:30A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.
{
"affected": [],
"aliases": [
"CVE-2024-9466"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-09T17:15:20Z",
"severity": "HIGH"
},
"details": "A cleartext storage of sensitive information vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials.",
"id": "GHSA-3wg5-x88w-52fj",
"modified": "2024-10-17T06:30:32Z",
"published": "2024-10-09T18:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9466"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/PAN-SA-2024-0010"
},
{
"type": "WEB",
"url": "https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Red",
"type": "CVSS_V4"
}
]
}
GHSA-3X9H-3P7M-33M7
Vulnerability from github – Published: 2022-05-17 04:56 – Updated: 2025-03-13 19:18The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authenticated users to obtain sensitive information (cleartext passwords) by reading the value in the sonar.sonarPassword parameter from jenkins/configure.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:sonar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-5676"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-13T19:18:38Z",
"nvd_published_at": "2013-12-13T18:55:00Z",
"severity": "MODERATE"
},
"details": "The Jenkins Plugin for SonarQube 3.7 and earlier allows remote authenticated users to obtain sensitive information (cleartext passwords) by reading the value in the sonar.sonarPassword parameter from jenkins/configure.",
"id": "GHSA-3x9h-3p7m-33m7",
"modified": "2025-03-13T19:18:38Z",
"published": "2022-05-17T04:56:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5676"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/sonarqube-plugin"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2013/Dec/37"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jenkins SonarQube Plugin Stores Passwords in Cleartext"
}
GHSA-3X9J-7F53-54F5
Vulnerability from github – Published: 2024-12-05 15:31 – Updated: 2024-12-05 15:31This vulnerability exists in the Tinxy mobile app due to storage of logged-in user information in plaintext on the device database. An attacker with physical access to the rooted device could exploit this vulnerability by accessing its database leading to unauthorized access of user information such as username, email address and mobile number.
{
"affected": [],
"aliases": [
"CVE-2024-12094"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-05T13:15:05Z",
"severity": "MODERATE"
},
"details": "This vulnerability exists in the Tinxy mobile app due to storage of logged-in user information in plaintext on the device database. An attacker with physical access to the rooted device could exploit this vulnerability by accessing its database leading to unauthorized access of user information such as username, email address and mobile number.",
"id": "GHSA-3x9j-7f53-54f5",
"modified": "2024-12-05T15:31:01Z",
"published": "2024-12-05T15:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12094"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0355"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-42WF-QRFC-C5M5
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2024-01-09 12:30A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The FTP service of the SiNVR 3 Central Control Server (CCS) maintains a log file that stores login credentials in cleartext. In configurations where the FTP service is enabled, authenticated remote attackers could extract login credentials of other users of the service.
{
"affected": [],
"aliases": [
"CVE-2019-19291"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-313"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-10T20:15:00Z",
"severity": "LOW"
},
"details": "A vulnerability has been identified in SiNVR 3 Central Control Server (CCS) (all versions), SiNVR 3 Video Server (all versions). The FTP service of the SiNVR 3 Central Control Server (CCS) maintains a log file that stores login credentials in cleartext. In configurations where the FTP service is enabled, authenticated remote attackers could extract login credentials of other users of the service.",
"id": "GHSA-42wf-qrfc-c5m5",
"modified": "2024-01-09T12:30:35Z",
"published": "2022-05-24T17:10:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19291"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-761844.pdf"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-844761.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4328-WGFC-675C
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37NCH Express Accounts 8.24 and earlier allows local users to discover the cleartext password by reading the configuration file.
{
"affected": [],
"aliases": [
"CVE-2020-13473"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-28T22:15:00Z",
"severity": "MODERATE"
},
"details": "NCH Express Accounts 8.24 and earlier allows local users to discover the cleartext password by reading the configuration file.",
"id": "GHSA-4328-wgfc-675c",
"modified": "2022-05-24T17:37:22Z",
"published": "2022-05-24T17:37:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13473"
},
{
"type": "WEB",
"url": "https://cvewalkthrough.com/cve-2020-13473-nch-account-clear-text-password-storage"
},
{
"type": "WEB",
"url": "https://tejaspingulkar.blogspot.com/2020/12/cve-2020-13473-nch-account-clear-text.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4332-PV86-8249
Vulnerability from github – Published: 2025-10-10 09:30 – Updated: 2025-10-10 09:30Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access sensitive data. User interaction is required for triggering this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-21061"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-10T07:15:42Z",
"severity": "HIGH"
},
"details": "Cleartext storage of sensitive information in Smart Switch prior to version 3.7.67.2 allows local attackers to access sensitive data. User interaction is required for triggering this vulnerability.",
"id": "GHSA-4332-pv86-8249",
"modified": "2025-10-10T09:30:48Z",
"published": "2025-10-10T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21061"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2025\u0026month=10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-433P-QQ24-G8Q3
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31Successful exploitation of the vulnerability could allow an attacker to intercept data and conduct session hijacking on the exposed data as the vulnerable product uses unencrypted HTTP communication, potentially leading to unauthorised access or data tampering.
{
"affected": [],
"aliases": [
"CVE-2025-48463"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T03:15:33Z",
"severity": "LOW"
},
"details": "Successful exploitation of the vulnerability could allow an attacker to intercept data and conduct session hijacking on the exposed data as the vulnerable product uses unencrypted HTTP communication, potentially leading to unauthorised access or data tampering.",
"id": "GHSA-433p-qq24-g8q3",
"modified": "2025-06-26T21:31:04Z",
"published": "2025-06-26T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48463"
},
{
"type": "WEB",
"url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-43CG-C28C-82HQ
Vulnerability from github – Published: 2022-09-30 00:00 – Updated: 2022-10-01 00:00IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which allows local users to obtain sensitive information by reading a file.
{
"affected": [],
"aliases": [
"CVE-2015-1931"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-29T03:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Java Security Components in IBM SDK, Java Technology Edition 8 before SR1 FP10, 7 R1 before SR3 FP10, 7 before SR9 FP10, 6 R1 before SR8 FP7, 6 before SR16 FP7, and 5.0 before SR16 FP13 stores plaintext information in memory dumps, which allows local users to obtain sensitive information by reading a file.",
"id": "GHSA-43cg-c28c-82hq",
"modified": "2022-10-01T00:00:26Z",
"published": "2022-09-30T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1931"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00051.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00014.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1485.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1486.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1488.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1544.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-1604.html"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IV75182"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21962302"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/75985"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-43MV-F787-VP98
Vulnerability from github – Published: 2022-05-01 23:41 – Updated: 2024-02-14 18:30phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) password, and the (3) Blowfish secret key, in cleartext in a Session file under /tmp, which allows local users to obtain sensitive information.
{
"affected": [],
"aliases": [
"CVE-2008-1567"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-03-31T22:44:00Z",
"severity": "LOW"
},
"details": "phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) password, and the (3) Blowfish secret key, in cleartext in a Session file under /tmp, which allows local users to obtain sensitive information.",
"id": "GHSA-43mv-f787-vp98",
"modified": "2024-02-14T18:30:23Z",
"published": "2022-05-01T23:41:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1567"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41541"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00031.html"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00080.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29588"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29613"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29964"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/30816"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/32834"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33822"
},
{
"type": "WEB",
"url": "http://sourceforge.net/tracker/index.php?func=detail\u0026aid=1909711\u0026group_id=23067\u0026atid=377408"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2008/dsa-1557"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:131"
},
{
"type": "WEB",
"url": "http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/28560"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2008/1037/references"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-45HR-8GQ6-7F7F
Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:02Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:nouvola-divecloud"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.08"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53670"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T21:44:10Z",
"nvd_published_at": "2025-07-09T16:15:26Z",
"severity": "MODERATE"
},
"details": "Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.",
"id": "GHSA-45hr-8gq6-7f7f",
"modified": "2025-11-05T20:02:20Z",
"published": "2025-07-09T18:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53670"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/nouvola-divecloud-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3526"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Nouvola DiveCloud Plugin vulnerability stores unencrypted credentials"
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.