CWE-256
AllowedPlaintext Storage of a Password
Abstraction: Base · Status: Incomplete
The product stores a password in plaintext within resources such as memory or files.
397 vulnerabilities reference this CWE, most recent first.
GHSA-XFXV-HQVJ-FPFC
Vulnerability from github – Published: 2022-06-03 00:00 – Updated: 2022-06-14 00:00PowerStore contains Plain-Text Password Storage Vulnerability in PowerStore X & T environments running versions 2.0.0.x and 2.0.1.x A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
{
"affected": [],
"aliases": [
"CVE-2022-22557"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-287",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-02T21:15:00Z",
"severity": "HIGH"
},
"details": "PowerStore contains Plain-Text Password Storage Vulnerability in PowerStore X \u0026 T environments running versions 2.0.0.x and 2.0.1.x A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.",
"id": "GHSA-xfxv-hqvj-fpfc",
"modified": "2022-06-14T00:00:29Z",
"published": "2022-06-03T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22557"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000196367"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XG8P-CP7F-CPHX
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2023-12-14 18:09Jenkins Dingding notifications Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.9"
},
"package": {
"ecosystem": "Maven",
"name": "io.jenkins.plugins:dingding-notifications"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10433"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-14T18:09:56Z",
"nvd_published_at": "2019-10-01T14:15:00Z",
"severity": "LOW"
},
"details": "Jenkins Dingding notifications Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.",
"id": "GHSA-xg8p-cp7f-cphx",
"modified": "2023-12-14T18:09:56Z",
"published": "2022-05-24T16:57:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10433"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/dingtalk-plugin/commit/b2d4b3ecd2f467ae344eef55d8b51ae765d054a0"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/dingtalk-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1423"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-862"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/10/01/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "DingTalk Plugin stores credentials in plain text"
}
GHSA-XGM5-HF6V-855X
Vulnerability from github – Published: 2026-04-09 21:31 – Updated: 2026-04-16 21:31OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.
{
"affected": [],
"aliases": [
"CVE-2026-35556"
],
"database_specific": {
"cwe_ids": [
"CWE-256"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-09T19:16:25Z",
"severity": "CRITICAL"
},
"details": "OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.",
"id": "GHSA-xgm5-hf6v-855x",
"modified": "2026-04-16T21:31:10Z",
"published": "2026-04-09T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35556"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XPWG-9VRV-HQ2J
Vulnerability from github – Published: 2024-08-05 06:30 – Updated: 2024-08-30 18:30A Plaintext Storage of a Password vulnerability in ebooknote function in Hamastar MeetingHub Paperless Meetings 2021 allows remote attackers to obtain the other users’ credentials and gain access to the product via an XML file.
{
"affected": [],
"aliases": [
"CVE-2024-6118"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-05T05:15:39Z",
"severity": "CRITICAL"
},
"details": "A Plaintext Storage of a Password vulnerability in ebooknote function in Hamastar MeetingHub Paperless Meetings 2021 allows remote attackers to obtain the other users\u2019 credentials and gain access to the product via an XML file.",
"id": "GHSA-xpwg-9vrv-hq2j",
"modified": "2024-08-30T18:30:37Z",
"published": "2024-08-05T06:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6118"
},
{
"type": "WEB",
"url": "https://zuso.ai/advisory/za-2024-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XR26-QPHW-JCG8
Vulnerability from github – Published: 2023-04-19 12:30 – Updated: 2024-04-04 03:35Plaintext Storage of a Password vulnerability in Secomea GateManager (USB wizard) allows Authentication abuse on SiteManager, if the generated file is leaked.
{
"affected": [],
"aliases": [
"CVE-2022-4308"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-19T12:15:07Z",
"severity": "HIGH"
},
"details": "Plaintext Storage of a Password vulnerability in Secomea GateManager (USB wizard) allows Authentication abuse on SiteManager, if the generated file is leaked.",
"id": "GHSA-xr26-qphw-jcg8",
"modified": "2024-04-04T03:35:08Z",
"published": "2023-04-19T12:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4308"
},
{
"type": "WEB",
"url": "https://www.secomea.com/support/cybersecurity-advisory"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XR37-PJFH-QWWC
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-12-19 21:15Fortify Plugin 19.1.29 and earlier stored its proxy server password unencrypted in job config.xml files. This password could be read by users with the Extended Read permission.
Fortify Plugin 19.2.30 now encrypts the proxy server password.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 19.1.29"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:fortify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "19.2.30"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2107"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-19T21:15:04Z",
"nvd_published_at": "2020-01-29T16:15:00Z",
"severity": "MODERATE"
},
"details": "Fortify Plugin 19.1.29 and earlier stored its proxy server password unencrypted in job `config.xml` files. This password could be read by users with the Extended Read permission.\n\nFortify Plugin 19.2.30 now encrypts the proxy server password.",
"id": "GHSA-xr37-pjfh-qwwc",
"modified": "2022-12-19T21:15:04Z",
"published": "2022-05-24T17:07:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2107"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/fortify-plugin"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1565"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/01/29/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fortify Plugin stored credentials in plain text"
}
GHSA-XV58-GP43-6M76
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2023-01-14 05:23Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins controller file system.
Zephyr Enterprise Test Management Plugin 1.10 integrates with Credentials Plugin.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:zephyr-enterprise-test-management"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2145"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-14T05:23:40Z",
"nvd_published_at": "2020-03-09T16:15:00Z",
"severity": "LOW"
},
"details": "Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file `com.thed.zephyr.jenkins.reporter.ZeeReporter.xml`. This password can be viewed by users with access to the Jenkins controller file system.\n\nZephyr Enterprise Test Management Plugin 1.10 integrates with [Credentials Plugin](https://plugins.jenkins.io/credentials).",
"id": "GHSA-xv58-gp43-6m76",
"modified": "2023-01-14T05:23:40Z",
"published": "2022-05-24T17:10:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2145"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1596"
},
{
"type": "PACKAGE",
"url": "https://plugins.jenkins.io/zephyr-enterprise-test-management"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Credentials stored in plain text by Zephyr Enterprise Test Management Plugin"
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Mitigation
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
No CAPEC attack patterns related to this CWE.