Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

397 vulnerabilities reference this CWE, most recent first.

GHSA-XFXV-HQVJ-FPFC

Vulnerability from github – Published: 2022-06-03 00:00 – Updated: 2022-06-14 00:00
VLAI
Details

PowerStore contains Plain-Text Password Storage Vulnerability in PowerStore X & T environments running versions 2.0.0.x and 2.0.1.x A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22557"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-287",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-02T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "PowerStore contains Plain-Text Password Storage Vulnerability in PowerStore X \u0026 T environments running versions 2.0.0.x and 2.0.1.x A locally authenticated attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.",
  "id": "GHSA-xfxv-hqvj-fpfc",
  "modified": "2022-06-14T00:00:29Z",
  "published": "2022-06-03T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22557"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000196367"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XG8P-CP7F-CPHX

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2023-12-14 18:09
VLAI
Summary
DingTalk Plugin stores credentials in plain text
Details

Jenkins Dingding notifications Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.plugins:dingding-notifications"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-14T18:09:56Z",
    "nvd_published_at": "2019-10-01T14:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins Dingding notifications Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.",
  "id": "GHSA-xg8p-cp7f-cphx",
  "modified": "2023-12-14T18:09:56Z",
  "published": "2022-05-24T16:57:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10433"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/dingtalk-plugin/commit/b2d4b3ecd2f467ae344eef55d8b51ae765d054a0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/dingtalk-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1423"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-862"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/10/01/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DingTalk Plugin stores credentials in plain text"
}

GHSA-XGM5-HF6V-855X

Vulnerability from github – Published: 2026-04-09 21:31 – Updated: 2026-04-16 21:31
VLAI
Details

OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-35556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-09T19:16:25Z",
    "severity": "CRITICAL"
  },
  "details": "OpenPLC_V3 is vulnerable to a Plaintext Storage of a Password vulnerability that could allow an attacker to retrieve credentials and access sensitive information.",
  "id": "GHSA-xgm5-hf6v-855x",
  "modified": "2026-04-16T21:31:10Z",
  "published": "2026-04-09T21:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35556"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XPWG-9VRV-HQ2J

Vulnerability from github – Published: 2024-08-05 06:30 – Updated: 2024-08-30 18:30
VLAI
Details

A Plaintext Storage of a Password vulnerability in ebooknote function in Hamastar MeetingHub Paperless Meetings 2021 allows remote attackers to obtain the other users’ credentials and gain access to the product via an XML file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-05T05:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "A Plaintext Storage of a Password vulnerability in ebooknote function in Hamastar MeetingHub Paperless Meetings 2021 allows remote attackers to obtain the other users\u2019 credentials and gain access to the product via an XML file.",
  "id": "GHSA-xpwg-9vrv-hq2j",
  "modified": "2024-08-30T18:30:37Z",
  "published": "2024-08-05T06:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6118"
    },
    {
      "type": "WEB",
      "url": "https://zuso.ai/advisory/za-2024-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XR26-QPHW-JCG8

Vulnerability from github – Published: 2023-04-19 12:30 – Updated: 2024-04-04 03:35
VLAI
Details

Plaintext Storage of a Password vulnerability in Secomea GateManager (USB wizard) allows Authentication abuse on SiteManager, if the generated file is leaked.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4308"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-19T12:15:07Z",
    "severity": "HIGH"
  },
  "details": "Plaintext Storage of a Password vulnerability in Secomea GateManager (USB wizard) allows Authentication abuse on SiteManager, if the generated file is leaked.",
  "id": "GHSA-xr26-qphw-jcg8",
  "modified": "2024-04-04T03:35:08Z",
  "published": "2023-04-19T12:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4308"
    },
    {
      "type": "WEB",
      "url": "https://www.secomea.com/support/cybersecurity-advisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XR37-PJFH-QWWC

Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2022-12-19 21:15
VLAI
Summary
Fortify Plugin stored credentials in plain text
Details

Fortify Plugin 19.1.29 and earlier stored its proxy server password unencrypted in job config.xml files. This password could be read by users with the Extended Read permission.

Fortify Plugin 19.2.30 now encrypts the proxy server password.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 19.1.29"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:fortify"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "19.2.30"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-19T21:15:04Z",
    "nvd_published_at": "2020-01-29T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Fortify Plugin 19.1.29 and earlier stored its proxy server password unencrypted in job `config.xml` files. This password could be read by users with the Extended Read permission.\n\nFortify Plugin 19.2.30 now encrypts the proxy server password.",
  "id": "GHSA-xr37-pjfh-qwwc",
  "modified": "2022-12-19T21:15:04Z",
  "published": "2022-05-24T17:07:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2107"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/fortify-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1565"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/01/29/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fortify Plugin stored credentials in plain text"
}

GHSA-XV58-GP43-6M76

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2023-01-14 05:23
VLAI
Summary
Credentials stored in plain text by Zephyr Enterprise Test Management Plugin
Details

Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins controller file system.

Zephyr Enterprise Test Management Plugin 1.10 integrates with Credentials Plugin.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:zephyr-enterprise-test-management"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-14T05:23:40Z",
    "nvd_published_at": "2020-03-09T16:15:00Z",
    "severity": "LOW"
  },
  "details": "Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file `com.thed.zephyr.jenkins.reporter.ZeeReporter.xml`. This password can be viewed by users with access to the Jenkins controller file system.\n\nZephyr Enterprise Test Management Plugin 1.10 integrates with [Credentials Plugin](https://plugins.jenkins.io/credentials).",
  "id": "GHSA-xv58-gp43-6m76",
  "modified": "2023-01-14T05:23:40Z",
  "published": "2022-05-24T17:10:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2145"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1596"
    },
    {
      "type": "PACKAGE",
      "url": "https://plugins.jenkins.io/zephyr-enterprise-test-management"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Credentials stored in plain text by Zephyr Enterprise Test Management Plugin"
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.