CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-85Q4-JRG3-8HQC
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and stats.log files. NOTE: updating the product does not automatically address leaks that occurred in the past.
{
"affected": [],
"aliases": [
"CVE-2021-25645"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-10T13:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and stats.log files. NOTE: updating the product does not automatically address leaks that occurred in the past.",
"id": "GHSA-85q4-jrg3-8hqc",
"modified": "2022-05-24T19:01:55Z",
"published": "2022-05-24T19:01:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25645"
},
{
"type": "WEB",
"url": "https://www.couchbase.com/downloads"
},
{
"type": "WEB",
"url": "https://www.couchbase.com/resources/security#SecurityAlerts"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-85V8-MQQR-6QH5
Vulnerability from github – Published: 2025-07-18 00:30 – Updated: 2026-02-02 15:30A vulnerability in the ascgshell, of Brocade ASCG before 3.3.0 stores any command executed in the Command Line Interface (CLI) in plain text within the command history. A local authenticated user that can access sensitive information like passwords within the CLI history leading to unauthorized access and potential data breaches.
{
"affected": [],
"aliases": [
"CVE-2025-7397"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-17T22:15:27Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the ascgshell, of \nBrocade ASCG before 3.3.0 stores any command executed in the Command \nLine Interface (CLI) in plain text within the command history. A local \nauthenticated user that can access sensitive information like passwords \nwithin the CLI history leading to unauthorized access and potential data\n breaches.",
"id": "GHSA-85v8-mqqr-6qh5",
"modified": "2026-02-02T15:30:32Z",
"published": "2025-07-18T00:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7397"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35949"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-86R4-GCFX-WV72
Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-20 12:00An issue has been discovered in hunter2 affecting all versions before 2.1.0. Improper handling of auto-completion input allows an authenticated attacker to extract other users email addresses
{
"affected": [],
"aliases": [
"CVE-2022-3540"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T16:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in hunter2 affecting all versions before 2.1.0. Improper handling of auto-completion input allows an authenticated attacker to extract other users email addresses",
"id": "GHSA-86r4-gcfx-wv72",
"modified": "2022-10-20T12:00:17Z",
"published": "2022-10-17T19:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3540"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3540.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/hunter2.app/hunter2/-/issues/529"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8733-RHX2-3GXR
Vulnerability from github – Published: 2023-09-13 15:31 – Updated: 2024-04-04 07:39A cleartext storage of sensitive information vulnerability [CWE-312] in FortiTester 2.3.0 through 7.2.3 may allow an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device.
{
"affected": [],
"aliases": [
"CVE-2023-40715"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-13T13:15:09Z",
"severity": "MODERATE"
},
"details": "A cleartext storage of sensitive information vulnerability [CWE-312] in\u00a0FortiTester\u00a02.3.0 through 7.2.3 may allow\u00a0an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device.",
"id": "GHSA-8733-rhx2-3gxr",
"modified": "2024-04-04T07:39:14Z",
"published": "2023-09-13T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40715"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-465"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8772-675X-8FVX
Vulnerability from github – Published: 2022-05-02 03:26 – Updated: 2025-04-09 04:09src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used with unspecified third-party PKCS#11 modules, generates RSA keys with incorrect public exponents, which allows attackers to read the cleartext form of messages that were intended to be encrypted.
{
"affected": [],
"aliases": [
"CVE-2009-1603"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-05-11T16:30:00Z",
"severity": "MODERATE"
},
"details": "src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used with unspecified third-party PKCS#11 modules, generates RSA keys with incorrect public exponents, which allows attackers to read the cleartext form of messages that were intended to be encrypted.",
"id": "GHSA-8772-675x-8fvx",
"modified": "2025-04-09T04:09:40Z",
"published": "2022-05-02T03:26:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1603"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00095.html"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00097.html"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01420.html"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01432.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/35035"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/35293"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/35309"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/36074"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200908-01.xml"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:123"
},
{
"type": "WEB",
"url": "http://www.opensc-project.org/pipermail/opensc-announce/2009-May/000025.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2009/05/08/1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/1295"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8886-48WG-HX3V
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34An issue was discovered in the view_statistics (aka View frontend statistics) extension before 2.0.1 for TYPO3. It saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g., cleartext passwords if ext:felogin is installed) may be saved.
{
"affected": [],
"aliases": [
"CVE-2020-28917"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-18T09:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the view_statistics (aka View frontend statistics) extension before 2.0.1 for TYPO3. It saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g., cleartext passwords if ext:felogin is installed) may be saved.",
"id": "GHSA-8886-48wg-hx3v",
"modified": "2022-05-24T17:34:34Z",
"published": "2022-05-24T17:34:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28917"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2020-019"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-899F-9GPG-R429
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-157474195
{
"affected": [],
"aliases": [
"CVE-2021-0337"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-10T17:15:00Z",
"severity": "HIGH"
},
"details": "In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-157474195",
"id": "GHSA-899f-9gpg-r429",
"modified": "2022-05-24T17:41:44Z",
"published": "2022-05-24T17:41:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0337"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2021-02-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-89FF-5HGP-6W8J
Vulnerability from github – Published: 2023-12-26 09:30 – Updated: 2024-01-02 21:30The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.
{
"affected": [],
"aliases": [
"CVE-2023-50294"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-26T08:15:11Z",
"severity": "MODERATE"
},
"details": "The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.",
"id": "GHSA-89ff-5hgp-6w8j",
"modified": "2024-01-02T21:30:25Z",
"published": "2023-12-26T09:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50294"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN18715935"
},
{
"type": "WEB",
"url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8CMP-CRM3-JRH4
Vulnerability from github – Published: 2022-09-30 00:00 – Updated: 2022-09-30 00:00Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/etc/default/axess permissions.
{
"affected": [],
"aliases": [
"CVE-2020-15332"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-29T03:15:00Z",
"severity": "CRITICAL"
},
"details": "Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/etc/default/axess permissions.",
"id": "GHSA-8cmp-crm3-jrh4",
"modified": "2022-09-30T00:00:33Z",
"published": "2022-09-30T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15332"
},
{
"type": "WEB",
"url": "https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/support/vulnerabilities-of-CloudCNM-SecuManager.shtml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8CXR-CQ5C-VWMW
Vulnerability from github – Published: 2023-01-13 03:30 – Updated: 2023-01-24 18:30NVIDIA BMC stores user passwords in an obfuscated form in a database accessible by the host. This may lead to a credentials exposure.
{
"affected": [],
"aliases": [
"CVE-2022-42284"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-13T02:15:00Z",
"severity": "MODERATE"
},
"details": "NVIDIA BMC stores user passwords in an obfuscated form in a database accessible by the host. This may lead to a credentials exposure.",
"id": "GHSA-8cxr-cq5c-vwmw",
"modified": "2023-01-24T18:30:32Z",
"published": "2023-01-13T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42284"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5435"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.