Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-85Q4-JRG3-8HQC

Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01
VLAI
Details

An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and stats.log files. NOTE: updating the product does not automatically address leaks that occurred in the past.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-10T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Couchbase Server before 6.0.5, 6.1.x through 6.5.x before 6.5.2, and 6.6.x before 6.6.1. An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and stats.log files. NOTE: updating the product does not automatically address leaks that occurred in the past.",
  "id": "GHSA-85q4-jrg3-8hqc",
  "modified": "2022-05-24T19:01:55Z",
  "published": "2022-05-24T19:01:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25645"
    },
    {
      "type": "WEB",
      "url": "https://www.couchbase.com/downloads"
    },
    {
      "type": "WEB",
      "url": "https://www.couchbase.com/resources/security#SecurityAlerts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-85V8-MQQR-6QH5

Vulnerability from github – Published: 2025-07-18 00:30 – Updated: 2026-02-02 15:30
VLAI
Details

A vulnerability in the ascgshell, of Brocade ASCG before 3.3.0 stores any command executed in the Command Line Interface (CLI) in plain text within the command history. A local authenticated user that can access sensitive information like passwords within the CLI history leading to unauthorized access and potential data breaches.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7397"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-17T22:15:27Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the ascgshell, of \nBrocade ASCG before 3.3.0 stores any command executed in the Command \nLine Interface (CLI) in plain text within the command history. A local \nauthenticated user that can access sensitive information like passwords \nwithin the CLI history leading to unauthorized access and potential data\n breaches.",
  "id": "GHSA-85v8-mqqr-6qh5",
  "modified": "2026-02-02T15:30:32Z",
  "published": "2025-07-18T00:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7397"
    },
    {
      "type": "WEB",
      "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35949"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-86R4-GCFX-WV72

Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-20 12:00
VLAI
Details

An issue has been discovered in hunter2 affecting all versions before 2.1.0. Improper handling of auto-completion input allows an authenticated attacker to extract other users email addresses

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-17T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in hunter2 affecting all versions before 2.1.0. Improper handling of auto-completion input allows an authenticated attacker to extract other users email addresses",
  "id": "GHSA-86r4-gcfx-wv72",
  "modified": "2022-10-20T12:00:17Z",
  "published": "2022-10-17T19:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3540"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3540.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/hunter2.app/hunter2/-/issues/529"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8733-RHX2-3GXR

Vulnerability from github – Published: 2023-09-13 15:31 – Updated: 2024-04-04 07:39
VLAI
Details

A cleartext storage of sensitive information vulnerability [CWE-312] in FortiTester 2.3.0 through 7.2.3 may allow an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40715"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-13T13:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A cleartext storage of sensitive information vulnerability [CWE-312] in\u00a0FortiTester\u00a02.3.0 through 7.2.3 may allow\u00a0an attacker with access to the DB contents to retrieve the plaintext password of external servers configured in the device.",
  "id": "GHSA-8733-rhx2-3gxr",
  "modified": "2024-04-04T07:39:14Z",
  "published": "2023-09-13T15:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40715"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-22-465"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8772-675X-8FVX

Vulnerability from github – Published: 2022-05-02 03:26 – Updated: 2025-04-09 04:09
VLAI
Details

src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used with unspecified third-party PKCS#11 modules, generates RSA keys with incorrect public exponents, which allows attackers to read the cleartext form of messages that were intended to be encrypted.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-1603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-05-11T16:30:00Z",
    "severity": "MODERATE"
  },
  "details": "src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used with unspecified third-party PKCS#11 modules, generates RSA keys with incorrect public exponents, which allows attackers to read the cleartext form of messages that were intended to be encrypted.",
  "id": "GHSA-8772-675x-8fvx",
  "modified": "2025-04-09T04:09:40Z",
  "published": "2022-05-02T03:26:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1603"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00095.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00097.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01420.html"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01432.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/35035"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/35293"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/35309"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/36074"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200908-01.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:123"
    },
    {
      "type": "WEB",
      "url": "http://www.opensc-project.org/pipermail/opensc-announce/2009-May/000025.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2009/05/08/1"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/1295"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8886-48WG-HX3V

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

An issue was discovered in the view_statistics (aka View frontend statistics) extension before 2.0.1 for TYPO3. It saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g., cleartext passwords if ext:felogin is installed) may be saved.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28917"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-18T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the view_statistics (aka View frontend statistics) extension before 2.0.1 for TYPO3. It saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g., cleartext passwords if ext:felogin is installed) may be saved.",
  "id": "GHSA-8886-48wg-hx3v",
  "modified": "2022-05-24T17:34:34Z",
  "published": "2022-05-24T17:34:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28917"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2020-019"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-899F-9GPG-R429

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-157474195

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-10T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-157474195",
  "id": "GHSA-899f-9gpg-r429",
  "modified": "2022-05-24T17:41:44Z",
  "published": "2022-05-24T17:41:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0337"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2021-02-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-89FF-5HGP-6W8J

Vulnerability from github – Published: 2023-12-26 09:30 – Updated: 2024-01-02 21:30
VLAI
Details

The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-26T08:15:11Z",
    "severity": "MODERATE"
  },
  "details": "The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form. As a result, the Secret access key for external service may be obtained by an attacker who can access the App Settings page.",
  "id": "GHSA-89ff-5hgp-6w8j",
  "modified": "2024-01-02T21:30:25Z",
  "published": "2023-12-26T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50294"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN18715935"
    },
    {
      "type": "WEB",
      "url": "https://weseek.co.jp/ja/news/2023/11/21/growi-prevent-xss6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CMP-CRM3-JRH4

Vulnerability from github – Published: 2022-09-30 00:00 – Updated: 2022-09-30 00:00
VLAI
Details

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/etc/default/axess permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-15332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-29T03:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has weak /opt/axess/etc/default/axess permissions.",
  "id": "GHSA-8cmp-crm3-jrh4",
  "modified": "2022-09-30T00:00:33Z",
  "published": "2022-09-30T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15332"
    },
    {
      "type": "WEB",
      "url": "https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zyxel.com/support/vulnerabilities-of-CloudCNM-SecuManager.shtml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8CXR-CQ5C-VWMW

Vulnerability from github – Published: 2023-01-13 03:30 – Updated: 2023-01-24 18:30
VLAI
Details

NVIDIA BMC stores user passwords in an obfuscated form in a database accessible by the host. This may lead to a credentials exposure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42284"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-13T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA BMC stores user passwords in an obfuscated form in a database accessible by the host. This may lead to a credentials exposure.",
  "id": "GHSA-8cxr-cq5c-vwmw",
  "modified": "2023-01-24T18:30:32Z",
  "published": "2023-01-13T03:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42284"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5435"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.