Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-999W-Q4XC-9WCC

Vulnerability from github – Published: 2023-01-27 15:30 – Updated: 2023-02-04 03:30
VLAI
Details

Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48073"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-27T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.",
  "id": "GHSA-999w-q4xc-9wcc",
  "modified": "2023-02-04T03:30:26Z",
  "published": "2023-01-27T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48073"
    },
    {
      "type": "WEB",
      "url": "https://befitting-vinca-933.notion.site/Phicomm-K2-v22-6-534-263-Sensitive-Information-Disclosure-Vulnerability-530d2415593a400099451d9f0dd7371a"
    },
    {
      "type": "WEB",
      "url": "https://befitting-vinca-933.notion.site/Phicomm-K2G-v22-6-3-20-Sensitive-Information-Disclosure-Vulnerability-8649a75a7ea7455583294e7447145cc6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-99GR-Q2P8-X55M

Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2026-03-27 21:31
VLAI
Details

Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files.

This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-24T07:15:53Z",
    "severity": "MODERATE"
  },
  "details": "Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files. \n\nThis issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025",
  "id": "GHSA-99gr-q2p8-x55m",
  "modified": "2026-03-27T21:31:31Z",
  "published": "2025-07-25T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4394"
    },
    {
      "type": "WEB",
      "url": "https://global.medtronic.com/xg-en/product-security/security-bulletins.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01"
    },
    {
      "type": "WEB",
      "url": "https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-patient-monitor-vulnerabilities.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-99RV-GQRG-P5FC

Vulnerability from github – Published: 2024-07-26 12:35 – Updated: 2024-08-05 21:31
VLAI
Details

This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due lack of encryption in storing of usernames and passwords within the router's firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext credentials on the vulnerable system.

Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41688"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-26T12:15:03Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due lack of encryption in storing of usernames and passwords within the router\u0027s firmware/ database. An attacker with physical access could exploit this by extracting the firmware and reverse engineer the binary data to access the plaintext credentials on the vulnerable system.\n\nSuccessful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted system.",
  "id": "GHSA-99rv-gqrg-p5fc",
  "modified": "2024-08-05T21:31:19Z",
  "published": "2024-07-26T12:35:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41688"
    },
    {
      "type": "WEB",
      "url": "https://cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0225"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9C4X-5HGQ-Q3WH

Vulnerability from github – Published: 2021-12-08 19:52 – Updated: 2021-12-14 15:32
VLAI
Summary
Instance config inline secret exposure in Grafana
Details

Impact

Some inline secrets are exposed in plaintext over the Grafana Agent HTTP server:

  • Inline secrets for metrics instance configs in the base YAML file are exposed at /-/config
  • Inline secrets for integrations are exposed at /-/config
  • Inline secrets for Consul ACL tokens and ETCD basic auth when configured for the scraping service at /-/config.
  • Inline secrets for the Kafka receiver for OpenTelemetry-Collector tracing at /-/config.
  • Inline secrets for metrics instance configs loaded from the scraping service are exposed at /agent/api/v1/configs/{name}.

Inline secrets will be exposed to anyone being able to reach these endpoints.

Secrets found in these sections are used for:

  • Delivering metrics to a Prometheus Remote Write system
  • Authenticating against a system for discovering Prometheus targets
  • Authenticating against a system for collecting metrics (scrape_configs and integrations)
  • Authenticating against a Consul or ETCD for storing configurations to distribute in scraping service mode
  • Authenticating against Kafka for receiving traces

Non-inlined secrets, such as *_file-based secrets, are not impacted by this vulnerability.

Patches

Download v0.20.1 or any version past v0.21.2 to patch Grafana Agent. These patches obfuscate the listed impacted secrets from the vulnerable endpoints.

The patches also disable the endpoints by default. Pass the command-line flag --config.enable-read-api to opt-in and re-enable the endpoints.

Workarounds

If for some reason you cannot upgrade, use non-inline secrets where possible. Not all configuration options may have a non-inline equivalent.

You also may desire to restrict API access to Grafana Agent, with some combination of:

  • Restrict network interfaces Grafana Agent listens on through http_listen_address in the server block. 127.0.0.1 is the most restrictive, 0.0.0.0 is the default.
  • Configure Grafana Agent to use HTTPS with client authentication.
  • Use firewall rules to restrict external access to Grafana Agent's API.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/agent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.14.0"
            },
            {
              "fixed": "0.21.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-08T19:32:31Z",
    "nvd_published_at": "2021-12-08T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nSome inline secrets are exposed in plaintext over the Grafana Agent HTTP server:\n\n* Inline secrets for metrics instance configs in the base YAML file are exposed at `/-/config` \n* Inline secrets for integrations are exposed at `/-/config`\n* Inline secrets for Consul ACL tokens and ETCD basic auth when configured for the scraping service at `/-/config`.\n* Inline secrets for the Kafka receiver for OpenTelemetry-Collector tracing at `/-/config`.\n* Inline secrets for metrics instance configs loaded from the scraping service are exposed at `/agent/api/v1/configs/{name}`.\n\nInline secrets will be exposed to anyone being able to reach these endpoints.\n\nSecrets found in these sections are used for:\n\n* Delivering metrics to a Prometheus Remote Write system \n* Authenticating against a system for discovering Prometheus targets \n* Authenticating against a system for collecting metrics (scrape_configs and integrations)\n* Authenticating against a Consul or ETCD for storing configurations to distribute in scraping service mode \n* Authenticating against Kafka for receiving traces\n\nNon-inlined secrets, such as `*_file`-based secrets, are not impacted by this vulnerability. \n\n### Patches\n\nDownload [v0.20.1](https://github.com/grafana/agent/releases/tag/v0.20.1) or any version past [v0.21.2](https://github.com/grafana/agent/releases/tag/v0.21.2) to patch Grafana Agent. These patches obfuscate the listed impacted secrets from the vulnerable endpoints.\n\nThe patches also disable the endpoints by default. Pass the command-line flag `--config.enable-read-api` to opt-in and re-enable the endpoints.  \n \n### Workarounds\nIf for some reason you cannot upgrade, use non-inline secrets where possible. Not all configuration options may have a non-inline equivalent.\n\nYou also may desire to restrict API access to Grafana Agent, with some combination of:\n\n* Restrict network interfaces Grafana Agent listens on through `http_listen_address` in the `server` block. `127.0.0.1` is the most restrictive, `0.0.0.0` is the default. \n* Configure Grafana Agent to use HTTPS with client authentication. \n* Use firewall rules to restrict external access to Grafana Agent\u0027s API.",
  "id": "GHSA-9c4x-5hgq-q3wh",
  "modified": "2021-12-14T15:32:21Z",
  "published": "2021-12-08T19:52:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grafana/agent/security/advisories/GHSA-9c4x-5hgq-q3wh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41090"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/agent/pull/1152"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/agent/commit/a5479755e946e5c7cddb793ee9adda8f5692ba11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/agent/commit/af7fb01e31fe2d389e5f1c36b399ddc46b412b21"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/agent"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/agent/releases/tag/v0.20.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/agent/releases/tag/v0.21.2"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20211229-0004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Instance config inline secret exposure in Grafana"
}

GHSA-9F3X-2884-FFF7

Vulnerability from github – Published: 2023-01-27 15:30 – Updated: 2023-02-04 03:30
VLAI
Details

Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-48071"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-27T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Phicomm K2 v22.6.534.263 was discovered to store the root and admin passwords in plaintext.",
  "id": "GHSA-9f3x-2884-fff7",
  "modified": "2023-02-04T03:30:26Z",
  "published": "2023-01-27T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48071"
    },
    {
      "type": "WEB",
      "url": "https://befitting-vinca-933.notion.site/Phicomm-K2-v22-6-534-263-Sensitive-Information-Disclosure-Vulnerability-530d2415593a400099451d9f0dd7371a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9G94-M2HG-VJ88

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09
VLAI
Details

Moxa ioLogik 2542-HSPA Series Controllers and IOs, and IOxpress Configuration Utility ioLogik 2500 series firmware, Version 3.0 or lower IOxpress configuration utility, Version 2.3.0 or lower. Sensitive information is stored in configuration files without encryption, which may allow an attacker to access an administrative account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-18238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-26T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Moxa ioLogik 2542-HSPA Series Controllers and IOs, and IOxpress Configuration Utility ioLogik 2500 series firmware, Version 3.0 or lower IOxpress configuration utility, Version 2.3.0 or lower. Sensitive information is stored in configuration files without encryption, which may allow an attacker to access an administrative account.",
  "id": "GHSA-9g94-m2hg-vj88",
  "modified": "2022-05-24T17:09:40Z",
  "published": "2022-05-24T17:09:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18238"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-20-056-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9GGF-9PGF-QPQ9

Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48
VLAI
Details

In Hardware Sentry KM before 10.0.01 for BMC PATROL, a cleartext password may be discovered after a failure or timeout of a command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31791"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-23T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Hardware Sentry KM before 10.0.01 for BMC PATROL, a cleartext password may be discovered after a failure or timeout of a command.",
  "id": "GHSA-9ggf-9pgf-qpq9",
  "modified": "2022-05-24T17:48:44Z",
  "published": "2022-05-24T17:48:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31791"
    },
    {
      "type": "WEB",
      "url": "https://www.sentrysoftware.com/library/releaseNotes/index.html?hardwaresentrykmforpatrol10_0_01releasenotes.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9GGG-37FJ-XC96

Vulnerability from github – Published: 2022-02-17 00:00 – Updated: 2022-03-01 00:01
VLAI
Details

A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threat from this vulnerability is to confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-3551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-16T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threat from this vulnerability is to confidentiality.",
  "id": "GHSA-9ggg-37fj-xc96",
  "modified": "2022-03-01T00:01:08Z",
  "published": "2022-02-17T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3551"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1959971"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-9GXG-3RJH-XV63

Vulnerability from github – Published: 2024-09-26 18:31 – Updated: 2024-09-26 18:31
VLAI
Details

A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-26T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in oVirt. A user with administrator privileges, including users with the ReadOnlyAdmin permission, may be able to use browser developer tools to view Provider passwords in cleartext.",
  "id": "GHSA-9gxg-3rjh-xv63",
  "modified": "2024-09-26T18:31:44Z",
  "published": "2024-09-26T18:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7259"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7259"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2314229"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9H64-8G5H-R7HM

Vulnerability from github – Published: 2025-12-02 15:30 – Updated: 2025-12-02 18:30
VLAI
Details

Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59701"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-02T15:15:55Z",
    "severity": "MODERATE"
  },
  "details": "Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker (with elevated privileges) to read and modify the Appliance SSD contents (because they are unencrypted).",
  "id": "GHSA-9h64-8g5h-r7hm",
  "modified": "2025-12-02T18:30:35Z",
  "published": "2025-12-02T15:30:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/google/security-research/security/advisories/GHSA-6q4x-m86j-gfwj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59701"
    },
    {
      "type": "WEB",
      "url": "https://www.entrust.com/use-case/why-use-an-hsm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.