Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-FQ2F-69MJ-R56V

Vulnerability from github – Published: 2023-06-09 21:30 – Updated: 2023-11-08 18:30
VLAI
Details

Bitwarden Desktop v1.20.0 and above stores the biometric key in plaintext which allows a local attacker to decrypt the entire local vault.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-09T19:15:09Z",
    "severity": "HIGH"
  },
  "details": "Bitwarden Desktop v1.20.0 and above stores the biometric key in plaintext which allows a local attacker to decrypt the entire local vault.",
  "id": "GHSA-fq2f-69mj-r56v",
  "modified": "2023-11-08T18:30:30Z",
  "published": "2023-06-09T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27706"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1874155"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitwarden/clients"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/biometric/windows.rs#L19"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bitwarden/clients/blob/8b5a223ad4ca0f89b6c9bcdbddef464d1755d2c0/apps/desktop/desktop_native/src/password/windows.rs#L16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ7J-MJ26-W42X

Vulnerability from github – Published: 2023-07-10 18:30 – Updated: 2026-06-01 15:30
VLAI
Details

Cleartext Storage on Disk in the SICK ICR890-4 could allow an unauthenticated attacker with local access to the device to disclose sensitive information by accessing a SD card.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35699"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-313"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-10T16:15:52Z",
    "severity": "MODERATE"
  },
  "details": "Cleartext Storage on Disk in the SICK ICR890-4 could allow an unauthenticated attacker with local access to the device to disclose sensitive information by accessing a SD card.",
  "id": "GHSA-fq7j-mj26-w42x",
  "modified": "2026-06-01T15:30:31Z",
  "published": "2023-07-10T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35699"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.json"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/.well-known/csaf/white/2023/sca-2023-0006.pdf"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FV54-C959-7HF7

Vulnerability from github – Published: 2023-07-20 12:30 – Updated: 2024-04-04 06:17
VLAI
Details

Wyse Management Suite versions prior to 4.0 contain a sensitive information disclosure vulnerability. An authenticated malicious user having local access to the system running the application could exploit this vulnerability to read sensitive information written to log files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-20T12:15:11Z",
    "severity": "MODERATE"
  },
  "details": "\nWyse Management Suite versions prior to 4.0 contain a sensitive information disclosure vulnerability. An authenticated malicious user having local access to the system running the application could exploit this vulnerability to read sensitive information written to log files.\n\n",
  "id": "GHSA-fv54-c959-7hf7",
  "modified": "2024-04-04T06:17:41Z",
  "published": "2023-07-20T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32483"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000215351/dsa-2023-240-dell-wyse-management-suite"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FV9Q-FQ62-C6QG

Vulnerability from github – Published: 2025-04-02 15:31 – Updated: 2025-04-02 22:48
VLAI
Summary
Jenkins AsakusaSatellite Plugin Stores API Keys Unencrypted in Job `config.xml` Files
Details

Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

As of publication of this advisory, there is no fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.codefirst.jenkins.asakusasatellite:asakusa-satellite-plugin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-31727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-02T22:48:54Z",
    "nvd_published_at": "2025-04-02T15:16:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.\n\nThese API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.\n\nAs of publication of this advisory, there is no fix.",
  "id": "GHSA-fv9q-fq62-c6qg",
  "modified": "2025-04-02T22:48:54Z",
  "published": "2025-04-02T15:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31727"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/asakusa-satellite-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-04-02/#SECURITY-3523"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins AsakusaSatellite Plugin Stores API Keys Unencrypted in Job `config.xml` Files"
}

GHSA-FVJ3-9FPR-FF7M

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_5g.cfg has cleartext passwords and 0644 permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-10T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered on FiberHome HG6245D devices through RP2613. wifictl_5g.cfg has cleartext passwords and 0644 permissions.",
  "id": "GHSA-fvj3-9fpr-ff7m",
  "modified": "2022-05-24T17:41:52Z",
  "published": "2022-05-24T17:41:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27176"
    },
    {
      "type": "WEB",
      "url": "https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#system-credentials-clear-text-files"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FVJ6-V4W6-MMFP

Vulnerability from github – Published: 2025-07-28 18:31 – Updated: 2025-07-28 18:31
VLAI
Details

In JetBrains TeamCity before 2025.07 password exposure was possible via command line in the "hg pull" command

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-28T17:15:34Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains TeamCity before 2025.07 password exposure was possible via command line in the \"hg pull\" command",
  "id": "GHSA-fvj6-v4w6-mmfp",
  "modified": "2025-07-28T18:31:29Z",
  "published": "2025-07-28T18:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54538"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FVX8-V524-8579

Vulnerability from github – Published: 2021-06-04 21:46 – Updated: 2024-09-13 20:13
VLAI
Summary
django-celery-results Stores Sensitive Information In Cleartext
Details

django-celery-results prior to 2.4.0 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.

In version 2.4.0 this is no longer the default behaviour but can be re-enabled with the result_extended flag in which case care should be taken to ensure any sensitive variables are scrubbed - see here for an example.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-celery-results"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-17495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T21:40:19Z",
    "nvd_published_at": "2020-08-11T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "django-celery-results prior to 2.4.0 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.\n\nIn version 2.4.0 this is no longer the default behaviour but can be re-enabled with the `result_extended` flag in which case care should be taken to ensure any sensitive variables are scrubbed - see [here](https://github.com/celery/django-celery-results/issues/154#issuecomment-734706270) for an example.",
  "id": "GHSA-fvx8-v524-8579",
  "modified": "2024-09-13T20:13:25Z",
  "published": "2021-06-04T21:46:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/celery/django-celery-results/issues/142"
    },
    {
      "type": "WEB",
      "url": "https://github.com/celery/django-celery-results/issues/154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/celery/django-celery-results/pull/316"
    },
    {
      "type": "WEB",
      "url": "https://github.com/celery/django-celery-results/commit/ad508fe3433499e5fc94645412d911e174863f28"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fvx8-v524-8579"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/celery/django-celery-results"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-celery-results/PYSEC-2020-38.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "django-celery-results Stores Sensitive Information In Cleartext"
}

GHSA-FWPR-86Q7-7GMV

Vulnerability from github – Published: 2022-04-22 00:24 – Updated: 2024-04-03 23:04
VLAI
Details

qtnx 0.9 stores non-custom SSH keys in a world-readable configuration file. If a user has a world-readable or world-executable home directory, another local system user could obtain the private key used to connect to remote NX sessions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-2916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-15T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "qtnx 0.9 stores non-custom SSH keys in a world-readable configuration file. If a user has a world-readable or world-executable home directory, another local system user could obtain the private key used to connect to remote NX sessions.",
  "id": "GHSA-fwpr-86q7-7gmv",
  "modified": "2024-04-03T23:04:53Z",
  "published": "2022-04-22T00:24:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2916"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2011-2916"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2916"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2011-2916"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FX3V-3576-98M4

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2024-04-04 01:43
VLAI
Details

Dell EMC PowerConnect 8024, 7000, M6348, M6220, M8024 and M8024-K running firmware versions prior to 5.1.15.2 contain a plain-text password storage vulnerability. TACACS\Radius credentials are stored in plain text in the system settings menu. An authenticated malicious user with access to the system settings menu may obtain the exposed password to use it in further attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-3753"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-20T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell EMC PowerConnect 8024, 7000, M6348, M6220, M8024 and M8024-K running firmware versions prior to 5.1.15.2 contain a plain-text password storage vulnerability. TACACS\\Radius credentials are stored in plain text in the system settings menu. An authenticated malicious user with access to the system settings menu may obtain the exposed password to use it in further attacks.",
  "id": "GHSA-fx3v-3576-98m4",
  "modified": "2024-04-04T01:43:31Z",
  "published": "2022-05-24T16:54:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3753"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/article/sln318359"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FXJ7-6V9W-XC76

Vulnerability from github – Published: 2025-12-10 18:30 – Updated: 2025-12-10 20:11
VLAI
Summary
Jenkins's build authorization token is stored and displayed in plain text
Details

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.529"
            },
            {
              "fixed": "2.541"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.528.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-10T20:11:07Z",
    "nvd_published_at": "2025-12-10T17:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.",
  "id": "GHSA-fxj7-6v9w-xc76",
  "modified": "2025-12-10T20:11:07Z",
  "published": "2025-12-10T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67637"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/4710d65339251aaf1d1599f19545db99be24d981"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-12-10/#SECURITY-783"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins\u0027s build authorization token is stored and displayed in plain text"
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.