Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-H932-5CW5-54J3

Vulnerability from github – Published: 2025-11-28 15:30 – Updated: 2025-11-28 18:30
VLAI
Details

Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 1.0.0 through 2.13.0.

Users are recommended to upgrade to version 2.14.0, which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59792"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-28T15:16:03Z",
    "severity": "MODERATE"
  },
  "details": "Reveals plaintext credentials in the MONITOR command vulnerability in Apache Kvrocks.\n\nThis issue affects Apache Kvrocks: from 1.0.0 through 2.13.0.\n\nUsers are recommended to upgrade to version 2.14.0, which fixes the issue.",
  "id": "GHSA-h932-5cw5-54j3",
  "modified": "2025-11-28T18:30:23Z",
  "published": "2025-11-28T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59792"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/h2pcvr5p9otc7dnj2dt2nr4b3omghddw"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/11/28/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HCM8-3CV3-G73F

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-06-29 00:00
VLAI
Details

The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. This may include a cleartext password in some configurations. In general, it includes the user's existence, uid and gids, home and/or Maildir directory, quota, and some type of password information (such as a hash).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-28374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-15T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. This may include a cleartext password in some configurations. In general, it includes the user\u0027s existence, uid and gids, home and/or Maildir directory, quota, and some type of password information (such as a hash).",
  "id": "GHSA-hcm8-3cv3-g73f",
  "modified": "2022-06-29T00:00:49Z",
  "published": "2022-05-24T17:44:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28374"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/984810"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00011.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HCPH-762F-FP48

Vulnerability from github – Published: 2023-10-14 06:30 – Updated: 2024-04-04 08:38
VLAI
Details

An issue in ZPE Systems, Inc Nodegrid OS v.5.8.10 thru v.5.8.13 and v.5.10.3 thru v.5.10.5 allows a remote attacker to obtain sensitive information via the TACACS+ server component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44037"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-14T05:15:55Z",
    "severity": "HIGH"
  },
  "details": "An issue in ZPE Systems, Inc Nodegrid OS v.5.8.10 thru v.5.8.13 and v.5.10.3 thru v.5.10.5 allows a remote attacker to obtain sensitive information via the TACACS+ server component.",
  "id": "GHSA-hcph-762f-fp48",
  "modified": "2024-04-04T08:38:34Z",
  "published": "2023-10-14T06:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44037"
    },
    {
      "type": "WEB",
      "url": "https://psirt.zpesystems.com/portal/en/kb/articles/security-advisory-zpe-ng-2023-002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HCR7-GGWP-P696

Vulnerability from github – Published: 2025-12-10 21:31 – Updated: 2025-12-17 18:31
VLAI
Details

SpinetiX Fusion Digital Signage 3.4.8 contains an unauthenticated information disclosure vulnerability in the database backup directory. Attackers can access the /content/files/backups/ endpoint to download sensitive backup files containing user credentials and system information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-36887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-10T21:16:01Z",
    "severity": "HIGH"
  },
  "details": "SpinetiX Fusion Digital Signage 3.4.8 contains an unauthenticated information disclosure vulnerability in the database backup directory. Attackers can access the /content/files/backups/ endpoint to download sensitive backup files containing user credentials and system information.",
  "id": "GHSA-hcr7-ggwp-p696",
  "modified": "2025-12-17T18:31:33Z",
  "published": "2025-12-10T21:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36887"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/48845"
    },
    {
      "type": "WEB",
      "url": "https://www.spinetix.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/spinetix-fusion-digital-signage-unauthenticated-database-backup-disclosure"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5593.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HF72-J4P7-QJV2

Vulnerability from github – Published: 2022-03-29 00:01 – Updated: 2022-04-01 00:00
VLAI
Details

3CX System through 2022-03-17 stores cleartext passwords in a database.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-28T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "3CX System through 2022-03-17 stores cleartext passwords in a database.",
  "id": "GHSA-hf72-j4p7-qjv2",
  "modified": "2022-04-01T00:00:48Z",
  "published": "2022-03-29T00:01:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45491"
    },
    {
      "type": "WEB",
      "url": "https://www.3cx.com/community/forums/posts-articles-news"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/166386/3CX-Phone-System-Cleartext-Passwords.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HFVJ-W63F-MC9J

Vulnerability from github – Published: 2025-03-28 15:31 – Updated: 2025-03-28 15:31
VLAI
Details

The lack of encryption in the DuoxMe (formerly Blue) application binary in versions prior to 3.3.1 for iOS devices allows an attacker to gain unauthorised access to the application code and discover sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2909"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-28T13:15:41Z",
    "severity": "MODERATE"
  },
  "details": "The lack of encryption in the DuoxMe (formerly Blue) application binary in versions prior to 3.3.1 for iOS devices allows an attacker to gain unauthorised access to the application code and discover sensitive information.",
  "id": "GHSA-hfvj-w63f-mc9j",
  "modified": "2025-03-28T15:31:55Z",
  "published": "2025-03-28T15:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2909"
    },
    {
      "type": "WEB",
      "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-fermax-mobile-applications"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-HFX7-V8G3-WM7Q

Vulnerability from github – Published: 2023-04-11 09:30 – Updated: 2024-04-04 03:23
VLAI
Details

CENTUM series provided by Yokogawa Electric Corporation are vulnerable to cleartext storage of sensitive information. If an attacker who can login or access the computer where the affected product is installed tampers the password file stored in the computer, the user privilege which CENTUM managed may be escalated. As a result, the control system may be operated with the escalated user privilege. To exploit this vulnerability, the following prerequisites must be met: (1)An attacker has obtained user credentials where the affected product is installed, (2)CENTUM Authentication Mode is used for user authentication when CENTUM VP is used. The affected products and versions are as follows: CENTUM CS 1000, CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class) R2.01.00 to R3.09.50, CENTUM VP (Including CENTUM VP Entry Class) R4.01.00 to R4.03.00, R5.01.00 to R5.04.20, and R6.01.00 and later, B/M9000 CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R7.04.51 and R8.01.01 and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-26593"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-11T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "CENTUM series provided by Yokogawa Electric Corporation are vulnerable to cleartext storage of sensitive information. If an attacker who can login or access the computer where the affected product is installed tampers the password file stored in the computer, the user privilege which CENTUM managed may be escalated. As a result, the control system may be operated with the escalated user privilege. To exploit this vulnerability, the following prerequisites must be met: (1)An attacker has obtained user credentials where the affected product is installed, (2)CENTUM Authentication Mode is used for user authentication when CENTUM VP is used. The affected products and versions are as follows: CENTUM CS 1000, CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class) R2.01.00 to R3.09.50, CENTUM VP (Including CENTUM VP Entry Class) R4.01.00 to R4.03.00, R5.01.00 to R5.04.20, and R6.01.00 and later, B/M9000 CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R7.04.51 and R8.01.01 and later",
  "id": "GHSA-hfx7-v8g3-wm7q",
  "modified": "2024-04-04T03:23:49Z",
  "published": "2023-04-11T09:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26593"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU98775218"
    },
    {
      "type": "WEB",
      "url": "https://www.yokogawa.com/library/resources/white-papers/yokogawa-security-advisory-report-list"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHHH-69QP-5P2V

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2023-10-27 15:45
VLAI
Summary
Jenkins Fortify on Demand Plugin stores credentials in plain text
Details

Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:fortify-on-demand-uploader"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-27T15:45:23Z",
    "nvd_published_at": "2019-10-16T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Fortify on Demand Plugin stores credentials unencrypted in job `config.xml` files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.",
  "id": "GHSA-hhhh-69qp-5p2v",
  "modified": "2023-10-27T15:45:23Z",
  "published": "2022-05-24T16:58:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10449"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/fortify-on-demand-uploader-plugin/commit/277642040362bcc64df163bfc1ab48f7763c2853"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/fortify-on-demand-uploader-plugin/commit/83b23662dc0ce9486b904e282bd8047496730819"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/fortify-on-demand-uploader-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1433"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Fortify on Demand Plugin stores credentials in plain text"
}

GHSA-HM3F-FWMW-7G2J

Vulnerability from github – Published: 2023-01-20 18:30 – Updated: 2023-01-26 21:30
VLAI
Details

In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-20T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.",
  "id": "GHSA-hm3f-fwmw-7g2j",
  "modified": "2023-01-26T21:30:31Z",
  "published": "2023-01-20T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38112"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-1_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38112"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HMCH-9947-82RJ

Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2023-09-26 18:55
VLAI
Summary
Magento 2 Community Edition Weak Cryptography
Details

Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-8118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-18T17:45:01Z",
    "nvd_published_at": "2019-11-05T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts.",
  "id": "GHSA-hmch-9947-82rj",
  "modified": "2023-09-26T18:55:15Z",
  "published": "2022-05-24T17:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8118"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8118.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/magento/magento2"
    },
    {
      "type": "WEB",
      "url": "https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Magento 2 Community Edition Weak Cryptography"
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.