Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-Q6J3-9P27-59XC

Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31
VLAI
Details

A local, low-privileged attacker can learn the password of the connected controller in PLC Designer V4 due to an incorrect implementation that results in the password being displayed in plain text under special conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-25T10:15:22Z",
    "severity": "MODERATE"
  },
  "details": "A local, low-privileged attacker can learn the password of the connected controller in PLC Designer V4 due to an incorrect implementation that results in the password being displayed in plain text under special conditions.",
  "id": "GHSA-q6j3-9p27-59xc",
  "modified": "2025-06-26T21:31:10Z",
  "published": "2025-06-26T21:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41647"
    },
    {
      "type": "WEB",
      "url": "https://certvde.com/en/advisories/VDE-2025-043"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q736-RGCP-Q443

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2023-10-26 22:48
VLAI
Summary
Jenkins Gogs Plugin stored credentials in plain text
Details

Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Gogs Plugin now stores credentials encrypted.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.14"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:gogs-webhook"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10348"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-26T22:48:25Z",
    "nvd_published_at": "2019-07-11T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Gogs Plugin stored credentials unencrypted in job `config.xml` files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\n\nGogs Plugin now stores credentials encrypted.",
  "id": "GHSA-q736-rgcp-q443",
  "modified": "2023-10-26T22:48:25Z",
  "published": "2022-05-24T16:50:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10348"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/gogs-webhook-plugin/commit/34de11fe0822864c4c340b395dadebca8cb11844"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1438"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/07/11/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Gogs Plugin stored credentials in plain text"
}

GHSA-Q7MH-G4JF-H3RV

Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-07-13 00:01
VLAI
Details

IBM Security Verify Information Queue 1.0.6 and 1.0.7 sends user credentials in plain clear text which can be read by an authenticated user using man in the middle techniques. IBM X-Force ID: 198190.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-12T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Verify Information Queue 1.0.6 and 1.0.7 sends user credentials in plain clear text which can be read by an authenticated user using man in the middle techniques. IBM X-Force ID: 198190.",
  "id": "GHSA-q7mh-g4jf-h3rv",
  "modified": "2022-07-13T00:01:04Z",
  "published": "2022-05-24T17:42:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20410"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196190"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6414773"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q7W7-VVPC-6QMP

Vulnerability from github – Published: 2023-02-11 03:32 – Updated: 2023-02-21 18:30
VLAI
Details

Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain information disclosure vulnerability. A local malicious user with low privileges could exploit this vulnerability to view and modify sensitive information in the database of the affected application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-11T01:23:00Z",
    "severity": "HIGH"
  },
  "details": "Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain information disclosure vulnerability. A local malicious user with low privileges could exploit this vulnerability to view and modify sensitive information in the database of the affected application.",
  "id": "GHSA-q7w7-vvpc-6qmp",
  "modified": "2023-02-21T18:30:24Z",
  "published": "2023-02-11T03:32:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34388"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000204114"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q84X-3476-8FF2

Vulnerability from github – Published: 2023-01-06 12:31 – Updated: 2023-01-12 16:49
VLAI
Summary
Apache James MIME4J vulnerable to information disclosure to local users
Details

Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. We recommend users to upgrade to MIME4j version 0.8.9 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.james:apache-mime4j-storage"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-45787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T20:15:28Z",
    "nvd_published_at": "2023-01-06T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. We recommend users to upgrade to MIME4j version 0.8.9 or later.",
  "id": "GHSA-q84x-3476-8ff2",
  "modified": "2023-01-12T16:49:59Z",
  "published": "2023-01-06T12:31:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45787"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/james-mime4j/commit/021eb79ba312fe5a7f99fa867ee5350aa5533069"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/james-mime4j"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/james-mime4j/blob/master/CHANGELOG.md#089---2022-12-30"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/MIME4J-322"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/26s8p9stl1z261c4qw15bsq03tt7t0rj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache James MIME4J vulnerable to information disclosure to local users"
}

GHSA-Q92V-3F4W-5XG8

Vulnerability from github – Published: 2025-07-09 18:30 – Updated: 2025-11-05 20:14
VLAI
Summary
Jenkins Applitools Eyes Plugin vulnerability exposes unencrypted keys to certain authenticated users
Details

Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:applitools-eyes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.16.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-09T22:37:55Z",
    "nvd_published_at": "2025-07-09T16:15:27Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.",
  "id": "GHSA-q92v-3f4w-5xg8",
  "modified": "2025-11-05T20:14:09Z",
  "published": "2025-07-09T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53742"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/applitools-eyes-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2025-07-09/#SECURITY-3510"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/09/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Applitools Eyes Plugin vulnerability exposes unencrypted keys to certain authenticated users"
}

GHSA-Q989-5JJ4-3G9Q

Vulnerability from github – Published: 2026-04-05 03:30 – Updated: 2026-04-05 03:30
VLAI
Details

A vulnerability has been found in SourceCodester Student Result Management System 1.0. Impacted is an unknown function of the file /login_credentials.txt of the component HTTP GET Request Handler. The manipulation leads to cleartext storage in a file or on disk. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5531"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-05T02:16:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in SourceCodester Student Result Management System 1.0. Impacted is an unknown function of the file /login_credentials.txt of the component HTTP GET Request Handler. The manipulation leads to cleartext storage in a file or on disk. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-q989-5jj4-3g9q",
  "modified": "2026-04-05T03:30:23Z",
  "published": "2026-04-05T03:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5531"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1moQEev6skJoIe7UlL6YyR2xGgX5smeXb/view?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/782157"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/355284"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/355284/cti"
    },
    {
      "type": "WEB",
      "url": "https://www.sourcecodester.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q9CJ-QF3M-4WRV

Vulnerability from github – Published: 2024-04-19 00:30 – Updated: 2024-04-19 00:30
VLAI
Details

Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-18T23:15:07Z",
    "severity": "HIGH"
  },
  "details": "\nElectrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the system.\n\n",
  "id": "GHSA-q9cj-qf3m-4wrv",
  "modified": "2024-04-19T00:30:54Z",
  "published": "2024-04-19T00:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3742"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9G8-9HPP-XC82

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2026-07-07 13:11
VLAI
Summary
ActiveMQ Artemis has Insufficiently Protected Credentials
Details

A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the resetUsers operation. A local attacker can use this flaw to read the contents of the Artemis shadow file.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.12.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.activemq:artemis-commons"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-10727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-24T01:26:20Z",
    "nvd_published_at": "2020-06-26T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file (etc/artemis-users.properties file) when executing the `resetUsers` operation. A local attacker can use this flaw to read the contents of the Artemis shadow file.",
  "id": "GHSA-q9g8-9hpp-xc82",
  "modified": "2026-07-07T13:11:30Z",
  "published": "2022-05-24T17:21:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10727"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1827200"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/artemis"
    },
    {
      "type": "WEB",
      "url": "https://issues.redhat.com/browse/ENTMQBR-3435"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210827-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ActiveMQ Artemis has Insufficiently Protected Credentials"
}

GHSA-Q9HM-HR89-HGM7

Vulnerability from github – Published: 2023-04-12 18:30 – Updated: 2023-04-12 22:19
VLAI
Summary
Jenkins WSO2 Oauth Plugin does not mask the WSO2 Oauth client secret on the global configuration form
Details

Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.

This client secret can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the WSO2 Oauth client secret, increasing the potential for attackers to observe and capture it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:wso2id-oauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30528"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-12T22:19:08Z",
    "nvd_published_at": "2023-04-12T18:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.\n\nThis client secret can be viewed by users with access to the Jenkins controller file system.\n\nAdditionally, the global configuration form does not mask the WSO2 Oauth client secret, increasing the potential for attackers to observe and capture it.",
  "id": "GHSA-q9hm-hr89-hgm7",
  "modified": "2023-04-12T22:19:08Z",
  "published": "2023-04-12T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30528"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2992"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/04/13/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins WSO2 Oauth Plugin does not mask the WSO2 Oauth client secret on the global configuration form"
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.