Common Weakness Enumeration

CWE-312

Allowed

Cleartext Storage of Sensitive Information

Abstraction: Base · Status: Draft

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

1017 vulnerabilities reference this CWE, most recent first.

GHSA-RXMP-X6CW-79XV

Vulnerability from github – Published: 2024-10-29 15:32 – Updated: 2024-10-29 15:32
VLAI
Details

mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue is fixed in version 1.0.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7783"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-29T13:15:10Z",
    "severity": "MODERATE"
  },
  "details": "mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue is fixed in version 1.0.3.",
  "id": "GHSA-rxmp-x6cw-79xv",
  "modified": "2024-10-29T15:32:05Z",
  "published": "2024-10-29T15:32:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7783"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mintplex-labs/anything-llm/commit/4430ddb05988470bc8f0479e7d07db1f7d4646ba"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/20e9950f-ad41-4d6b-8bd0-c7f7051695b3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RXRH-4J9H-XGG9

Vulnerability from github – Published: 2026-07-02 20:32 – Updated: 2026-07-02 20:32
VLAI
Summary
Steeltoe: TLS private keys written to /tmp with default permissions, never deleted
Details

Summary

When MySQL or PostgreSQL service bindings from VCAP_SERVICES include TLS client credentials, the Connectors library writes those credentials to temporary files in Path.GetTempPath() using File.CreateText. On Linux, File.CreateText creates files with mode 0644 (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode 0400 in /proc/<pid>/environ.

Impact

Any process co-located in the container that runs as a different UID can read the TLS client private key from /tmp and use it to impersonate the application when connecting to the backing database over mutual TLS.

Affected configuration

  • Application is deployed on Cloud Foundry or another environment that populates VCAP_SERVICES with a MySQL or PostgreSQL service binding that includes sslKey credentials.
  • A process running as a different UID shares the container's filesystem.

Mitigations

If an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to /tmp.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Configuration.Abstractions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:32:09Z",
    "nvd_published_at": "2026-06-17T23:17:04Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nWhen MySQL or PostgreSQL service bindings from `VCAP_SERVICES` include TLS client credentials, the Connectors library writes those credentials to temporary files in `Path.GetTempPath()` using `File.CreateText`. On Linux, `File.CreateText` creates files with mode `0644` (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode `0400` in `/proc/\u003cpid\u003e/environ`.\n\n### Impact\n\nAny process co-located in the container that runs as a different UID can read the TLS client private key from `/tmp` and use it to impersonate the application when connecting to the backing database over mutual TLS.\n\n### Affected configuration\n\n- Application is deployed on Cloud Foundry or another environment that populates `VCAP_SERVICES` with a MySQL or PostgreSQL service binding that includes `sslKey` credentials.\n- A process running as a different UID shares the container\u0027s filesystem.\n\n### Mitigations\n\nIf an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to `/tmp`.",
  "id": "GHSA-rxrh-4j9h-xgg9",
  "modified": "2026-07-02T20:32:09Z",
  "published": "2026-07-02T20:32:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-rxrh-4j9h-xgg9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50267"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/Steeltoe/commit/8dd97cc6c4b184121a4bd1f92f9ac16918433471"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SteeltoeOSS/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Steeltoe: TLS private keys written to /tmp with default permissions, never deleted"
}

GHSA-V36P-6RF8-WX94

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

The implementation of Brave Desktop's privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended behavior was to log the timestamp for incognito windows excluding Tor windows. Note that if a user has P3A enabled, the timestamp is not sent to Brave's server, but rather a value from:Used in last 24hUsed in last week but not 24hUsed in last 28 days but not weekEver used but not in last 28 daysNever usedThe privacy risk is low because a local attacker with disk access cannot tell if the timestamp corresponds to a Tor window or a non-Tor incognito window.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-8276"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-09T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The implementation of Brave Desktop\u0027s privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended behavior was to log the timestamp for incognito windows excluding Tor windows. Note that if a user has P3A enabled, the timestamp is not sent to Brave\u0027s server, but rather a value from:Used in last 24hUsed in last week but not 24hUsed in last 28 days but not weekEver used but not in last 28 daysNever usedThe privacy risk is low because a local attacker with disk access cannot tell if the timestamp corresponds to a Tor window or a non-Tor incognito window.",
  "id": "GHSA-v36p-6rf8-wx94",
  "modified": "2022-05-24T17:34:09Z",
  "published": "2022-05-24T17:34:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8276"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1024668"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V427-C49J-8W6X

Vulnerability from github – Published: 2023-11-23 00:28 – Updated: 2023-11-27 21:44
VLAI
Summary
Cleartext Storage of Sensitive Information in HMAC SHA256 Authentication
Details

Impact

secretKey, an important key for HMAC SHA256 authentication, was stored in the database in raw form.

If a malicious person somehow had access to the data in the database, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating that person.

Patches

Upgrade to Shield v1.0.0-beta.8 or later.

After upgrading, all existing secret keys must be encrypted. See https://github.com/codeigniter4/shield/blob/develop/UPGRADING.md for details.

Workarounds

None.

References

  • https://codeigniter4.github.io/shield/references/authentication/hmac/

For more information

If you have any questions or comments about this advisory: * Open an issue or discussion in codeigniter4/shield * Email us at security@codeigniter.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "codeigniter4/shield"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0-beta.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48707"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-23T00:28:14Z",
    "nvd_published_at": "2023-11-24T18:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n**secretKey**, an important key for HMAC SHA256 authentication, was stored in the database in raw form.\n\nIf a malicious person somehow had access to the data in the database, they could use the key and secretKey for HMAC SHA256 authentication to send requests impersonating that person.\n\n### Patches\nUpgrade to Shield v1.0.0-beta.8 or later.\n\nAfter upgrading, all existing secret keys must be encrypted.\nSee https://github.com/codeigniter4/shield/blob/develop/UPGRADING.md for details.\n\n### Workarounds\nNone.\n\n### References\n- https://codeigniter4.github.io/shield/references/authentication/hmac/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue or discussion in [codeigniter4/shield](https://github.com/codeigniter4/shield)\n* Email us at [security@codeigniter.com](mailto:security@codeigniter.com)\n",
  "id": "GHSA-v427-c49j-8w6x",
  "modified": "2023-11-27T21:44:37Z",
  "published": "2023-11-23T00:28:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/shield/security/advisories/GHSA-v427-c49j-8w6x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48707"
    },
    {
      "type": "WEB",
      "url": "https://github.com/codeigniter4/shield/commit/f77c6ae20275ac1245330a2b9a523bf7e6f6202f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/codeigniter4/shield"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cleartext Storage of Sensitive Information in HMAC SHA256 Authentication"
}

GHSA-V4H2-X5V2-FCQ7

Vulnerability from github – Published: 2022-06-25 00:01 – Updated: 2022-07-02 00:00
VLAI
Details

MELAG FTP Server 2.2.0.4 stores unencrpyted passwords of FTP users in a local configuration file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41639"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-24T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "MELAG FTP Server 2.2.0.4 stores unencrpyted passwords of FTP users in a local configuration file.",
  "id": "GHSA-v4h2-x5v2-fcq7",
  "modified": "2022-07-02T00:00:22Z",
  "published": "2022-06-25T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41639"
    },
    {
      "type": "WEB",
      "url": "https://www.securesystems.de/blog/advisory-and-exploitation-the-melag-ftp-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V4PR-W7X8-M4MG

Vulnerability from github – Published: 2023-03-27 21:30 – Updated: 2026-07-05 03:31
VLAI
Details

In Stimulsoft Designer (Desktop) 2023.1.5, and 2023.1.4, once an attacker decompiles the Stimulsoft.report.dll the attacker is able to decrypt any connectionstring stored in .mrt files since a static secret is used. The secret does not differ between the tested versions and different operating systems.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25263"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-27T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Stimulsoft Designer (Desktop) 2023.1.5, and 2023.1.4, once an attacker decompiles the Stimulsoft.report.dll the attacker is able to decrypt any connectionstring stored in .mrt files since a static secret is used. The secret does not differ between the tested versions and different operating systems.",
  "id": "GHSA-v4pr-w7x8-m4mg",
  "modified": "2026-07-05T03:31:03Z",
  "published": "2023-03-27T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25263"
    },
    {
      "type": "WEB",
      "url": "https://cloud-trustit.spp.at/s/Db8ZfNq2WYiNCHa"
    },
    {
      "type": "WEB",
      "url": "https://cves.at/posts/cve-2023-25263/writeup"
    },
    {
      "type": "WEB",
      "url": "http://stimulsoft.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V63C-6QF8-QQ2C

Vulnerability from github – Published: 2022-06-18 00:00 – Updated: 2022-06-28 00:00
VLAI
Details

ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cleartext Storage of Sensitive Information in a Cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-17T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cleartext Storage of Sensitive Information in a Cookie.",
  "id": "GHSA-v63c-6qf8-qq2c",
  "modified": "2022-06-28T00:00:43Z",
  "published": "2022-06-18T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45025"
    },
    {
      "type": "WEB",
      "url": "https://docs.rocketsoftware.com/bundle/ven1649700711249/page/ayk1652945111726.html"
    },
    {
      "type": "WEB",
      "url": "http://asg-zena.com"
    },
    {
      "type": "WEB",
      "url": "http://asg.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V697-947H-Q7WW

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

IBM UrbanCode Deploy (UCD) 6.2.7.9, 7.0.5.4, and 7.1.1.1 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 190908.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-4884"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-30T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM UrbanCode Deploy (UCD) 6.2.7.9, 7.0.5.4, and 7.1.1.1 stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 190908.",
  "id": "GHSA-v697-947h-q7ww",
  "modified": "2022-05-24T17:45:42Z",
  "published": "2022-05-24T17:45:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4884"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/190908"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6437565"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V766-F6MM-CQPP

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log (that can only be viewed by an administrator). This affects use of any of the following protocols: SCEP, CMP, or EST.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-25T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log (that can only be viewed by an administrator). This affects use of any of the following protocols: SCEP, CMP, or EST.",
  "id": "GHSA-v766-f6mm-cqpp",
  "modified": "2022-05-24T19:12:13Z",
  "published": "2022-05-24T19:12:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40087"
    },
    {
      "type": "WEB",
      "url": "https://support.primekey.com/news/posts/53"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V8QM-C69G-X57Q

Vulnerability from github – Published: 2022-01-22 00:00 – Updated: 2022-01-28 00:03
VLAI
Details

Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-23129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-21T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Plaintext Storage of a Password vulnerability in Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior and ICONICS GENESIS64 versions 10.90 to 10.97 allows a local authenticated attacker to gain authentication information and to access the database illegally. This is because when configuration information of GridWorX, a database linkage function of GENESIS64 and MC Works64, is exported to a CSV file, the authentication information is saved in plaintext, and an attacker who can access this CSV file can gain the authentication information.",
  "id": "GHSA-v8qm-c69g-x57q",
  "modified": "2022-01-28T00:03:11Z",
  "published": "2022-01-22T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23129"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU95403720/index.html"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-027_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation System Configuration Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Mitigation
Implementation System Configuration Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

CAPEC-37: Retrieve Embedded Sensitive Data

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.