CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-VWPW-RFX3-GQFW
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2022-12-13 03:30IBM Security Guardium Big Data Intelligence (SonarG) 4.0 stores sensitive information in cleartext within a resource that might be accessible to another control sphere. IBM X-Force ID: 1610141.
{
"affected": [],
"aliases": [
"CVE-2019-4314"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-29T00:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Guardium Big Data Intelligence (SonarG) 4.0 stores sensitive information in cleartext within a resource that might be accessible to another control sphere. IBM X-Force ID: 1610141.",
"id": "GHSA-vwpw-rfx3-gqfw",
"modified": "2022-12-13T03:30:44Z",
"published": "2022-05-24T22:01:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4314"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161041"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/1096912"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VX3W-MR85-R8VR
Vulnerability from github – Published: 2023-08-14 18:32 – Updated: 2024-04-04 06:55An issue was discovered in MariaDB MaxScale before 23.02.3. A user enters an encrypted password on a "maxctrl create service" command line, but this password is then stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d. The fixed versions are 2.5.28, 6.4.9, 22.08.8, and 23.02.3.
{
"affected": [],
"aliases": [
"CVE-2023-40354"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-14T17:15:10Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in MariaDB MaxScale before 23.02.3. A user enters an encrypted password on a \"maxctrl create service\" command line, but this password is then stored in cleartext in the resulting .cnf file under /var/lib/maxscale/maxscale.cnf.d. The fixed versions are 2.5.28, 6.4.9, 22.08.8, and 23.02.3.",
"id": "GHSA-vx3w-mr85-r8vr",
"modified": "2024-04-04T06:55:08Z",
"published": "2023-08-14T18:32:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40354"
},
{
"type": "WEB",
"url": "https://jira.mariadb.org/browse/MXS-4681"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VX6M-H78H-XXCF
Vulnerability from github – Published: 2025-07-21 12:30 – Updated: 2025-07-21 12:30Unencrypted storage in the database in Two App Studio Journey v5.5.9 for iOS allows local attackers to extract sensitive data via direct access to the app’s filesystem.
{
"affected": [],
"aliases": [
"CVE-2025-41458"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-21T11:15:23Z",
"severity": "MODERATE"
},
"details": "Unencrypted storage in the database in Two App Studio Journey v5.5.9 for iOS allows local attackers to extract sensitive data via direct access to the app\u2019s filesystem.",
"id": "GHSA-vx6m-h78h-xxcf",
"modified": "2025-07-21T12:30:34Z",
"published": "2025-07-21T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41458"
},
{
"type": "WEB",
"url": "https://www.cirosec.de/sa/sa-2025-005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VXJM-JCH6-9QR5
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird < 78.10.2.
{
"affected": [],
"aliases": [
"CVE-2021-29956"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-24T14:15:00Z",
"severity": "MODERATE"
},
"details": "OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user\u0027s local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions. This vulnerability affects Thunderbird \u003c 78.10.2.",
"id": "GHSA-vxjm-jch6-9qr5",
"modified": "2022-05-24T19:06:08Z",
"published": "2022-05-24T19:06:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29956"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1710290"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-22"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VXM7-H9HR-QR3W
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46Sensitive smart card data is logged in default INFO logs by Teradici's PCoIP Connection Manager and Security Gateway prior to version 21.01.3.
{
"affected": [],
"aliases": [
"CVE-2021-25692"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-06T20:15:00Z",
"severity": "MODERATE"
},
"details": "Sensitive smart card data is logged in default INFO logs by Teradici\u0027s PCoIP Connection Manager and Security Gateway prior to version 21.01.3.",
"id": "GHSA-vxm7-h9hr-qr3w",
"modified": "2022-05-24T17:46:37Z",
"published": "2022-05-24T17:46:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25692"
},
{
"type": "WEB",
"url": "https://advisory.teradici.com/security-advisories/77"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W345-4XM5-Q2XP
Vulnerability from github – Published: 2024-12-04 03:31 – Updated: 2024-12-04 03:31A vulnerability in Veeam Backup & Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol, ultimately retrieving the credentials using a malicious setup on the attacker's side. This exposes sensitive data, which could be used for further attacks, including unauthorized access to systems managed by the platform.
{
"affected": [],
"aliases": [
"CVE-2024-42451"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-04T02:15:04Z",
"severity": "HIGH"
},
"details": "A vulnerability in Veeam Backup \u0026 Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol, ultimately retrieving the credentials using a malicious setup on the attacker\u0027s side. This exposes sensitive data, which could be used for further attacks, including unauthorized access to systems managed by the platform.",
"id": "GHSA-w345-4xm5-q2xp",
"modified": "2024-12-04T03:31:15Z",
"published": "2024-12-04T03:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42451"
},
{
"type": "WEB",
"url": "https://www.veeam.com/kb4693"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3FR-WWFG-6332
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17IBM Data Risk Manager 2.0.6 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 209947.
{
"affected": [],
"aliases": [
"CVE-2021-38915"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-12T19:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Data Risk Manager 2.0.6 stores user credentials in plain clear text which can be read by an authenticated user. IBM X-Force ID: 209947.",
"id": "GHSA-w3fr-wwfg-6332",
"modified": "2022-05-24T19:17:16Z",
"published": "2022-05-24T19:17:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38915"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209947"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6497499"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W3G5-QFMH-45M7
Vulnerability from github – Published: 2022-06-12 00:00 – Updated: 2022-06-18 00:00A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been declared as problematic. This vulnerability affects unknown code of the component Password Storage. The manipulation leads to weak encryption. Attacking locally is a requirement.
{
"affected": [],
"aliases": [
"CVE-2017-20040"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-11T10:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been declared as problematic. This vulnerability affects unknown code of the component Password Storage. The manipulation leads to weak encryption. Attacking locally is a requirement.",
"id": "GHSA-w3g5-qfmh-45m7",
"modified": "2022-06-18T00:00:22Z",
"published": "2022-06-12T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20040"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.98908"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Mar/25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W496-F5JM-W9C3
Vulnerability from github – Published: 2023-01-30 09:30 – Updated: 2025-11-04 00:30Information disclosure vulnerability exists in Pgpool-II 4.4.0 to 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2 series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series), All versions of 3.7 series, All versions of 3.6 series, All versions of 3.5 series, All versions of 3.4 series, and All versions of 3.3 series. A specific database user's authentication information may be obtained by another database user. As a result, the information stored in the database may be altered and/or database may be suspended by a remote attacker who successfully logged in the product with the obtained credentials.
{
"affected": [],
"aliases": [
"CVE-2023-22332"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T07:15:00Z",
"severity": "MODERATE"
},
"details": "Information disclosure vulnerability exists in Pgpool-II 4.4.0 to 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2 series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series), All versions of 3.7 series, All versions of 3.6 series, All versions of 3.5 series, All versions of 3.4 series, and All versions of 3.3 series. A specific database user\u0027s authentication information may be obtained by another database user. As a result, the information stored in the database may be altered and/or database may be suspended by a remote attacker who successfully logged in the product with the obtained credentials.",
"id": "GHSA-w496-f5jm-w9c3",
"modified": "2025-11-04T00:30:35Z",
"published": "2023-01-30T09:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22332"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN72418815"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00015.html"
},
{
"type": "WEB",
"url": "https://www.pgpool.net/mediawiki/index.php/Main_Page#News"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W6G3-R938-VJ7F
Vulnerability from github – Published: 2024-11-04 21:30 – Updated: 2024-11-05 18:32Insufficiently protected credentials in DAV server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to read Exchange account passwords via HTTP GET request.
{
"affected": [],
"aliases": [
"CVE-2024-34891"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T19:15:06Z",
"severity": "MODERATE"
},
"details": "Insufficiently protected credentials in DAV server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to read Exchange account passwords via HTTP GET request.",
"id": "GHSA-w6g3-r938-vj7f",
"modified": "2024-11-05T18:32:05Z",
"published": "2024-11-04T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34891"
},
{
"type": "WEB",
"url": "https://github.com/DrieVlad/BitrixVulns"
},
{
"type": "WEB",
"url": "http://bitrix24.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.