Common Weakness Enumeration

CWE-316

Allowed

Cleartext Storage of Sensitive Information in Memory

Abstraction: Variant · Status: Draft

The product stores sensitive information in cleartext in memory.

62 vulnerabilities reference this CWE, most recent first.

GHSA-2P2F-PX33-4VV5

Vulnerability from github – Published: 2026-07-14 20:05 – Updated: 2026-07-14 20:05
VLAI
Summary
nebula-mesh: CA private key not zeroized on web mobile-bundle error paths
Details

Impact

The web handler renderMobileBundle (internal/web/handlers.go:1325) passes the real *pki.CAResolver directly into mobilebundle.Build. Inside Build (internal/mobilebundle/builder.go:54), resolver.LoadByID decrypts the CA's ed25519 private key into a *pki.CAManager, but Build never calls CAManager.Wipe() on any return path (success or any of the error paths at lines 56, 62, 68, 80, 86, 92, 98, 102, 109, 118, 150).

As a result, when a mobile-bundle request goes through the web UI and Build returns — especially on error (missing network, invalid prefix, DB error, signing failure) — the plaintext CA private key remains on the Go heap, unwiped, until garbage collection. An attacker able to read process memory (core dump, swap, memory-scraping) can recover the CA signing key, which would allow minting arbitrary host certificates for the mesh.

The API handler (internal/api/mobile_bundle.go:74) already does this correctly: it loads the CAManager, defer caMgr.Wipe(), and wraps it in caManagerResolver. Only the web path is affected.

This is the same key-zeroization class previously addressed in GHSA-8h84-fhqq-q58v.

Patches

Add defer caMgr.Wipe() inside mobilebundle.Build immediately after the LoadByID call so every caller (web and API) is protected on all return paths. Ensure CAManager.Wipe() is idempotent, since the API handler also wipes the same manager.

Workarounds

None at the configuration level; requires a code fix.

Resources

  • internal/web/handlers.go:1325
  • internal/mobilebundle/builder.go:54
  • internal/api/mobile_bundle.go:74 (correct reference implementation)
  • Prior related advisory: GHSA-8h84-fhqq-q58v
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.7"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/forgekeep/nebula-mesh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212",
      "CWE-316"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-14T20:05:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Impact\n\nThe web handler `renderMobileBundle` (`internal/web/handlers.go:1325`) passes the real `*pki.CAResolver` directly into `mobilebundle.Build`. Inside `Build` (`internal/mobilebundle/builder.go:54`), `resolver.LoadByID` decrypts the CA\u0027s ed25519 private key into a `*pki.CAManager`, but `Build` never calls `CAManager.Wipe()` on any return path (success or any of the error paths at lines 56, 62, 68, 80, 86, 92, 98, 102, 109, 118, 150).\n\nAs a result, when a mobile-bundle request goes through the **web** UI and `Build` returns \u2014 especially on error (missing network, invalid prefix, DB error, signing failure) \u2014 the plaintext CA private key remains on the Go heap, unwiped, until garbage collection. An attacker able to read process memory (core dump, swap, memory-scraping) can recover the CA signing key, which would allow minting arbitrary host certificates for the mesh.\n\nThe **API** handler (`internal/api/mobile_bundle.go:74`) already does this correctly: it loads the `CAManager`, `defer caMgr.Wipe()`, and wraps it in `caManagerResolver`. Only the web path is affected.\n\nThis is the same key-zeroization class previously addressed in GHSA-8h84-fhqq-q58v.\n\n## Patches\n\nAdd `defer caMgr.Wipe()` inside `mobilebundle.Build` immediately after the `LoadByID` call so every caller (web and API) is protected on all return paths. Ensure `CAManager.Wipe()` is idempotent, since the API handler also wipes the same manager.\n\n## Workarounds\n\nNone at the configuration level; requires a code fix.\n\n## Resources\n\n- `internal/web/handlers.go:1325`\n- `internal/mobilebundle/builder.go:54`\n- `internal/api/mobile_bundle.go:74` (correct reference implementation)\n- Prior related advisory: GHSA-8h84-fhqq-q58v",
  "id": "GHSA-2p2f-px33-4vv5",
  "modified": "2026-07-14T20:05:38Z",
  "published": "2026-07-14T20:05:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/forgekeep/nebula-mesh/security/advisories/GHSA-2p2f-px33-4vv5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/forgekeep/nebula-mesh/commit/1f1ab9aa8472239763d967e3d50a3cd53a1a79b9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/forgekeep/nebula-mesh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/forgekeep/nebula-mesh/releases/tag/v0.3.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "nebula-mesh: CA private key not zeroized on web mobile-bundle error paths"
}

GHSA-2WPH-4XPG-R884

Vulnerability from github – Published: 2023-12-12 12:30 – Updated: 2023-12-12 12:30
VLAI
Details

A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) (All versions < V19). An information disclosure vulnerability could allow a local attacker to gain access to the access level password of the SIMATIC S7-1200 and S7-1500 CPUs, when entered by a legitimate user in the hardware configuration of the affected application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46141"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-316"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-12T12:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SIMATIC STEP 7 (TIA Portal) (All versions \u003c V19). An information disclosure vulnerability could allow a local attacker to gain access to the access level password of the SIMATIC S7-1200 and S7-1500 CPUs, when entered by a legitimate user in the hardware configuration of the affected application.",
  "id": "GHSA-2wph-4xpg-r884",
  "modified": "2023-12-12T12:30:53Z",
  "published": "2023-12-12T12:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46141"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-887801.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4265-PFR7-6XJV

Vulnerability from github – Published: 2025-11-14 18:31 – Updated: 2025-11-14 18:31
VLAI
Details

A sensitive information disclosure vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user to retrieve sensitive data from Prisma Browser.

Browser self-protection should be enabled to mitigate this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4618"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-316"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-14T18:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A sensitive information disclosure vulnerability in Palo Alto Networks Prisma\u00ae Browser allows a locally authenticated non-admin user to retrieve sensitive data from Prisma Browser.\n\nBrowser self-protection should be enabled to mitigate this issue.",
  "id": "GHSA-4265-pfr7-6xjv",
  "modified": "2025-11-14T18:31:39Z",
  "published": "2025-11-14T18:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4618"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2025-4618"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-49QV-652V-577V

Vulnerability from github – Published: 2026-05-20 12:30 – Updated: 2026-05-20 12:30
VLAI
Details

Cleartext Storage of Sensitive Information in Memory vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component.

This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0857"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-316"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-20T11:16:25Z",
    "severity": "MODERATE"
  },
  "details": "Cleartext Storage of Sensitive Information in Memory vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component.\n\nThis issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020.",
  "id": "GHSA-49qv-652v-577v",
  "modified": "2026-05-20T12:30:38Z",
  "published": "2026-05-20T12:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0857"
    },
    {
      "type": "WEB",
      "url": "https://seccore.at/blog/cves-meona"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4CVC-J8GF-MG3G

Vulnerability from github – Published: 2024-07-14 15:30 – Updated: 2024-07-14 15:30
VLAI
Details

IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 temporarily stores data from different environments that could be obtained by a malicious user. IBM X-Force ID: 295791.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-316"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-14T13:15:20Z",
    "severity": "MODERATE"
  },
  "details": "IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 temporarily stores data from different environments that could be obtained by a malicious user.  IBM X-Force ID:  295791.",
  "id": "GHSA-4cvc-j8gf-mg3g",
  "modified": "2024-07-14T15:30:57Z",
  "published": "2024-07-14T15:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39732"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/295791"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7160185"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59P6-QQ9J-XGJC

Vulnerability from github – Published: 2025-11-11 03:30 – Updated: 2025-11-11 03:30
VLAI
Details

SAP GUI for Windows may allow a highly privileged user on the affected client PC to locally access sensitive information stored in process memory during runtime.This vulnerability has a high impact on confidentiality, with no impact on integrity and availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-42888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-316"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-11T01:15:37Z",
    "severity": "MODERATE"
  },
  "details": "SAP GUI for Windows may allow a highly privileged user on the affected client PC to locally access sensitive information stored in process memory during runtime.This vulnerability has a high impact on confidentiality, with no impact on integrity and availability.",
  "id": "GHSA-59p6-qq9j-xgjc",
  "modified": "2025-11-11T03:30:28Z",
  "published": "2025-11-11T03:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42888"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3651097"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-62VX-HPCR-M9CH

Vulnerability from github – Published: 2025-11-20 15:30 – Updated: 2025-11-20 18:48
VLAI
Summary
@perfood/couch-auth may expose session tokens, passwords
Details

Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@perfood/couch-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.21.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-60794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-316"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-20T18:48:26Z",
    "nvd_published_at": "2025-11-20T15:17:37Z",
    "severity": "MODERATE"
  },
  "details": "Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access techniques, potentially leading to session hijacking.",
  "id": "GHSA-62vx-hpcr-m9ch",
  "modified": "2025-11-20T18:48:27Z",
  "published": "2025-11-20T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60794"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/perfood/couch-auth"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pr0wl1ng/security-advisories/blob/main/CVE-2025-60794.md"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@perfood/couch-auth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@perfood/couch-auth may expose session tokens, passwords"
}

GHSA-6844-78P7-PCMC

Vulnerability from github – Published: 2023-07-19 09:30 – Updated: 2023-07-19 09:30
VLAI
Details

A vulnerability was found in Intergard SGS 8.7.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to cleartext storage of sensitive information in memory. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-234447. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-316"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-19T07:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Intergard SGS 8.7.0. It has been classified as problematic. This affects an unknown part. The manipulation leads to cleartext storage of sensitive information in memory. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-234447. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-6844-78p7-pcmc",
  "modified": "2023-07-19T09:30:54Z",
  "published": "2023-07-19T09:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3762"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.234447"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.234447"
    },
    {
      "type": "WEB",
      "url": "https://youtu.be/Ee2KU-T_0pI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R3R-R496-RRFW

Vulnerability from github – Published: 2022-11-25 00:30 – Updated: 2022-11-28 21:30
VLAI
Details

Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthorized attacker to disclose sensitive information. As a result, unauthorized users could obtain information about the project file for MELSEC safety CPU modules.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29832"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-316"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-25T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later allows a remote unauthorized attacker to disclose sensitive information. As a result, unauthorized users could obtain information about the project file for MELSEC safety CPU modules.",
  "id": "GHSA-7r3r-r496-rrfw",
  "modified": "2022-11-28T21:30:22Z",
  "published": "2022-11-25T00:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29832"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU97244961"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-333-05"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C244-PRPX-2Q63

Vulnerability from github – Published: 2022-05-17 04:39 – Updated: 2025-10-06 18:31
VLAI
Details

upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-2366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-316"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-07-19T05:09:00Z",
    "severity": "MODERATE"
  },
  "details": "upAdminPg.asp in Advantech WebAccess before 7.2 allows remote authenticated users to discover credentials by reading HTML source code.",
  "id": "GHSA-c244-prpx-2q63",
  "modified": "2025-10-06T18:31:00Z",
  "published": "2022-05-17T04:39:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2366"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-198-02"
    },
    {
      "type": "WEB",
      "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02"
    },
    {
      "type": "WEB",
      "url": "http://webaccess.advantech.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.