Description
The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
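The difference between encoding and protecting a stored password, shown as an added example that is not part of the original entry. The function names, the `verifier.txt` file name and the PBKDF2 iteration count are assumptions chosen for illustration; the file-mode check assumes a POSIX system.

```python
import base64
import hashlib
import hmac
import os
import stat
import tempfile

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

def store_encoded(password: str) -> str:
    """Weak: Base64 is an encoding, so the record is still cleartext-equivalent."""
    return base64.b64encode(password.encode()).decode()

def recover_encoded(record: str) -> str:
    """What any reader of the stored record can do: decode, no key required."""
    return base64.b64decode(record).decode()

def store_verifier(password: str) -> str:
    """Hardened: keep a salted PBKDF2 verifier instead of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def check_password(password: str, record: str) -> bool:
    """Recompute the verifier from the stored salt; compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def write_owner_only(path: str, data: str) -> int:
    """Create the file with mode 0600 and return the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo() -> dict:
    password = "constructed-sample-pw"  # constructed sample value
    weak, strong = store_encoded(password), store_verifier(password)
    with tempfile.TemporaryDirectory() as tmp:
        mode = write_owner_only(os.path.join(tmp, "verifier.txt"), strong)
    return {"weak_recovered": recover_encoded(weak), "verifier": strong,
            "accepts_right": check_password(password, strong),
            "accepts_wrong": check_password("guess", strong), "mode": mode}

if __name__ == "__main__":
    print(demo())
```

A verifier only suits passwords the application checks; secrets it must read back need encryption with a key held outside the stored resource.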
Modes of Introduction:
– Architecture and Design
Related Weaknesses
Consequences
Confidentiality: Read Application Data
An attacker with access to the system could read sensitive information stored in cleartext.
Potential Mitigations
CVE References
- CVE-2009-2272: password and username stored in cleartext in a cookie
- CVE-2009-1466: password stored in cleartext in a file with insecure permissions
- CVE-2009-0152: chat program disables SSL in some circumstances even when the user says to use SSL.
- CVE-2009-1603: Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
- CVE-2009-0964: storage of unencrypted passwords in a database
- CVE-2008-6157: storage of unencrypted passwords in a database
- CVE-2008-6828: product stores a password in cleartext in memory
- CVE-2008-1567: storage of a secret key in cleartext in a temporary file
- CVE-2008-0174: SCADA product uses HTTP Basic Authentication, which is not encrypted
- CVE-2007-5778: login credentials stored unencrypted in a registry key
- CVE-2001-1481: Plaintext credentials in world-readable file.
- CVE-2005-1828: Password in cleartext in config file.
- CVE-2005-2209: Password in cleartext in config file.
- CVE-2002-1696: Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
- CVE-2004-2397: Plaintext storage of private key and passphrase in log file when user imports the key.
- CVE-2002-1800: Admin password in plaintext in a cookie.
- CVE-2001-1537: Default configuration has cleartext usernames/passwords in cookie.
- CVE-2001-1536: Usernames/passwords in cleartext in cookies.
- CVE-2005-2160: Authentication information stored in cleartext in a cookie.