Read Time:1 Minute, 42 Second

Description

The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-311
CWE-311
CWE-922

 

Consequences

Confidentiality: Read Application Data

An attacker with access to the system could read sensitive information stored in cleartext.

 

Potential Mitigations

CVE References

  • CVE-2009-2272
    • password and username stored in cleartext in a cookie
  • CVE-2009-1466
    • password stored in cleartext in a file with insecure permissions
  • CVE-2009-0152
    • chat program disables SSL in some circumstances even when the user says to use SSL.
  • CVE-2009-1603
    • Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
  • CVE-2008-1567
    • storage of a secret key in cleartext in a temporary file
  • CVE-2008-0174
    • SCADA product uses HTTP Basic Authentication, which is not encrypted
  • CVE-2007-5778
    • login credentials stored unencrypted in a registry key
  • CVE-2002-1696
    • Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
  • CVE-2004-2397
    • Plaintext storage of private key and passphrase in log file when user imports the key.
  • CVE-2001-1537
    • Default configuration has cleartext usernames/passwords in cookie.
  • CVE-2005-2160
    • Authentication information stored in cleartext in a cookie.