Description
The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Because the information is stored in cleartext, attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
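An added example (not part of the original page): a small Python audit of a key=value config file that flags a file readable beyond its owner and secret-named keys holding inline values, and shows that hex or base64 values decode straight back to text. The key-name pattern, file layout, function names and sample values are assumptions constructed for illustration.

```python
import base64, os, re, stat, tempfile

# Assumed naming convention for secret-bearing keys (heuristic, not exhaustive).
SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)

def reversible_decoding(value):
    """Return (encoding, text) if value is hex/base64 of printable ASCII, else None."""
    decoders = (("hex", bytes.fromhex),
                ("base64", lambda v: base64.b64decode(v, validate=True)))
    for name, decode in decoders:
        try:
            raw = decode(value)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(raw) >= 4 and all(32 <= b < 127 for b in raw):
            return name, raw.decode("ascii")
    return None

def audit_config(path):
    """Return (item, issue) findings for one key=value file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("file", f"mode {oct(mode)} readable by group/other"))
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            key, sep, value = (part.strip() for part in line.partition("="))
            if not sep or not value or not SENSITIVE.search(key):
                continue
            decoded = reversible_decoding(value)
            # Report only the key and the kind; never copy the secret into the report.
            findings.append((key, decoded[0] if decoded else "literal"))
    return findings

def write_sample(path, mode=0o644):
    """Write a constructed sample config (values invented for this example)."""
    lines = ["db_user = app",
             "db_password = hunter2",
             "api_token = " + base64.b64encode(b"super-secret-token").decode(),
             "smtp_secret = " + b"s3cr3tpass".hex(),
             "timeout = 30"]
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(os.path.join(tmp, "app.conf"))
        print(audit_config(os.path.join(tmp, "app.conf")))
```

A value reported as `literal` may still be ciphertext or a hash and needs manual review; a value reported as `hex` or `base64` decoded to printable text, so it is not encrypted.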
Modes of Introduction:
– Architecture and Design
Related Weaknesses
Consequences
Confidentiality: Read Application Data
An attacker with access to the system could read sensitive information stored in cleartext.
Potential Mitigations
CVE References
- CVE-2009-2272: password and username stored in cleartext in a cookie
- CVE-2009-1466: password stored in cleartext in a file with insecure permissions
- CVE-2009-0152: chat program disables SSL in some circumstances even when the user says to use SSL.
- CVE-2009-1603: Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
- CVE-2009-0964: storage of unencrypted passwords in a database
- CVE-2008-6157: storage of unencrypted passwords in a database
- CVE-2008-6828: product stores a password in cleartext in memory
- CVE-2008-1567: storage of a secret key in cleartext in a temporary file
- CVE-2008-0174: SCADA product uses HTTP Basic Authentication, which is not encrypted
- CVE-2007-5778: login credentials stored unencrypted in a registry key
- CVE-2001-1481: Plaintext credentials in world-readable file.
- CVE-2005-1828: Password in cleartext in config file.
- CVE-2005-2209: Password in cleartext in config file.
- CVE-2002-1696: Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
- CVE-2004-2397: Plaintext storage of private key and passphrase in log file when user imports the key.
- CVE-2002-1800: Admin password in plaintext in a cookie.
- CVE-2001-1537: Default configuration has cleartext usernames/passwords in cookie.
- CVE-2001-1536: Usernames/passwords in cleartext in cookies.
- CVE-2005-2160: Authentication information stored in cleartext in a cookie.