
Description

The application stores sensitive information in cleartext in a file, or on disk.

The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
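The encoding point can be checked from the defender's side. This Python audit is an added example, not part of the original entry. It flags log lines that hold a private key header or credential in the clear, and also values that are only base64- or hex-encoded. The patterns, function names and sample log are assumptions constructed for illustration.

```python
import base64
import re

# Patterns for this example only (assumed, not an exhaustive secret taxonomy).
PEM_HEADER = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY(?: BLOCK)?-----")
KEY_VALUE = re.compile(r"(?i)\b(?:passphrase|password|secret)\s*[=:]\s*\S+")
# Runs long enough to be an encoded value rather than an ordinary word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_RUN = re.compile(r"\b(?:[0-9a-fA-F]{2}){12,}\b")
DECODERS = (
    ("base64", B64_RUN, lambda s: base64.b64decode(s, validate=True)),
    ("hex", HEX_RUN, bytes.fromhex),
)

def decoded_runs(line):
    """Yield (encoding, text) for runs in the line that decode to printable ASCII."""
    for name, pattern, decode in DECODERS:
        for match in pattern.finditer(line):
            try:
                text = decode(match.group(0)).decode("ascii")
            except ValueError:  # bad padding, odd length, or non-ASCII bytes
                continue
            if text.isprintable():
                yield name, text

def audit_lines(lines):
    """Return (line_number, finding) for cleartext or merely encoded secrets."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if PEM_HEADER.search(line):
            findings.append((number, "cleartext private key block"))
        if KEY_VALUE.search(line):
            findings.append((number, "cleartext credential"))
        for encoding, text in decoded_runs(line):
            # Encoding is reversible without a key, so treat it like cleartext.
            if PEM_HEADER.search(text) or KEY_VALUE.search(text):
                findings.append((number, f"{encoding}-encoded credential"))
    return findings

# Constructed sample log; the values are placeholders, not real key material.
SAMPLE_LOG = [
    "import started for key id EXAMPLE",
    "-----BEGIN RSA PRIVATE KEY-----",
    "import: passphrase=hunter2-example",
    "state=" + base64.b64encode(b"passphrase=hunter2-example").decode(),
    "token_hex=" + b"secret=example-token".hex(),
]

if __name__ == "__main__":
    print(audit_lines(SAMPLE_LOG))
```

Lines 4 and 5 of the sample contain no readable keyword, yet they are reported because the decoded text matches the same patterns as the cleartext lines.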

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-312

Consequences

Confidentiality: Read Application Data

Potential Mitigations

CVE References

  • CVE-2002-1696
    • Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
  • CVE-2004-2397
    • Cleartext storage of private key and passphrase in log file when user imports the key.