VYPR

CWE-256

Plaintext Storage of a Password

BaseIncompleteLikelihood: High

Description

The product stores a password in plaintext within resources such as memory or files.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (153)

page 5 of 8
  • CVE-2025-53665Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-53664Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2025-53662Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2025-53660Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-53656Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins…

  • CVE-2025-53655Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it.

  • CVE-2023-48700Nov 21, 2023
    risk 0.00cvss epss 0.00

    The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to…

  • CVE-2023-4918Sep 12, 2023
    risk 0.00cvss epss 0.00

    A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights…

  • CVE-2023-2633May 16, 2023
    risk 0.00cvss epss 0.00

    Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server API keys displayed on the configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2023-2632May 16, 2023
    risk 0.00cvss epss 0.01

    Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2022-43757Feb 7, 2023
    risk 0.00cvss epss 0.01

    A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to…

  • CVE-2023-24442Jan 24, 2023
    risk 0.00cvss epss 0.00

    Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins…

  • CVE-2023-24450Jan 24, 2023
    risk 0.00cvss epss 0.01

    Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2023-24454Jan 24, 2023
    risk 0.00cvss epss 0.00

    Jenkins TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2023-24439Jan 24, 2023
    risk 0.00cvss epss 0.00

    Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-45392Nov 15, 2022
    risk 0.00cvss epss 0.01

    Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2022-45384Nov 15, 2022
    risk 0.00cvss epss 0.01

    Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

  • CVE-2022-3644Oct 25, 2022
    risk 0.00cvss epss 0.00

    The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.

  • CVE-2022-43419Oct 19, 2022
    risk 0.00cvss epss 0.01

    Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2022-43426Oct 19, 2022
    risk 0.00cvss epss 0.01

    Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.