CWE-311
Missing Encryption of Sensitive Data
Description
The product does not encrypt sensitive or critical information before storage or transmission.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-157 · CAPEC-158 · CAPEC-204 · CAPEC-31 · CAPEC-37 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-477 · CAPEC-609 · CAPEC-65
CVEs mapped to this weakness (303)
Page 11 of 16

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-41124 | — | Med | 0.34 | 6.3 | 0.00 | | Jul 19, 2024 | Puncia is the Official CLI utility for Subdomain Center & Exploit Observer. `API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized Data Access & MITM Attacks. This issue has been addressed in… |
| CVE-2023-46219 | | Med | 0.34 | 5.3 | 0.01 | | Dec 12, 2023 | When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. |
| CVE-2018-10825 | | Med | 0.34 | 5.3 | 0.00 | | May 15, 2018 | Mimo Baby 2 devices do not use authentication or encryption for the Bluetooth Low Energy (BLE) communication from a Turtle to a Lilypad, which allows attackers to inject fake information about the position and temperature of a baby via a replay or spoofing attack. |
| CVE-2024-38283 | — | Med | 0.33 | — | 0.00 | | Jun 13, 2024 | Sensitive customer information is stored in the device without encryption. |
| CVE-2025-13453 | | Med | 0.30 | 4.6 | 0.00 | | Jan 14, 2026 | A potential vulnerability was reported in some ThinkPlus USB drives that could allow a user with physical access to read data stored on the drive. |
| CVE-2024-7142 | | Med | 0.30 | 4.6 | 0.00 | | Jan 10, 2025 | On Arista CloudVision Appliance (CVA) affected releases running on appliances that support hardware disk encryption (DCA-350E-CV only), the disk encryption might not be successfully performed. This results in the disks remaining unsecured and data on them |
| CVE-2018-8849 | | Med | 0.30 | 4.6 | 0.00 | | May 18, 2018 | Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician Programme and 8870 N'Vision removable Application Card do not encrypt PII and PHI while at rest. |
| CVE-2017-14012 | | Med | 0.30 | 4.6 | 0.00 | | May 1, 2018 | Boston Scientific ZOOM LATITUDE PRM Model 3120 does not encrypt PHI at rest. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. |
| CVE-2018-4847 | | Med | 0.30 | 4.6 | 0.00 | | Apr 23, 2018 | A vulnerability has been identified in SIMATIC WinCC OA Operator iOS App (All versions < V1.4). Insufficient protection of sensitive information (e.g. session key for accessing server) in Siemens WinCC OA Operator iOS app could allow an attacker with physical access to the… |
| CVE-2017-8769 | | Med | 0.30 | 4.6 | 0.00 | | May 18, 2017 | Facebook WhatsApp Messenger before 2.16.323 for Android uses the SD card for cleartext storage of files (Audio, Documents, Images, Video, and Voice Notes) associated with a chat, even after that chat is deleted. There may be users who expect file deletion to occur upon chat… |
| CVE-2017-8168 | | Med | 0.28 | 4.3 | 0.00 | | Nov 22, 2017 | FusionSphere OpenStack with software V100R006C00SPC102(NFV) and V100R006C10 have an information leak vulnerability. Due to an incorrect configuration item, the information transmitted by a transmission channel is not encrypted. An attacker accessing the internal network may… |
| CVE-2025-8763 | | Low | 0.24 | 3.7 | 0.00 | | Aug 9, 2025 | A vulnerability was found in Ruijie EG306MG 3.0(1)B11P309. It has been rated as problematic. This issue affects some unknown processing of the file /etc/strongswan.conf of the component strongSwan. The manipulation of the argument i_dont_care_about_security_and_use_aggressive_mod… |
| CVE-2018-8864 | | Low | 0.20 | 3.1 | 0.00 | | May 25, 2018 | In ATI Systems Emergency Mass Notification Systems (HPSS16, HPSS32, MHPSS, and ALERT4000) devices, a missing encryption of sensitive data vulnerability caused by specially crafted malicious radio transmissions may allow an attacker to remotely trigger false alarms. |
| CVE-2025-47274 | | Low | 0.09 | — | 0.00 | | May 12, 2025 | ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the ordering of code used to start an MCP server container, versions of ToolHive prior to 0.0.33 inadvertently store secrets in the run config files which are… |
| CVE-2025-1243 | | Low | 0.06 | — | 0.00 | | Feb 12, 2025 | The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the `update response`… |
| CVE-2026-27944 | | | 0.01 | — | 0.22 | | Mar 5, 2026 | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an… |
| CVE-2026-55568 | | | 0.00 | — | 0.00 | | Jun 19, 2026 | The built-in cURL handlers (`GuzzleHttp\Handler\CurlHandler` and `GuzzleHttp\Handler\CurlMultiHandler`, used by default whenever the PHP cURL extension is available) accept an `https://` proxy — a proxy reached over a TLS-encrypted connection — through the… |
| CVE-2025-64147 | | | 0.00 | — | 0.00 | | Oct 29, 2025 | Jenkins Curseforge Publisher Plugin 1.0 does not mask API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| CVE-2025-64146 | | | 0.00 | — | 0.00 | | Oct 29, 2025 | Jenkins Curseforge Publisher Plugin 1.0 stores API Keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. |
| CVE-2025-64145 | | | 0.00 | — | 0.00 | | Oct 29, 2025 | Jenkins ByteGuard Build Actions Plugin 1.0 does not mask API tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |