VYPR

CWE-311

Missing Encryption of Sensitive Data

Abstraction: Class · Status: Draft · Likelihood of Exploit: High

Description

The product does not encrypt sensitive or critical information before storage or transmission.
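Several of the CVEs mapped below are the cookie form of this weakness: a session or auth cookie set during an HTTPS session without the Secure attribute, so the browser will also send it in cleartext if the site is ever reached over plain HTTP. The following is an added example, not code from this page or from any product listed on it, showing how such a header is audited and what the hardened form looks like. The sample headers are constructed, and the cookie-name hints used to decide which cookies count as sensitive are an assumption for the example.

```python
# Added example, not code from this page or from any product listed on it.
# Audits Set-Cookie headers for the cookie form of CWE-311: a sensitive cookie
# issued in an HTTPS session without the Secure attribute, which lets a browser
# send it in cleartext if the site is ever reached over plain HTTP.
from dataclasses import dataclass, field

# Heuristic name fragments that mark a cookie as sensitive (assumption for the example).
SENSITIVE_NAME_HINTS = ("sess", "sid", "token", "auth", "jwt", "csrf", "login")


@dataclass
class CookieFinding:
    name: str
    issues: list[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def looks_sensitive(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def audit_set_cookie(header: str) -> CookieFinding:
    """Return the issues found for one Set-Cookie header (empty list if clean)."""
    name, _, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    if not looks_sensitive(name):
        return finding
    if "secure" not in attrs:
        finding.issues.append("missing-secure")
    if "httponly" not in attrs:
        finding.issues.append("missing-httponly")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        # Browsers reject SameSite=None without Secure, so the cookie is silently dropped.
        finding.issues.append("samesite-none-without-secure")
    return finding


def hardened_set_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """The header a server should emit for a session cookie over HTTPS."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def audit_all(headers: list[str]) -> list[tuple[str, list[str]]]:
    """Audit several headers; return (name, issues) only for cookies with problems."""
    results = [audit_set_cookie(h) for h in headers]
    return [(f.name, f.issues) for f in results if f.issues]


# Constructed sample headers for the example; they are not taken from any listed product.
SAMPLE_HEADERS = [
    "psession=3f9a1c; Path=/; HttpOnly",                 # sensitive, no Secure
    "theme=dark; Path=/; Max-Age=31536000",              # not sensitive, ignored
    "auth_token=eyJhbGci; Path=/; SameSite=None",        # no Secure, no HttpOnly
    hardened_set_cookie("psession", "3f9a1c"),           # clean
]

if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_HEADERS):
        print(f"{name}: {', '.join(issues)}")
```

The check is a header-level one: it does not prove the cookie is sensitive, only that a cookie whose name suggests it is would leave the browser over cleartext. Pair it with a test that requests the login page over `http://` and confirms the cookie is absent from the request, which is the behaviour the Secure attribute actually guarantees.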

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-157 · CAPEC-158 · CAPEC-204 · CAPEC-31 · CAPEC-37 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-477 · CAPEC-609 · CAPEC-65

CVEs mapped to this weakness (303)

page 13 of 16
  • CVE-2024-24768 (Feb 5, 2024)
    risk 0.00 · cvss n/a · epss 0.00

    1Panel is an open source Linux server operation and maintenance management panel. The HTTPS cookie that comes with the panel does not have the Secure keyword, which may cause the cookie to be sent in plain text if accessed using HTTP. This issue has been patched in version…

  • CVE-2023-43618 (Sep 20, 2023)
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an ips? message.

  • CVE-2023-38699 (Aug 4, 2023)
    risk 0.00 · cvss n/a · epss 0.00

    MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with `verify=False` disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests…

  • CVE-2023-38688 (Aug 4, 2023)
    risk 0.00 · cvss n/a · epss 0.00

    twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, the connection is not using TLS for communication. In the configuration of the irc connection, the software disables TLS, which makes all communication to Twitch IRC servers unencrypted. As a result,…

  • CVE-2023-37943 (Jul 12, 2023)
    risk 0.00 · cvss n/a · epss 0.00

    Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory…

  • CVE-2023-32982 (May 16, 2023)
    risk 0.00 · cvss n/a · epss 0.00

    Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2023-28841 (Apr 4, 2023)
    risk 0.00 · cvss n/a · epss 0.01

    Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as…

  • CVE-2023-0690 (Feb 8, 2023)
    risk 0.00 · cvss n/a · epss 0.00

    HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This…

  • CVE-2018-25060 (Dec 30, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file csrf.go. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The attack may be launched remotely.…

  • CVE-2021-4239 (Dec 27, 2022)
    risk 0.00 · cvss n/a · epss 0.00

    The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing…

  • CVE-2022-4683 (Dec 23, 2022)
    risk 0.00 · cvss n/a · epss 0.00

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0.

  • CVE-2022-4409 (Dec 11, 2022)
    risk 0.00 · cvss n/a · epss 0.00

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9.

  • CVE-2022-3250 (Sep 21, 2022)
    risk 0.00 · cvss n/a · epss 0.00

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6.

  • CVE-2022-3174 (Sep 13, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2.

  • CVE-2015-3207 (Jul 7, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    In OpenShift Origin 3 the cookies being set in the console have no 'secure' or 'HttpOnly' attributes.

  • CVE-2022-2097 (Jul 5, 2022)
    risk 0.00 · cvss n/a · epss 0.02

    AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in…

  • CVE-2022-21951 (May 25, 2022)
    risk 0.00 · cvss n/a · epss 0.00

    A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher, Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI…

  • CVE-2022-27206 (Mar 15, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-23116 (Jan 12, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

  • CVE-2021-33900 (Jul 26, 2021)
    risk 0.00 · cvss n/a · epss 0.01

    While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not…