CWE-311
Missing Encryption of Sensitive Data
Description
The product does not encrypt sensitive or critical information before storage or transmission.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-157 · CAPEC-158 · CAPEC-204 · CAPEC-31 · CAPEC-37 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-477 · CAPEC-609 · CAPEC-65
CVEs mapped to this weakness (303)
page 13 of 16

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-24768 | | | 0.00 | — | 0.00 | | Feb 5, 2024 | 1Panel is an open source Linux server operation and maintenance management panel. The HTTPS cookie that comes with the panel does not have the Secure keyword, which may cause the cookie to be sent in plain text if accessed using HTTP. This issue has been patched in version… |
| CVE-2023-43618 | | — | 0.00 | — | 0.00 | | Sep 20, 2023 | An issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an ips? message. |
| CVE-2023-38699 | | | 0.00 | — | 0.00 | | Aug 4, 2023 | MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with `verify=False` disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests… |
| CVE-2023-38688 | | | 0.00 | — | 0.00 | | Aug 4, 2023 | twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, the connection is not using TLS for communication. In the configuration of the irc connection, the software disables TLS, which makes all communication to Twitch IRC servers unencrypted. As a result,… |
| CVE-2023-37943 | | | 0.00 | — | 0.00 | | Jul 12, 2023 | Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory… |
| CVE-2023-32982 | | | 0.00 | — | 0.00 | | May 16, 2023 | Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. |
| CVE-2023-28841 | | | 0.00 | — | 0.01 | | Apr 4, 2023 | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is commonly referred to as… |
| CVE-2023-0690 | | | 0.00 | — | 0.00 | | Feb 8, 2023 | HashiCorp Boundary from 0.10.0 through 0.11.2 contains an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This… |
| CVE-2018-25060 | | — | 0.00 | — | 0.01 | | Dec 30, 2022 | A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file csrf.go. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The attack may be launched remotely.… |
| CVE-2021-4239 | | — | 0.00 | — | 0.00 | | Dec 27, 2022 | The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing… |
| CVE-2022-4683 | | — | 0.00 | — | 0.00 | | Dec 23, 2022 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0. |
| CVE-2022-4409 | | — | 0.00 | — | 0.00 | | Dec 11, 2022 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.1.9. |
| CVE-2022-3250 | | — | 0.00 | — | 0.00 | | Sep 21, 2022 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.6. |
| CVE-2022-3174 | | — | 0.00 | — | 0.01 | | Sep 13, 2022 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository ikus060/rdiffweb prior to 2.4.2. |
| CVE-2015-3207 | | — | 0.00 | — | 0.01 | | Jul 7, 2022 | In Openshift Origin 3 the cookies being set in console have no 'secure', 'HttpOnly' attributes. |
| CVE-2022-2097 | | | 0.00 | — | 0.02 | | Jul 5, 2022 | AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in… |
| CVE-2022-21951 | | | 0.00 | — | 0.00 | | May 25, 2022 | A Cleartext Transmission of Sensitive Information vulnerability in SUSE Rancher, Rancher allows attackers on the network to read and change network data due to missing encryption of data transmitted via the network when a cluster is created from an RKE template with the CNI… |
| CVE-2022-27206 | | | 0.00 | — | 0.01 | | Mar 15, 2022 | Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2022-23116 | | | 0.00 | — | 0.01 | | Jan 12, 2022 | Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method. |
| CVE-2021-33900 | | | 0.00 | — | 0.01 | | Jul 26, 2021 | While investigating DIRSTUDIO-1219 it was noticed that configured StartTLS encryption was not applied when any SASL authentication mechanism (DIGEST-MD5, GSSAPI) was used. While investigating DIRSTUDIO-1220 it was noticed that any configured SASL confidentiality layer was not… |