CWE-311
Missing Encryption of Sensitive Data
Description
The product does not encrypt sensitive or critical information before storage or transmission.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-157 · CAPEC-158 · CAPEC-204 · CAPEC-31 · CAPEC-37 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388 · CAPEC-477 · CAPEC-609 · CAPEC-65
CVEs mapped to this weakness (303)
page 14 of 16| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-2249 | — | 0.00 | — | 0.00 | Sep 1, 2020 | Jenkins Team Foundation Server Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. | ||
| CVE-2020-2250 | 0.00 | — | 0.01 | Sep 1, 2020 | Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system. | |||
| CVE-2020-2239 | 0.00 | — | 0.01 | Sep 1, 2020 | Jenkins Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. | |||
| CVE-2017-18909 | — | 0.00 | — | 0.01 | Jun 19, 2020 | An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory. | ||
| CVE-2020-12691 | — | 0.00 | — | 0.05 | May 6, 2020 | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to… | ||
| CVE-2020-12692 | — | 0.00 | — | 0.01 | May 6, 2020 | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. | ||
| CVE-2019-10363 | 0.00 | — | 0.01 | Jul 31, 2019 | Jenkins Configuration as Code Plugin 1.24 and earlier did not reliably identify sensitive values expected to be exported in their encrypted form. | |||
| CVE-2019-5448 | — | 0.00 | — | 0.01 | Jul 30, 2019 | Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network. | ||
| CVE-2019-11405 | 0.00 | — | 0.01 | Apr 21, 2019 | OpenAPI Tools OpenAPI Generator before 4.0.0-20190419.052012-560 uses http:// URLs in various build.gradle, build.gradle.mustache, and build.sbt files, which may have caused insecurely resolved dependencies. | |||
| CVE-2019-11404 | 0.00 | — | 0.01 | Apr 21, 2019 | arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack. | |||
| CVE-2019-1003088 | 0.00 | — | 0.01 | Apr 4, 2019 | Jenkins Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||
| CVE-2019-1003089 | 0.00 | — | 0.01 | Apr 4, 2019 | Jenkins Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||
| CVE-2019-1003095 | 0.00 | — | 0.01 | Apr 4, 2019 | Jenkins Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||
| CVE-2019-1003094 | 0.00 | — | 0.01 | Apr 4, 2019 | Jenkins Open STF Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||
| CVE-2019-1003062 | 0.00 | — | 0.01 | Apr 4, 2019 | Jenkins AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||
| CVE-2019-1003056 | 0.00 | — | 0.01 | Apr 4, 2019 | Jenkins WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. | |||
| CVE-2019-1003066 | 0.00 | — | 0.01 | Apr 4, 2019 | Jenkins Bugzilla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||
| CVE-2019-1003071 | 0.00 | — | 0.01 | Apr 4, 2019 | Jenkins OctopusDeploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||
| CVE-2019-1003064 | 0.00 | — | 0.01 | Apr 4, 2019 | Jenkins aws-device-farm Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. | |||
| CVE-2019-1003060 | 0.00 | — | 0.01 | Apr 4, 2019 | Jenkins Official OWASP ZAP Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
- CVE-2020-2249Sep 1, 2020risk 0.00cvss —epss 0.00
Jenkins Team Foundation Server Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
- CVE-2020-2250Sep 1, 2020risk 0.00cvss —epss 0.01
Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.
- CVE-2020-2239Sep 1, 2020risk 0.00cvss —epss 0.01
Jenkins Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.
- CVE-2017-18909Jun 19, 2020risk 0.00cvss —epss 0.01
An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
- CVE-2020-12691May 6, 2020risk 0.00cvss —epss 0.05
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to…
- CVE-2020-12692May 6, 2020risk 0.00cvss —epss 0.01
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.
- CVE-2019-10363Jul 31, 2019risk 0.00cvss —epss 0.01
Jenkins Configuration as Code Plugin 1.24 and earlier did not reliably identify sensitive values expected to be exported in their encrypted form.
- CVE-2019-5448Jul 30, 2019risk 0.00cvss —epss 0.01
Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Data due to HTTP URLs in lockfile causing unencrypted authentication data to be sent over the network.
- CVE-2019-11405Apr 21, 2019risk 0.00cvss —epss 0.01
OpenAPI Tools OpenAPI Generator before 4.0.0-20190419.052012-560 uses http:// URLs in various build.gradle, build.gradle.mustache, and build.sbt files, which may have caused insecurely resolved dependencies.
- CVE-2019-11404Apr 21, 2019risk 0.00cvss —epss 0.01
arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.
- CVE-2019-1003088Apr 4, 2019risk 0.00cvss —epss 0.01
Jenkins Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
- CVE-2019-1003089Apr 4, 2019risk 0.00cvss —epss 0.01
Jenkins Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
- CVE-2019-1003095Apr 4, 2019risk 0.00cvss —epss 0.01
Jenkins Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2019-1003094Apr 4, 2019risk 0.00cvss —epss 0.01
Jenkins Open STF Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2019-1003062Apr 4, 2019risk 0.00cvss —epss 0.01
Jenkins AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2019-1003056Apr 4, 2019risk 0.00cvss —epss 0.01
Jenkins WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
- CVE-2019-1003066Apr 4, 2019risk 0.00cvss —epss 0.01
Jenkins Bugzilla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2019-1003071Apr 4, 2019risk 0.00cvss —epss 0.01
Jenkins OctopusDeploy Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2019-1003064Apr 4, 2019risk 0.00cvss —epss 0.01
Jenkins aws-device-farm Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
- CVE-2019-1003060Apr 4, 2019risk 0.00cvss —epss 0.01
Jenkins Official OWASP ZAP Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.