VYPR

CWE-312

Cleartext Storage of Sensitive Information

BaseDraft

Description

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-37

CVEs mapped to this weakness (269)

page 11 of 14
  • CVE-2023-50772Dec 13, 2023
    risk 0.00cvss epss 0.00

    Jenkins Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2023-50770Dec 13, 2023
    risk 0.00cvss epss 0.00

    Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that…

  • CVE-2015-8314Dec 12, 2023
    risk 0.00cvss epss 0.01

    The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.

  • CVE-2023-48707Nov 24, 2023
    risk 0.00cvss epss 0.00

    CodeIgniter Shield is an authentication and authorization provider for CodeIgniter 4. The `secretKey` value is an important key for HMAC SHA256 authentication and in affected versions was stored in the database in cleartext form. If a malicious person somehow had access to the…

  • CVE-2023-46653Oct 25, 2023
    risk 0.00cvss epss 0.00

    Jenkins lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level, potentially resulting in its exposure.

  • CVE-2023-46128Oct 24, 2023
    risk 0.00cvss epss 0.01

    Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=` query parameter, can expose hashed user passwords as…

  • CVE-2023-41335Sep 26, 2023
    risk 0.00cvss epss 0.00

    Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the…

  • CVE-2023-34236Jul 14, 2023
    risk 0.00cvss epss 0.01

    Weave GitOps Terraform Controller (aka Weave TF-controller) is a controller for Flux to reconcile Terraform resources in a GitOps way. A vulnerability has been identified in Weave GitOps Terraform Controller which could allow an authenticated remote attacker to view sensitive…

  • CVE-2023-32983May 16, 2023
    risk 0.00cvss epss 0.00

    Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2023-32982May 16, 2023
    risk 0.00cvss epss 0.00

    Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2023-30853Apr 28, 2023
    risk 0.00cvss epss 0.00

    Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially…

  • CVE-2023-29471Apr 27, 2023
    risk 0.00cvss epss 0.00

    Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

  • CVE-2023-22894Apr 19, 2023
    risk 0.00cvss epss 0.02

    Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super…

  • CVE-2023-30531Apr 12, 2023
    risk 0.00cvss epss 0.00

    Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it.

  • CVE-2023-30530Apr 12, 2023
    risk 0.00cvss epss 0.00

    Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2023-30528Apr 12, 2023
    risk 0.00cvss epss 0.00

    Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it.

  • CVE-2023-30527Apr 12, 2023
    risk 0.00cvss epss 0.00

    Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2023-30523Apr 12, 2023
    risk 0.00cvss epss 0.00

    Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file…

  • CVE-2023-0690Feb 8, 2023
    risk 0.00cvss epss 0.00

    HashiCorp Boundary from 0.10.0 through 0.11.2 contain an issue where when using a PKI-based worker with a Key Management Service (KMS) defined in the configuration file, new credentials created after an automatic rotation may not have been encrypted via the intended KMS. This…

  • CVE-2022-43757Feb 7, 2023
    risk 0.00cvss epss 0.01

    A Cleartext Storage of Sensitive Information vulnerability in SUSE Rancher allows users on managed clusters to gain access to credentials. The impact depends on the credentials exposed This issue affects: SUSE Rancher Rancher versions prior to 2.5.17; Rancher versions prior to…