CWE-312
Cleartext Storage of Sensitive Information
Description
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-37
CVEs mapped to this weakness (269)
page 13 of 14

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-26228 | | | 0.00 | — | 0.01 | | Nov 23, 2020 | TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 user session identifiers were stored in cleartext - without processing with additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly… |
| CVE-2020-2274 | | | 0.00 | — | 0.00 | | Sep 16, 2020 | Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2020-17495 | | — | 0.00 | — | 0.01 | | Aug 11, 2020 | django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database. |
| CVE-2020-15105 | | | 0.00 | — | 0.01 | | Jul 10, 2020 | Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a… |
| CVE-2020-12458 | | — | 0.00 | — | 0.00 | | Apr 29, 2020 | An information-disclosure flaw was found in Grafana through 6.7.3. The database directory /var/lib/grafana and database file /var/lib/grafana/grafana.db are world readable. This can result in exposure of sensitive information (e.g., cleartext or encrypted datasource passwords). |
| CVE-2020-2177 | | | 0.00 | — | 0.01 | | Apr 16, 2020 | Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |
| CVE-2020-2164 | | | 0.00 | — | 0.01 | | Mar 25, 2020 | Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. |
| CVE-2019-10682 | | — | 0.00 | — | 0.01 | | Mar 18, 2020 | django-nopassword before 5.0.0 stores cleartext secrets in the database. |
| CVE-2020-2154 | | | 0.00 | — | 0.00 | | Mar 9, 2020 | Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier stores its credentials in plain text in a global configuration file on the Jenkins master file system. |
| CVE-2019-14825 | | | 0.00 | — | 0.01 | | Nov 25, 2019 | A cleartext password storage issue was discovered in Katello, versions 3.x.x.x before katello 3.12.0.9. Registry credentials used during container image discovery were inadvertently logged without being masked. This flaw could expose the registry credentials to other privileged… |
| CVE-2019-8118 | | | 0.00 | — | 0.01 | | Nov 5, 2019 | Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts. |
| CVE-2019-10453 | | | 0.00 | — | 0.00 | | Oct 16, 2019 | Jenkins Delphix Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| CVE-2019-10452 | | | 0.00 | — | 0.00 | | Oct 16, 2019 | Jenkins View26 Test-Reporting Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |
| CVE-2019-10450 | | | 0.00 | — | 0.00 | | Oct 16, 2019 | Jenkins ElasticBox CI Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| CVE-2019-10451 | | | 0.00 | — | 0.00 | | Oct 16, 2019 | Jenkins SOASTA CloudTest Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. |
| CVE-2019-10449 | | | 0.00 | — | 0.01 | | Oct 16, 2019 | Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |
| CVE-2019-10447 | | | 0.00 | — | 0.01 | | Oct 16, 2019 | Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |
| CVE-2019-10448 | | | 0.00 | — | 0.01 | | Oct 16, 2019 | Jenkins Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system. |
| CVE-2019-10443 | | | 0.00 | — | 0.02 | | Oct 16, 2019 | Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. |
| CVE-2019-10440 | | | 0.00 | — | 0.01 | | Oct 16, 2019 | Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system. |