CWE-319
Cleartext Transmission of Sensitive Information
Description
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-117 · CAPEC-383 · CAPEC-477 · CAPEC-65
CVEs mapped to this weakness (302)
Page 12 of 16

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2026-32034 | 0.00 | — | 0.00 | Mar 19, 2026 | OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker… |
| CVE-2025-52490 | 0.00 | — | 0.00 | Jul 29, 2025 | An issue was discovered in Couchbase Sync Gateway before 3.2.6. In sgcollect_info_options.log and sync_gateway.log, there are cleartext passwords in redacted and unredacted output. |
| CVE-2025-32793 | 0.00 | — | 0.00 | Apr 21, 2025 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.15.0 to 1.15.15, 1.16.0 to 1.16.8, and 1.17.0 to 1.17.2, are vulnerable when using Wireguard transparent encryption in a Cilium cluster, packets that originate from a… |
| CVE-2024-43432 | 0.00 | — | 0.00 | Nov 11, 2024 | A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs. |
| CVE-2024-47833 | 0.00 | — | 0.00 | Oct 9, 2024 | Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and… |
| CVE-2024-38167 | 0.00 | — | 0.01 | Aug 13, 2024 | .NET and Visual Studio Information Disclosure Vulnerability |
| CVE-2024-39459 | 0.00 | — | 0.00 | Jun 26, 2024 | In rare cases Jenkins Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global… |
| CVE-2024-35058 | 0.00 | — | 0.00 | May 21, 2024 | An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string. |
| CVE-2024-35057 | 0.00 | — | 0.00 | May 21, 2024 | An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet. |
| CVE-2024-35059 | 0.00 | — | 0.00 | May 21, 2024 | An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands. |
| CVE-2024-28250 | 0.00 | — | 0.00 | Mar 18, 2024 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.8 and 1.15.2, In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies Wireguard-eligible traffic that is sent… |
| CVE-2024-28249 | 0.00 | — | 0.00 | Mar 18, 2024 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.13.13, 1.14.8, and 1.15.2, in Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, IPsec-eligible traffic between a node's Envoy proxy and pods on… |
| CVE-2024-25631 | 0.00 | — | 0.00 | Feb 20, 2024 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted. This issue affects Cilium v1.14… |
| CVE-2024-25630 | 0.00 | — | 0.00 | Feb 20, 2024 | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, traffic to/from the Ingress and health endpoints is not… |
| CVE-2024-0056 | 0.00 | — | 0.01 | Jan 9, 2024 | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability |
| CVE-2023-4918 | 0.00 | — | 0.00 | Sep 12, 2023 | A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights… |
| CVE-2023-33187 | 0.00 | — | 0.00 | May 26, 2023 | Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates… |
| CVE-2023-30841 | 0.00 | — | 0.00 | Apr 26, 2023 | Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This… |
| CVE-2023-30515 | 0.00 | — | 0.00 | Apr 12, 2023 | Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. |
| CVE-2023-30514 | 0.00 | — | 0.00 | Apr 12, 2023 | Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. |