Base · Medium

CWE-312: Cleartext Storage of Sensitive Information

CWE-312 · Base Level · 21 CVEs · 2 Mitigations

Description

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Sensitive Data Exposure

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

The following code excerpt stores a plaintext user account ID in a browser cookie.
Bad

    response.addCookie(new Cookie("userAccountID", acctID));
Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.
This code writes a user's login information to a cookie so the user does not have to log in again later.
Bad

    function persistLogin($username, $password) {
        $data = array("username" => $username, "password" => $password);
        setcookie("userdata", $data);
    }
The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie.
Note that this example also exhibits Plaintext Storage in a Cookie (CWE-315).
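The two cookie excerpts above put an account identifier and a username/password pair into a client-side cookie in cleartext. The following example is added for this page (it is not code from the CWE entry) and contrasts that pattern with the usual mitigation: the cookie carries only an opaque random session id, and the server keeps the mapping from that id to the account. It uses Python's standard library only; the in-memory SESSIONS dictionary and the sample credentials are constructed stand-ins for a real session backend.

```python
import hashlib
import json
import secrets
from typing import List, Optional

# Constructed in-memory session store standing in for a server-side backend.
# Keyed by a hash of the session id so that a leaked copy of this table cannot
# be replayed directly as a cookie.
SESSIONS: dict = {}


def _hash(session_id: str) -> str:
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


def persist_login_bad(username: str, password: str) -> str:
    """Mirrors the page's PHP persistLogin(): the Set-Cookie value carries the
    credentials themselves in cleartext (CWE-312 / CWE-315)."""
    return "userdata=" + json.dumps({"username": username, "password": password})


def persist_login_good(username: str) -> str:
    """Issue an opaque, unguessable session id and return the Set-Cookie value.
    The cookie reveals nothing about the account; only the server can resolve it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[_hash(session_id)] = {"username": username}
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def lookup_session(cookie_header: str) -> Optional[str]:
    """Resolve the 'session' cookie from a request Cookie header
    (e.g. 'session=<id>; other=1') back to the logged-in username."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            record = SESSIONS.get(_hash(value))
            return record["username"] if record else None
    return None


def cookie_leaks(cookie_value: str, sensitive_values: List[str]) -> bool:
    """Simple review check: does the cookie contain any of the given secrets verbatim?"""
    return any(s in cookie_value for s in sensitive_values)


if __name__ == "__main__":
    bad = persist_login_bad("alice", "hunter2!")
    good = persist_login_good("alice")
    print("bad cookie leaks password:", cookie_leaks(bad, ["hunter2!"]))
    print("good cookie leaks password:", cookie_leaks(good, ["hunter2!"]))
    print("good cookie resolves to:", lookup_session(good))
```

The Secure, HttpOnly and SameSite attributes are the standard cookie flags; they limit where the opaque id travels but are not what removes the weakness, which is that the secret itself never leaves the server.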
The following code attempts to establish a connection, read in a password, then store it to a buffer.
Bad

    server.sin_family = AF_INET;
    hp = gethostbyname(argv[1]);
    if (hp == NULL)
        error("Unknown host");
    memcpy((char *)&server.sin_addr, (char *)hp->h_addr, hp->h_length);
    if (argc < 3)
        port = 80;
    else
        port = (unsigned short)atoi(argv[3]);
    server.sin_port = htons(port);
    if (connect(sock, (struct sockaddr *)&server, sizeof server) < 0)
        error("Connecting");
    ...
    while ((n = read(sock, buffer, BUFSIZE - 1)) != -1) {
        write(dfd, password_buffer, n);
        ...
    }
Although the connection and the read succeed, the program writes the password to the buffer and then to the descriptor dfd without encrypting it, possibly exposing it to unauthorized actors.
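The C excerpt above writes the password bytes it just received straight to a file descriptor. Where the stored value only ever needs to be checked later (a login password), the fix is not to store the secret at all: keep a salted scrypt verifier in a file that only the owner can read. The example below is added for this page, is not part of the CWE entry, uses only the Python standard library, and its file name, sample password and scrypt work factors are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# scrypt work factors, constructed for this example (raise SCRYPT_N for production hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def store_password_verifier(path: str, password: str) -> None:
    """Write salt:hash (never the password itself) to a file created with mode 0600."""
    salt = secrets.token_bytes(16)
    record = f"{salt.hex()}:{_derive(password, salt).hex()}\n"
    # Explicit mode at creation time, so the file is never world-readable even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(record)


def verify_password(path: str, candidate: str) -> bool:
    """Recompute the verifier for the candidate and compare in constant time."""
    with open(path) as f:
        salt_hex, digest_hex = f.read().strip().split(":")
    expected = bytes.fromhex(digest_hex)
    return hmac.compare_digest(_derive(candidate, bytes.fromhex(salt_hex)), expected)


def file_is_owner_only(path: str) -> bool:
    """True if no group/other permission bits are set (the CVE-2009-1466 style check)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def file_contains(path: str, needle: str) -> bool:
    """True if the literal secret appears in the file, i.e. it was stored in cleartext."""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def demo(password: str = "hunter2!") -> dict:
    """Run the round trip in a temporary directory and report the checks a reviewer wants."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "verifier.txt")  # constructed path
        store_password_verifier(path, password)
        return {
            "correct_accepted": verify_password(path, password),
            "wrong_rejected": not verify_password(path, password + "x"),
            "owner_only": file_is_owner_only(path),
            "cleartext_on_disk": file_contains(path, password),
        }


if __name__ == "__main__":
    print(demo())
```

This covers the case where only verification is needed. When the stored value must be recovered in the clear later (a database password the application itself has to present), a verifier is not enough and the value has to be encrypted under a key held outside the file, which is the situation the configuration-file examples below address.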
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information, but it is stored in cleartext.
This Java example shows a properties file with a cleartext username / password pair.
Bad

    # Java Web App ResourceBundle properties file
    ...
    webapp.ldap.username=secretUsername
    webapp.ldap.password=secretPassword
    ...
The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext.
Bad

    ...
    <connectionStrings>
        <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
    </connectionStrings>
    ...
Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.
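Both fragments above would be caught by a simple cleartext-credential scan of the kind static analysis tools run over configuration files. The scanner below is an added example written for this page, not code from the CWE entry or from any particular SAST product. It flags property keys and connection-string parameters whose name indicates a secret and whose value is a literal rather than a reference to an external secret source, and runs over constructed copies of the page's two "Bad" files. Treating `${...}` and `%...%` as placeholders is an assumption about the configuration convention in use.

```python
import re
from typing import List, Tuple

# Constructed copies of the page's two "Bad" fragments, used as sample input.
PROPERTIES_SAMPLE = """# Java Web App ResourceBundle properties file
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
webapp.ldap.timeout=30
"""

WEB_CONFIG_SAMPLE = """<connectionStrings>
  <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>
"""

# Key names that conventionally hold a secret (matched as whole words, case-insensitively).
SECRET_KEY_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b")
# Values that refer to an external secret source instead of embedding the secret
# (assumed conventions: ${VAR}, %VAR%, or an explicit <<redacted>> marker).
PLACEHOLDER_RE = re.compile(r"^\s*(\$\{[^}]+\}|%[^%]+%|<<redacted>>)\s*$")
CONNSTR_RE = re.compile(r'connectionString="([^"]*)"')


def _is_cleartext(value: str) -> bool:
    value = value.strip().strip("\"'")
    return bool(value) and not PLACEHOLDER_RE.match(value)


def scan_properties(text: str) -> List[Tuple[int, str]]:
    """Return (line number, key) for every secret-named property with a literal value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "!")) or "=" not in line:
            continue  # comment or not a key=value line
        key, value = line.split("=", 1)
        if SECRET_KEY_RE.search(key) and _is_cleartext(value):
            findings.append((lineno, key.strip()))
    return findings


def scan_connection_strings(text: str) -> List[Tuple[int, str]]:
    """Return (line number, parameter) for secret-bearing parameters inside
    connectionString="..." attributes, e.g. the 'pwd=' of an ODBC string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CONNSTR_RE.finditer(line):
            for part in match.group(1).split(";"):
                if "=" not in part:
                    continue
                key, value = part.split("=", 1)
                if SECRET_KEY_RE.search(key) and _is_cleartext(value):
                    findings.append((lineno, key.strip()))
    return findings


if __name__ == "__main__":
    print("properties:", scan_properties(PROPERTIES_SAMPLE))
    print("web.config:", scan_connection_strings(WEB_CONFIG_SAMPLE))
```

A key whose value is a placeholder is deliberately not reported, so the same scan can be used to confirm that a file has been migrated to an external secret store: once every finding is gone, no literal credential remains in the file.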

Mitigations & Prevention

Implementation · System Configuration · Operation

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

Implementation · System Configuration · Operation

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

Detection Methods

  • Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID          Description
CVE-2022-26390  wireless battery product stores credentials and Personal Health Information (PHI) without encryption
CVE-2022-30275  Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
CVE-2009-2272   password and username stored in cleartext in a cookie
CVE-2009-1466   password stored in cleartext in a file with insecure permissions
CVE-2009-0152   chat program disables SSL in some circumstances even when the user says to use SSL.
CVE-2009-1603   Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
CVE-2009-0964   storage of unencrypted passwords in a database
CVE-2008-6157   storage of unencrypted passwords in a database
CVE-2008-6828   product stores a password in cleartext in memory
CVE-2008-1567   storage of a secret key in cleartext in a temporary file
CVE-2008-0174   SCADA product uses HTTP Basic Authentication, which is not encrypted
CVE-2007-5778   login credentials stored unencrypted in a registry key
CVE-2001-1481   Plaintext credentials in world-readable file.
CVE-2005-1828   Password in cleartext in config file.
CVE-2005-2209   Password in cleartext in config file.

Showing 15 of 21 observed examples.

Taxonomy Mappings

  • PLOVER — Plaintext Storage of Sensitive Information
  • Software Fault Patterns: SFP23 — Exposed Data
  • ISA/IEC 62443: Part 4-2 — Req CR 4.1 a)
  • ISA/IEC 62443: Part 3-3 — Req SR 4.1

Frequently Asked Questions

What is CWE-312?

CWE-312 (Cleartext Storage of Sensitive Information) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

How can CWE-312 be exploited?

Attackers can exploit CWE-312 (Cleartext Storage of Sensitive Information) to read application data. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-312?

Key mitigations include: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

What is the severity of CWE-312?

CWE-312 is classified as a Base-level weakness (Medium abstraction). It has been observed in 21 real-world CVEs.