Variant · Low-Medium

CWE-313: Cleartext Storage in a File or on Disk

The product stores sensitive information in cleartext in a file, or on disk.

CWE-313 · Variant Level · 5 CVEs

Description

The product stores sensitive information in cleartext in a file, or on disk.

The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information, but it is stored in cleartext.

This Java example shows a properties file with a cleartext username / password pair.

Bad

# Java Web App ResourceBundle properties file
...
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
...

The following example shows a portion of a configuration file for an ASP.NET application. This configuration file includes username and password information for a connection to a database, but the pair is stored in cleartext.

Bad

...
<connectionStrings>
    <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>
...

Username and password information should not be included in a configuration file or a properties file in cleartext, as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.
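As an added example (not part of the CWE entry), the following Python checker applies the page's two demonstrative cases as detection logic: it flags literal credential values in Java properties files and in ASP.NET connectionString attributes, skips placeholder values such as ${VAR} that reference an external secret store, and checks whether a file mode leaves the file world-readable (the condition behind CVE-2001-1481). The key patterns and sample inputs are constructed for this example.

```python
import re
import stat
import xml.etree.ElementTree as ET

# Constructed samples modelled on the page's two demonstrative examples.
PROPERTIES_SAMPLE = """# Java Web App ResourceBundle properties file
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
webapp.ldap.url=ldap://directory.example.internal
"""

WEB_CONFIG_SAMPLE = """<configuration>
  <connectionStrings>
    <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
  </connectionStrings>
</configuration>
"""

# Key names that usually carry a credential (assumed list, extend to taste).
SECRET_KEY = re.compile(r"(passw(or)?d|pwd|secret|passphrase|api[_-]?key)", re.I)
# Values that are empty or reference an external source (${VAR}, %VAR%, ****, <placeholder>).
PLACEHOLDER = re.compile(r"^\s*(\$\{.*\}|%.*%|\*+|<.*>)?\s*$")


def scan_properties(text):
    """Return (key, value) pairs whose key looks credential-bearing and whose value is a literal."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):  # comments in .properties files
            continue
        key, sep, value = line.partition("=")
        if sep and SECRET_KEY.search(key) and not PLACEHOLDER.match(value):
            findings.append((key.strip(), value.strip()))
    return findings


def scan_connection_strings(xml_text):
    """Return (name, key) pairs for connectionString entries that embed a literal password."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        for part in add.get("connectionString", "").split(";"):
            k, _, v = part.partition("=")
            if SECRET_KEY.search(k.strip()) and not PLACEHOLDER.match(v):
                findings.append((add.get("name"), k.strip()))
    return findings


def world_readable(mode):
    """True if the file mode grants read access to 'other' (e.g. 0o644)."""
    return bool(mode & stat.S_IROTH)
```

Run the two scanners over each config file at build or deploy time and fail the pipeline on any finding; pair that with a mode check so a file that must hold a secret is at least not world-readable.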

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

  • CVE-2001-1481 — Cleartext credentials in world-readable file.
  • CVE-2005-1828 — Password in cleartext in config file.
  • CVE-2005-2209 — Password in cleartext in config file.
  • CVE-2002-1696 — Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
  • CVE-2004-2397 — Cleartext storage of private key and passphrase in log file when user imports the key.

Taxonomy Mappings

  • PLOVER: — Plaintext Storage in File or on Disk
  • Software Fault Patterns: SFP23 — Exposed Data

Frequently Asked Questions

What is CWE-313?

CWE-313 (Cleartext Storage in a File or on Disk) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product stores sensitive information in cleartext in a file, or on disk.

How can CWE-313 be exploited?

Attackers can exploit CWE-313 (Cleartext Storage in a File or on Disk) to read application data. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-313?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-313?

CWE-313 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 5 real-world CVEs.