Description
The product stores sensitive information in cleartext within the GUI.
An attacker can often obtain data from a GUI, even if hidden, by using an API to directly access GUI objects such as windows and menus. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
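Added example, not from the CWE entry: a constructed Python widget tree stands in for what a window-enumeration or accessibility API exposes, and a test-time check walks every GUI object, hidden ones included, reporting where a known secret can be recovered verbatim or after undoing a trivial base64 encoding. `Widget`, `find_secret_in_gui` and the two dialog builders are hypothetical names; the vulnerable builder shows the CWE-317 pattern and the hardened one keeps the secret out of the object tree.

```python
import base64

# Constructed stand-in for a GUI toolkit's object tree (windows, fields, labels).
class Widget:
    def __init__(self, name, text="", visible=True, children=()):
        self.name, self.text, self.visible = name, text, visible
        self.children = list(children)

    def walk(self):
        """Yield every object in the tree; hidden widgets are still reachable."""
        yield self
        for child in self.children:
            yield from child.walk()

def _decode_if_encoded(value):
    """Undo the trivially reversible encoding an auditor would try first."""
    try:
        decoded = base64.b64decode(value, validate=True).decode()
        if decoded.isprintable():
            return decoded, "base64"
    except Exception:  # not valid base64 or not text: treat as cleartext
        pass
    return value, "cleartext"

def find_secret_in_gui(root, secret):
    """List (widget name, encoding, visible) for every GUI object from which
    the known secret is recoverable, verbatim or after decoding."""
    findings = []
    for w in root.walk():
        if w.text:
            value, encoding = _decode_if_encoded(w.text)
            if secret in value:
                findings.append((w.name, encoding, w.visible))
    return findings

def build_vulnerable_dialog(password):
    """CWE-317 pattern (constructed): the secret sits in GUI objects, once in a
    hidden widget and once base64-'obfuscated' in a visible field."""
    encoded = base64.b64encode(password.encode()).decode()
    return Widget("login_dialog", children=[
        Widget("username", text="alice"),
        Widget("password_cache", text=password, visible=False),
        Widget("saved_token", text=encoded)])

def build_hardened_dialog():
    """Fixed form: only a placeholder reaches the widget tree."""
    return Widget("login_dialog", children=[
        Widget("username", text="alice"),
        Widget("saved_token", text="********")])
```

Run the check in a UI test with the credential the test logged in with; any finding means the secret is readable from a GUI object regardless of whether the widget is shown.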
Potential Impact
| Scope | Impact |
|---|---|
| Confidentiality | Read Memory, Read Application Data |
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2002-1848 | Unencrypted passwords stored in GUI dialog may allow local users to access the passwords. |
Related Weaknesses
Taxonomy Mappings
- PLOVER: Plaintext Storage in GUI
- Software Fault Patterns: SFP23 — Exposed Data
Frequently Asked Questions
What is CWE-317?
CWE-317 (Cleartext Storage of Sensitive Information in GUI) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product stores sensitive information in cleartext within the GUI.
How can CWE-317 be exploited?
Attackers can exploit CWE-317 (Cleartext Storage of Sensitive Information in GUI) to read memory and application data. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-317?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-317?
CWE-317 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 1 real-world CVE.