Description
The product stores sensitive information in cleartext in an executable.
Attackers can reverse engineer binary code to obtain secret data. This is especially easy when the cleartext is plain ASCII. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Potential Impact
Confidentiality
Read Application Data
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2005-1794 | Product stores RSA private key in a DLL and uses it to sign a certificate, allowing spoofing of servers and Adversary-in-the-Middle (AITM) attacks. |
| CVE-2001-1527 | administration passwords in cleartext in executable |
Related Weaknesses
Taxonomy Mappings
- PLOVER: — Plaintext Storage in Executable
Frequently Asked Questions
What is CWE-318?
CWE-318 (Cleartext Storage of Sensitive Information in Executable) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product stores sensitive information in cleartext in an executable.
How can CWE-318 be exploited?
Attackers can exploit CWE-318 (Cleartext Storage of Sensitive Information in Executable) to read application data. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-318?
Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.
What is the severity of CWE-318?
CWE-318 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 2 real-world CVEs.