Class · High

CWE-922: Insecure Storage of Sensitive Information

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

CWE-922 · Class Level · 1 CVE

Description

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.
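As an added illustration of the description above (example code written for this page, not taken from MITRE or from any product the entry cites), the following Python shows the weakness and one fix on a POSIX filesystem: a secret written with a plain open() call inherits the process umask and is usually readable by every local user, while creating the file with an explicit 0600 mode limits it to the owner from the moment it exists. The audit helper flags files that grant any group or other permission. The working directory, file names and the db_password line are constructed for the demo.

```python
"""Added example: insecure vs. owner-only storage of a secret on a POSIX host,
plus an audit that flags CWE-922-style files. Not code from the CWE page."""
import os
import stat
import tempfile

SECRET_LINE = "db_password=hunter2\n"  # constructed sample secret


def store_secret_insecurely(path: str, secret: str) -> None:
    """CWE-922: open() creates the file with mode 0666 masked by the umask.
    With the common umask of 022 that is 0644, so any local user can read it."""
    with open(path, "w") as f:
        f.write(secret)


def store_secret_restricted(path: str, secret: str) -> None:
    """Create the file owner-only (0600) in the same call that creates it, so
    there is no window where it is readable by others. O_EXCL refuses to reuse
    a pre-existing path (for example a symlink or a file planted with looser
    permissions). The umask can only clear bits, so it cannot widen 0600."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)


def others_can_access(path: str) -> bool:
    """True if group or other holds any read/write/execute bit on the file."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit_directory(directory: str) -> list[str]:
    """Return the regular files in `directory` that grant any access to group
    or other. Symlinks are skipped so a link into a world-readable place is
    not misreported as a finding in this directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path) and others_can_access(path):
            findings.append(path)
    return findings


def demo() -> dict:
    """Write the same secret both ways into a throwaway directory and audit it."""
    with tempfile.TemporaryDirectory() as workdir:
        previous_umask = os.umask(0o022)  # typical default, so open() yields 0644
        try:
            insecure = os.path.join(workdir, "config_plain.txt")
            restricted = os.path.join(workdir, "config_restricted.txt")
            store_secret_insecurely(insecure, SECRET_LINE)
            store_secret_restricted(restricted, SECRET_LINE)
            return {
                "insecure_world_readable": others_can_access(insecure),
                "restricted_world_readable": others_can_access(restricted),
                "audit_findings": [os.path.basename(p) for p in audit_directory(workdir)],
            }
        finally:
            os.umask(previous_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit only looks at mode bits; on systems with ACLs or mandatory access control the effective permissions can differ from what the mode shows, so treat it as a first pass rather than a complete check.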

Potential Impact

Confidentiality

Read Application Data, Read Files or Directories

Integrity

Modify Application Data, Modify Files or Directories

Demonstrative Examples

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
At least one OT product stored a password in plaintext.

Detection Methods

  • Automated Static Analysis (effectiveness: High): Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID          Description
CVE-2009-2272   password and username stored in cleartext in a cookie
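The pattern behind CVE-2009-2272, as an added example (not code from the affected product or from the CWE entry): a login that stores the username and password in a cleartext cookie, beside the usual alternative of keeping the sensitive data on the server and issuing the client only an opaque random token. The user name and password are constructed sample values, and the in-memory dictionary stands in for whatever session store the application would use.

```python
"""Added example: credentials stored in a cleartext cookie (the CVE-2009-2272
pattern) beside a server-side session with an opaque token. Not code from the
CWE page or from the affected product."""
import hmac
import secrets
from http.cookies import SimpleCookie

USERNAME = "alice"    # constructed sample credentials
PASSWORD = "hunter2"


def insecure_login_cookie(username: str, password: str) -> str:
    """CWE-922: the credentials themselves are stored client-side. Anything that
    can read the cookie jar (page script, a shared machine, a proxy log) has the
    password, and the cookie is also a writable copy of the login state."""
    cookie = SimpleCookie()
    cookie["auth"] = f"{username}:{password}"
    return cookie.output(header="").strip()   # Set-Cookie value sent to the client


# Server-side session store (constructed stand-in for a database or cache).
_SESSIONS: dict[str, dict] = {}


def restricted_login_cookie(username: str) -> tuple[str, str]:
    """Keep the sensitive data on the server and hand the client only a random
    token. Returns (Set-Cookie value, the Cookie header the browser sends back)."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = {"user": username}
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True       # not exposed to document.cookie
    cookie["session"]["secure"] = True         # only sent over TLS
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="").strip(), f"session={token}"


def session_user(request_cookie_header: str):
    """Resolve the token from an incoming Cookie header; None if unknown."""
    parsed = SimpleCookie()
    parsed.load(request_cookie_header)
    if "session" not in parsed:
        return None
    presented = parsed["session"].value.encode()
    for stored, data in _SESSIONS.items():
        if hmac.compare_digest(stored.encode(), presented):  # constant-time compare
            return data["user"]
    return None


def cookie_leaks_credentials(set_cookie_value: str, password: str) -> bool:
    """Detection check: does the cookie the server emits contain the password?"""
    return password in set_cookie_value


if __name__ == "__main__":
    print("insecure:", insecure_login_cookie(USERNAME, PASSWORD))
    set_cookie, request_cookie = restricted_login_cookie(USERNAME)
    print("restricted:", set_cookie)
    print("resolved user:", session_user(request_cookie))
```

The token is the only thing the client holds, so stealing the cookie still gives an attacker the session, but not the password, and the server can revoke the token by deleting its entry.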

Frequently Asked Questions

What is CWE-922?

CWE-922 (Insecure Storage of Sensitive Information) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product stores sensitive information without properly limiting read or write access by unauthorized actors.

How can CWE-922 be exploited?

Attackers can exploit CWE-922 (Insecure Storage of Sensitive Information) to read data that should have been protected (Read Application Data, Read Files or Directories) and, where write access is also unrestricted, to modify or delete it (Modify Application Data, Modify Files or Directories), which can corrupt results or cause a denial of service. This weakness is typically introduced during the Architecture and Design, Implementation, or System Configuration phases of software development.

How do I prevent CWE-922?

Limit read and write access to stored sensitive data to the actors that need it: create secret-bearing files with restrictive permissions rather than the process defaults, and do not place credentials in locations an unauthorized party can read or alter, such as a cleartext cookie (see CVE-2009-2272 above). Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-922?

CWE-922 is classified as a Class-level weakness (high abstraction). It has been observed in 1 real-world CVE.