The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

What CVEs are caused by CWE-312?

365 recorded CVEs are attributed to CWE-312, including CVE-2011-4723, CVE-2026-22240, CVE-2022-43757. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

How do you prevent CWE-312?

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]

How is CWE-312 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-312?

Exploiting CWE-312 can lead to: Read Application Data.

Is CWE-312 actively exploited?

Yes. 1 CWE-312 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 365 recorded CVEs.

CWE-312: Cleartext Storage of Sensitive Information

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code excerpt stores a plaintext user account ID in a browser cookie.

Vulnerable example

java

response.addCookie( new Cookie("userAccountID", acctID);

Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.

This code writes a user's login information to a cookie so the user does not have to login again later.

Vulnerable example

php

function persistLogin($username, $password){

The following code attempts to establish a connection, read in a password, then store it to a buffer.

Vulnerable example

server.sin_family = AF_INET; hp = gethostbyname(argv[1]);

While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors.

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.

Vulnerable example

java

# Java Web App ResourceBundle properties file

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

At least one OT product stored a password in plaintext.

In 2021, a web site operated by PeopleGIS stored data of US municipalities in Amazon Web Service (AWS) Simple Storage Service (S3) buckets.

Vulnerable example

other

A security researcher found 86 S3 buckets that could be accessed without authentication (CWE-306) and stored data unencrypted (CWE-312). These buckets exposed over 1000 GB of data and 1.6 million files including physical addresses, phone numbers, tax documents, pictures of driver's license IDs, etc. [REF-1296] [REF-1295]

Safe example

other

The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297]

While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.

Consider the following PowerShell command examples for encryption scopes of Azure storage objects. In the first example, an encryption scope is set for the storage account.

Vulnerable example

bash

New-AzStorageEncryptionScope -ResourceGroupName "MyResourceGroup" -AccountName "MyStorageAccount" -EncryptionScopeName testscope -StorageEncryption

Safe example

bash

New-AzStorageEncryptionScope -ResourceGroupName "MyResourceGroup" -AccountName "MyStorageAccount" -EncryptionScopeName testscope -StorageEncryption -RequireInfrastructureEncryption

Real-world CVEs

CWE-312: Cleartext Storage of Sensitive Information

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-312?

What CVEs are caused by CWE-312?

How do you prevent CWE-312?

How is CWE-312 detected?

What are the consequences of CWE-312?

Is CWE-312 actively exploited?

References

Stay ahead of CWE-312

Real-world CVEs

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-312?

What CVEs are caused by CWE-312?

How do you prevent CWE-312?

How is CWE-312 detected?

What are the consequences of CWE-312?

Is CWE-312 actively exploited?

References

Stay ahead of CWE-312