Base weakness

Draft

CWE-312: Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

361

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-312 (Cleartext Storage of Sensitive Information) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code excerpt stores a plaintext user account ID in a browser cookie.

Vulnerable example

java

response.addCookie( new Cookie("userAccountID", acctID);

Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.

This code writes a user's login information to a cookie so the user does not have to login again later.

Vulnerable example

php

function persistLogin($username, $password){

The following code attempts to establish a connection, read in a password, then store it to a buffer.

Vulnerable example

server.sin_family = AF_INET; hp = gethostbyname(argv[1]);

While successful, the program does not encrypt the data before writing it to a buffer, possibly exposing it to unauthorized actors.

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.

Vulnerable example

java

# Java Web App ResourceBundle properties file

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

At least one OT product stored a password in plaintext.

In 2021, a web site operated by PeopleGIS stored data of US municipalities in Amazon Web Service (AWS) Simple Storage Service (S3) buckets.

Vulnerable example

other

A security researcher found 86 S3 buckets that could be accessed without authentication (CWE-306) and stored data unencrypted (CWE-312). These buckets exposed over 1000 GB of data and 1.6 million files including physical addresses, phone numbers, tax documents, pictures of driver's license IDs, etc. [REF-1296] [REF-1295]

Safe example

other

The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297]

While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.

Consider the following PowerShell command examples for encryption scopes of Azure storage objects. In the first example, an encryption scope is set for the storage account.

Vulnerable example

bash

New-AzStorageEncryptionScope -ResourceGroupName "MyResourceGroup" -AccountName "MyStorageAccount" -EncryptionScopeName testscope -StorageEncryption

Safe example

bash

New-AzStorageEncryptionScope -ResourceGroupName "MyResourceGroup" -AccountName "MyStorageAccount" -EncryptionScopeName testscope -StorageEncryption -RequireInfrastructureEncryption

CWE-312: Cleartext Storage of Sensitive Information

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-312?

What CVEs are caused by CWE-312?

How do you prevent CWE-312?

How is CWE-312 detected?

What are the consequences of CWE-312?

Is CWE-312 actively exploited?

References

Stay ahead of CWE-312

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-312?

What CVEs are caused by CWE-312?

How do you prevent CWE-312?

How is CWE-312 detected?

What are the consequences of CWE-312?

Is CWE-312 actively exploited?

References

Stay ahead of CWE-312