The product stores sensitive information in cleartext in a cookie.

What CVEs are caused by CWE-315?

8 recorded CVEs are attributed to CWE-315, including CVE-2024-8644, CVE-2026-25818, CVE-2024-41290.

How is CWE-315 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-315?

Exploiting CWE-315 can lead to: Read Application Data.

Is CWE-315 actively exploited?

8 recorded CVEs are caused by CWE-315; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-315: Cleartext Storage of Sensitive Information in a Cookie

CVE-2024-24768

1Panel set-cookie is missing the Secure keyword

CWE-315: Cleartext Storage of Sensitive Information in a Cookie

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code excerpt stores a plaintext user account ID in a browser cookie.

Vulnerable example

java

response.addCookie( new Cookie("userAccountID", acctID) );

Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.

CWE-315: Cleartext Storage of Sensitive Information in a Cookie

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-315?

What CVEs are caused by CWE-315?

How is CWE-315 detected?

What are the consequences of CWE-315?

Is CWE-315 actively exploited?

References

Stay ahead of CWE-315

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-315?

What CVEs are caused by CWE-315?

How is CWE-315 detected?

What are the consequences of CWE-315?

Is CWE-315 actively exploited?

References

Stay ahead of CWE-315