CWE-319: Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Last updated
Overview
CWE-319 (Cleartext Transmission of Sensitive Information) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
467 recorded CVEs are caused by CWE-319 (Cleartext Transmission of Sensitive Information). The highest-severity and most recent are shown first. 85 new CWE-319 CVEs have been recorded so far in 2026 (104 in 2025).
- CVE-2025-47419
Non-Secure Access
Critical · CVSS 10.0 · EPSS 16th2025-05-06 - CVE-2015-0987Critical · CVSS 10.0 · EPSS 64th2015-10-03
- CVE-2026-48902
Joomla! Core - [20260518] - Transport encryption downgrade for password and username reset links
Critical · CVSS 9.8 · EPSS 9th2026-05-26 - CVE-2026-24212Critical · CVSS 9.8 · EPSS 47th2026-05-26
- CVE-2025-32880Critical · CVSS 9.8 · EPSS 30th2025-06-20
- CVE-2025-26199Critical · CVSS 9.8 · EPSS 39th2025-06-18
- CVE-2023-39245Critical · CVSS 9.8 · EPSS 36th2024-02-15
- CVE-2023-32328
IBM Security Verify Access information disclosure
Critical · CVSS 9.8 · EPSS 44th2024-02-07 - CVE-2023-33730Critical · CVSS 9.8 · EPSS 64th2023-05-31
- CVE-2022-46680Critical · CVSS 9.8 · EPSS 30th2023-05-22
- CVE-2023-30354Critical · CVSS 9.8 · EPSS 36th2023-05-10
- CVE-2022-47714Critical · CVSS 9.8 · EPSS 45th2023-02-01
Showing 12 of 467 recorded CWE-319 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-319 vulnerabilitiesCommon consequences
What can happen when CWE-319 is exploited.
Read Application Data, Modify Files or Directories
Affects: Integrity, Confidentiality
Anyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination, whether across the internet, an internal network, the cloud, etc. Some actors might have privileged access to a network interface or any link along the channel, such as a router, but they might not be authorized to collect the underlying data. As a result, network traffic could be sniffed by adversaries, spilling security-critical data.
Read Application Data, Modify Files or Directories, Other
Affects: Integrity, Confidentiality
When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-319, grouped by where in the lifecycle they apply.
Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
How to detect it
Black Box
Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic.
Attach the monitor to the process, trigger the feature that sends the data, and look for the presence or absence of common cryptographic functions in the call tree. Monitor the network and determine if the data packets contain readable commands. Tools exist for detecting if certain encodings are in use. If the traffic contains high entropy, this might indicate the usage of encryption.
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code attempts to establish a connection to a site to communicate sensitive information.
Vulnerable example
try {Though a connection is successfully made, the connection is unencrypted and it is possible that all sensitive data sent to or received from the server will be read by unintended actors.
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.
Multiple vendors used cleartext transmission of sensitive information in their OT products.
A TAP accessible register is read/written by a JTAG based tool, for internal use by authorized users. However, an adversary can connect a probing device and collect the values from the unencrypted channel connecting the JTAG interface to the authorized user, if no additional protections are employed.
The following Azure CLI command lists the properties of a particular storage account:
Example
az storage account show -g {ResourceGroupName} -n {StorageAccountName}Vulnerable example
{Safe example
az storage account update -g {ResourceGroupName} -n {StorageAccountName} --https-only trueSafe example
{Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2022-29519 — Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.
- CVE-2022-30312 — Building Controller uses a protocol that transmits authentication credentials in plaintext.
- CVE-2022-31204 — Programmable Logic Controller (PLC) sends password in plaintext.
- CVE-2002-1949 — Passwords transmitted in cleartext.
- CVE-2008-4122 — Chain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP.
- CVE-2008-3289 — Product sends password hash in cleartext in violation of intended policy.
- CVE-2008-4390 — Remote management feature sends sensitive information including passwords in cleartext.
- CVE-2007-5626 — Backup routine sends password in cleartext in email.
- CVE-2004-1852 — Product transmits Blowfish encryption key in cleartext.
- CVE-2008-0374 — Printer sends configuration information, including administrative password, in cleartext.
- CVE-2007-4961 — Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294).
- CVE-2007-4786 — Product sends passwords in cleartext to a log server.
- CVE-2005-3140 — Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes.
Terminology & mappings
Mapped taxonomies
- PLOVER: Plaintext Transmission of Sensitive Information
- The CERT Oracle Secure Coding Standard for Java (2011): Do not rely on the default automatic signature verification provided by URLClassLoader and java.util.jar (SEC06-J)
- The CERT Oracle Secure Coding Standard for Java (2011): Sign then seal sensitive objects before sending them outside a trust boundary (SER02-J)
- Software Fault Patterns: Exposed Data (SFP23)
- ISA/IEC 62443: Req SR 4.1 (Part 3-3)
- ISA/IEC 62443: Req CR 4.1B (Part 4-2)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-319.
- What is CWE-319?
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
- What CVEs are caused by CWE-319?
- 467 recorded CVEs are attributed to CWE-319, including CVE-2025-47419, CVE-2015-0987, CVE-2026-48902.
- How do you prevent CWE-319?
- Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
- How is CWE-319 detected?
- Black Box: Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic.
- What are the consequences of CWE-319?
- Exploiting CWE-319 can lead to: Read Application Data, Modify Files or Directories, Other.
- Is CWE-319 actively exploited?
- 467 recorded CVEs are caused by CWE-319; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-319) (opens in a new tab)
- CWE-319 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-319
Get alerted the moment a new CWE-319 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.