CWE-319: Cleartext Transmission of Sensitive Information

CWE-319: Cleartext Transmission of Sensitive Information | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code attempts to establish a connection to a site to communicate sensitive information.

Vulnerable example

java

try {

Though a connection is successfully made, the connection is unencrypted and it is possible that all sensitive data sent to or received from the server will be read by unintended actors.

In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.

Multiple vendors used cleartext transmission of sensitive information in their OT products.

A TAP accessible register is read/written by a JTAG based tool, for internal use by authorized users. However, an adversary can connect a probing device and collect the values from the unencrypted channel connecting the JTAG interface to the authorized user, if no additional protections are employed.

The following Azure CLI command lists the properties of a particular storage account:

Example

bash

az storage account show -g {ResourceGroupName} -n {StorageAccountName}

Vulnerable example

json

Safe example

bash

az storage account update -g {ResourceGroupName} -n {StorageAccountName} --https-only true

Safe example

json

CWE-319: Cleartext Transmission of Sensitive Information

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Black Box

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-319?

What CVEs are caused by CWE-319?

How do you prevent CWE-319?

How is CWE-319 detected?

What are the consequences of CWE-319?

Is CWE-319 actively exploited?

References

Stay ahead of CWE-319

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Black Box

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Related

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-319?

What CVEs are caused by CWE-319?

How do you prevent CWE-319?

How is CWE-319 detected?

What are the consequences of CWE-319?

Is CWE-319 actively exploited?

References

Stay ahead of CWE-319