Insecure Storage of Sensitive Information

Status: Incomplete
Abstraction: Class
Structure: Simple
Description

This vulnerability occurs when an application stores sensitive data—like credentials, personal information, or encryption keys—without enforcing proper access controls, allowing unauthorized users to read or modify it.

Extended Description

When read permissions are too permissive, attackers can easily exfiltrate confidential data, leading to data breaches and compliance violations. Conversely, insufficient write controls let attackers alter or destroy critical information, which can corrupt application logic, cause service outages, or enable further system compromise. Preventing this requires implementing strict access policies, encrypting sensitive data at rest, and regularly auditing storage configurations. While SAST tools can flag insecure storage patterns, Plexicus uses AI to analyze context and generate precise remediation code, helping teams fix these flaws efficiently across their entire application portfolio.

Common Consequences
Scope: Confidentiality

Impact: Read Application Data; Read Files or Directories

Attackers can read sensitive information by accessing the unrestricted storage mechanism.

Scope: Integrity

Impact: Modify Application Data; Modify Files or Directories

Attackers can overwrite sensitive information by accessing the unrestricted storage mechanism.
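As an added illustration of both consequences above (example code, not part of the CWE entry), the snippet below contrasts a weak storage pattern that leaves a secret readable and writable by any local user with a hardened pattern that creates the file owner-only, and includes a small permission audit of the kind the Extended Description recommends. It assumes a POSIX filesystem; the file names, sample secret and function names are constructed for the example.

```python
import os
import stat
import tempfile

# Constructed sample secret for the demonstration (not a real credential).
SAMPLE_SECRET = b"api_token=EXAMPLE-PLACEHOLDER-TOKEN\n"

def store_secret_insecure(path: str, data: bytes) -> None:
    """Weak pattern: open() honours the process umask, so under a permissive
    umask the file is created readable and writable by other local users.
    Nothing here restricts who may read or overwrite the secret."""
    with open(path, "wb") as fh:
        fh.write(data)

def store_secret_restricted(path: str, data: bytes) -> None:
    """Hardened pattern: create the file owner-only (0600) at creation time,
    and fail if something already exists at the path instead of overwriting
    it or following a pre-planted symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # Re-assert the mode in case the umask or platform widened it.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)

def audit_storage_permissions(path: str) -> list[str]:
    """Configuration audit: report any mode bit that lets group or other
    users read (confidentiality) or modify (integrity) the stored data."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by non-owner (confidentiality)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by non-owner (integrity)")
    return findings

def demo() -> tuple[list[str], list[str]]:
    """Store the sample secret both ways under a deliberately permissive
    umask and return the audit findings as (insecure, restricted)."""
    old_umask = os.umask(0o000)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            weak = os.path.join(tmp, "weak.cfg")
            strong = os.path.join(tmp, "strong.cfg")
            store_secret_insecure(weak, SAMPLE_SECRET)
            store_secret_restricted(strong, SAMPLE_SECRET)
            return audit_storage_permissions(weak), audit_storage_permissions(strong)
    finally:
        os.umask(old_umask)
```

Calling demo() returns two findings for the weak file and none for the restricted one; the same audit function can be pointed at real configuration or key files during a storage review.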

Detection Methods

Automated Static Analysis (Effectiveness: High)

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Observed Examples

CVE-2009-2272: password and username stored in cleartext in a cookie
Applicable Platforms

Languages: Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction

Architecture and Design
Implementation
System Configuration
Notes

Relationship: There is an overlapping relationship between insecure storage of sensitive information (this entry) and missing encryption of sensitive information (Missing Encryption of Sensitive Data). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data are compromised prior to the audit.

Maintenance: This is a high-level entry that includes children from various parts of the CWE research view (Research Concepts). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.