CWE-312 Base Draft

Cleartext Storage of Sensitive Information


Definition

What is CWE-312?

This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.
Storing sensitive information in cleartext is a fundamental security failure because it removes the primary barrier protecting data at rest. Whether the exposure happens via a database breach, log file leakage, or insecure backups, attackers can read and misuse the information immediately, with no key to find and no ciphertext to break. The flaw defeats defense in depth: a single failure of access control (a misconfigured bucket, a world-readable file, a stolen backup tape) becomes a full disclosure, which is why it is so often the root cause of large data breaches.

To prevent it, protect sensitive data before it reaches any storage medium, using standard cryptographic libraries rather than home-grown schemes. The right protection depends on the data. Passwords should not be encrypted at all but hashed with a slow, salted password hash (PBKDF2, bcrypt, scrypt or Argon2) so that a leaked table cannot be reversed; keys, tokens and personal data that must be readable later need authenticated encryption with keys held outside the data store. Additionally, minimise what is collected, manage keys robustly, and regularly audit every place data lands (logs, debug files, crash dumps, analytics caches, backups) to make sure no sensitive value is persisted in plain text.
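Added example, not code from the page or from Plexicus: a SQLite user table written two ways, the cleartext password store the definition warns about and the salted PBKDF2 hash that should replace it. The in-memory database, the user name and password, and the 600,000-iteration work factor are constructed for this example; the point is what an attacker who copies the database file gets in each case.

```python
"""Password storage: cleartext (CWE-312) versus a salted, slow hash.

Assumptions (constructed for this example): an in-memory SQLite database,
PBKDF2-HMAC-SHA256 as the password hash, and a fixed iteration count.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000   # assumption: work factor in the range currently recommended for SHA-256
SALT_BYTES = 16


def open_store() -> sqlite3.Connection:
    """Create the user table in memory (constructed sample schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, secret TEXT NOT NULL)")
    return conn


# --- Vulnerable pattern: the password itself is the stored value -------------

def register_cleartext(conn: sqlite3.Connection, name: str, password: str) -> None:
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, password))


def login_cleartext(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and row[0] == password


# --- Hardened pattern: store only a salted PBKDF2 digest, never the password --

def _pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register_hashed(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)
    digest = _pbkdf2(password, salt, PBKDF2_ITERATIONS)
    # Self-describing record: algorithm, iterations, salt and digest travel together,
    # so the work factor can be raised later without a schema change.
    record = f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, record))


def login_hashed(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    algo, iterations, salt_hex, digest_hex = row[0].split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = _pbkdf2(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a wrong guess must not be distinguishable by timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dump_secrets(conn: sqlite3.Connection) -> list[str]:
    """What an attacker holding a copy of the database file sees."""
    return [r[0] for r in conn.execute("SELECT secret FROM users ORDER BY name")]


if __name__ == "__main__":
    weak = open_store()
    register_cleartext(weak, "alice", "P@ss123")
    print("cleartext store leaks:", dump_secrets(weak))      # ['P@ss123']

    strong = open_store()
    register_hashed(strong, "alice", "P@ss123")
    print("hashed store leaks:", dump_secrets(strong))       # one 'pbkdf2_sha256$600000$<salt>$<digest>' string, no password in it
    print("login ok:", login_hashed(strong, "alice", "P@ss123"),
          "wrong:", login_hashed(strong, "alice", "P@ss124"))  # True False
```

The record format mirrors what frameworks such as Django or werkzeug store; the essential properties are a per-user random salt, a deliberately slow hash, and a constant-time compare on verification. Encrypting the password column instead would merely move the problem to wherever the key lives.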
Vulnerability diagram (CWE-312, Cleartext Storage of Sensitive Information): a config file such as /etc/app/config.yaml holds db.password "P@ss123" and a Stripe key sk_live_AbCd… in cleartext, readable by any local user. A local user, a backup tape or a forensic dump yields the secrets directly (cat config.yaml → "P@ss123"; backup leak / forensic dump → secrets harvested). Sensitive values are saved as plain text on disk or in config files.
Impact in practice

Real-world CVEs caused by CWE-312

  • Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.

  • password and username stored in cleartext in a cookie

  • password stored in cleartext in a file with insecure permissions

  • chat program disables SSL in some circumstances even when the user says to use SSL.

  • Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption

  • storage of unencrypted passwords in a database

  • storage of unencrypted passwords in a database

  • product stores a password in cleartext in memory

How attackers exploit it

Attacker path, step by step

  1. The following code excerpt stores a plaintext user account ID in a browser cookie.

  2. Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.

  3. A second excerpt writes a user's login information to a cookie so the user does not have to log in again later.

  4. That code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie.

  5. Note that this example code also exhibits Plaintext Storage in a Cookie (CWE-315).

Vulnerable code example

Vulnerable Java

The following code excerpt stores a plaintext user account ID in a browser cookie.

// The account ID is written into the cookie as cleartext; anyone who can read the
// browser's cookie store (local access, or script injected via CWE-79) obtains it.
response.addCookie(new Cookie("userAccountID", acctID));
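Added example, not code from the page or from MITRE: the two cookie patterns from the attacker path and the servlet excerpt above, rendered in Python so they run stand-alone. The in-memory session table, the single-process server and the 30-minute session lifetime are assumptions of this example.

```python
"""Cookie storage: credentials in the cookie (CWE-312 / CWE-315) versus an
opaque server-side session handle.

Assumptions (constructed for this example): one server process, sessions held
in a dict, 30-minute lifetime.
"""
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

SESSION_TTL_SECONDS = 30 * 60


def remember_me_cleartext(username: str, password: str) -> str:
    """Vulnerable: the credentials themselves become the cookie value and sit in
    cleartext in the browser's cookie store. Returns the Set-Cookie headers."""
    jar = SimpleCookie()
    jar["username"] = username
    jar["password"] = password
    return jar.output()


def cookie_pair(set_cookie_header: str) -> str:
    """What a browser echoes back in its Cookie header: just name=value."""
    first_line = set_cookie_header.splitlines()[0]
    return first_line.split(":", 1)[1].split(";", 1)[0].strip()


class SessionStore:
    """Hardened: the cookie carries only an unguessable random handle; the
    username (and nothing resembling a password) stays on the server."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, float]] = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, time.time() + SESSION_TTL_SECONDS)
        jar = SimpleCookie()
        jar["session"] = token
        jar["session"]["httponly"] = True           # hidden from document.cookie, blunting CWE-79 theft
        jar["session"]["secure"] = True             # never sent over plain HTTP
        jar["session"]["samesite"] = "Strict"
        jar["session"]["path"] = "/"
        return jar.output()

    def resolve(self, cookie_header: str) -> Optional[str]:
        """Map an incoming Cookie header to a username, or None if unknown or expired."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        if "session" not in jar:
            return None
        # The token is random and 256 bits long, so a plain dict lookup is adequate.
        entry = self._sessions.get(jar["session"].value)
        if entry is None:
            return None
        username, expires = entry
        if time.time() > expires:
            self.revoke(cookie_header)
            return None
        return username

    def revoke(self, cookie_header: str) -> None:
        """Server-side logout: invalidating the handle leaves nothing usable in the cookie."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        if "session" in jar:
            self._sessions.pop(jar["session"].value, None)


if __name__ == "__main__":
    print(remember_me_cleartext("alice", "P@ss123"))   # password visible in the header
    store = SessionStore()
    header = store.create("alice")
    print(header)                                      # Set-Cookie: session=<random>; HttpOnly; Path=/; SameSite=Strict; Secure
    print(store.resolve(cookie_pair(header)))          # alice
```

Nothing in the hardened cookie is sensitive on its own: a copied cookie is still a session-hijack risk, which is what the HttpOnly and Secure flags and the server-side revoke limit, but it no longer discloses the account ID or the credentials, and the lifetime bounds the damage.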
Secure code example

Secure Other

While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.

The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297]
What changed: the data is no longer readable to whoever reaches the storage. Public read access is blocked at the account level, and objects are encrypted at rest, so a leaked bucket listing, backup or snapshot no longer yields cleartext.
Prevention checklist

How to prevent CWE-312

  • Implementation / System Configuration / Operation: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
  • Implementation / System Configuration / Operation: In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
  • Implementation: Provider-managed encryption at rest defends against lost disks and raw storage access, not against a caller who already holds read permission on the bucket or database. Pair it with access control on the store and on the key, and keep the key outside the data it protects.
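Added example, not code from the page or from AWS: an offline check that evaluates a bucket the way the two AWS Config rules named in the secure example above do, with the weak configuration beside the corrected one. The input dicts are constructed to mirror the shape of boto3's get_public_access_block() and get_bucket_encryption() responses (an assumption of this example); nothing here calls AWS.

```python
"""Evaluate S3 public-access-block and default-encryption settings offline.

Assumption: the response dicts below follow the shape boto3 returns for
get_public_access_block() and get_bucket_encryption(); they are constructed
samples, not captured from an account.
"""
from typing import Optional

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")
ACCEPTED_SSE = {"AES256", "aws:kms"}     # SSE-S3 and SSE-KMS as the bucket default


def check_public_access_block(resp: Optional[dict]) -> list[str]:
    """Semantics of s3-account-level-public-access-blocks-periodic: all four flags on."""
    cfg = (resp or {}).get("PublicAccessBlockConfiguration", {})
    return [f"{flag} is not enabled" for flag in PUBLIC_ACCESS_FLAGS if not cfg.get(flag)]


def check_default_encryption(resp: Optional[dict]) -> list[str]:
    """Semantics of s3-bucket-server-side-encryption-enabled: a default SSE rule
    with an accepted algorithm. resp is None when the API reported no configuration."""
    rules = (resp or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default server-side encryption rule configured"]
    findings = []
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in ACCEPTED_SSE:
            findings.append(f"unsupported or missing SSEAlgorithm: {algo!r}")
    return findings


def assess_bucket(pab_resp: Optional[dict], sse_resp: Optional[dict]) -> dict:
    """Combine both checks; a bucket is compliant only when neither reports anything."""
    findings = check_public_access_block(pab_resp) + check_default_encryption(sse_resp)
    return {"compliant": not findings, "findings": findings}


# Constructed sample: the leaky bucket ...
WEAK_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
WEAK_SSE = None          # get_bucket_encryption raised: nothing configured

# ... and the corrected one (the KMS alias is hypothetical).
FIXED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PUBLIC_ACCESS_FLAGS}}
FIXED_SSE = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": "alias/app-data"},
     "BucketKeyEnabled": True}]}}


if __name__ == "__main__":
    print(assess_bucket(WEAK_PAB, WEAK_SSE))      # compliant False, four findings
    print(assess_bucket(FIXED_PAB, FIXED_SSE))    # compliant True, no findings
```

In a real account the two dicts come from the S3 client, and a missing encryption configuration surfaces as a ServerSideEncryptionConfigurationNotFoundError that the caller maps to None before calling assess_bucket.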
Detection signals

How to detect CWE-312

Automated Static Analysis (Effectiveness: High)

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.). For CWE-312 the sinks are file, database, cookie and log writes, and the sources are values tagged as sensitive (passwords, keys, card numbers). SAST sees only the application's own code: secrets that land in configuration files, deployment manifests or cloud bucket settings need secret scanning and configuration checks as well.
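Added example, not Plexicus code: a grep-style check for cleartext secrets in configuration files and logs, the places a data-flow SAST pass does not see. The keyword list, the key-format prefixes (the Stripe prefix is taken from the diagram above; the AWS example key is the one AWS documents) and the sample text are constructed for this example; tune the patterns to your own codebase.

```python
"""Flag lines that persist a secret in cleartext, and redact them.

Constructed for this example: the regexes, the placeholder rules and SAMPLE.
"""
import re
from dataclasses import dataclass

# A secret-looking key assigned a literal: password: "x", API_KEY = 'x', token=x
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<key>[\w.-]*?(?:password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)s?)"
    r"\s*[:=]\s*['\"]?(?P<value>[^'\"\s,;#]+)"
)

# Credential formats that are secrets wherever they appear.
TOKEN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{8,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Values that are references or placeholders rather than secrets (not findings).
NOT_A_SECRET = re.compile(
    r"^(\$\{?\w+\}?|%\w+%|<[^>]+>|\*{3,}|x{4,}|changeme|redacted|null|none)$", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    key: str
    excerpt: str


def scan_text(text: str) -> list[Finding]:
    """One Finding per line that stores a secret in cleartext."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fmt = next((kind for kind, pat in TOKEN_FORMATS.items() if pat.search(line)), None)
        if fmt:
            findings.append(Finding(line_no, fmt, fmt, line.strip()))
            continue                                # do not double-report the line
        m = ASSIGNMENT.search(line)
        if m and not NOT_A_SECRET.match(m.group("value")):
            findings.append(Finding(line_no, "cleartext_assignment", m.group("key"), line.strip()))
    return findings


def _redact_assignment(m: re.Match) -> str:
    if NOT_A_SECRET.match(m.group("value")):
        return m.group(0)                           # leave ${REF} and <placeholder> intact
    return m.group(0)[: m.start("value") - m.start()] + "[REDACTED]"


def redact(text: str) -> str:
    """Blank out flagged values so the text can be shared, logged or attached to a ticket."""
    out = []
    for line in text.splitlines():
        line = ASSIGNMENT.sub(_redact_assignment, line)
        for pat in TOKEN_FORMATS.values():
            line = pat.sub("[REDACTED]", line)
        out.append(line)
    return "\n".join(out)


# Constructed sample: a config file followed by two application log lines.
SAMPLE = """\
# config.yaml plus two log lines (constructed sample)
db:
  host: db.internal
  password: "P@ss123"
cache_password: ${CACHE_PASSWORD}
api_key: <redacted>
stripe_secret = "sk_live_EXAMPLEKEY0000000000"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
token_ttl: 3600
2024-05-01T10:00:00Z INFO login ok user=alice
2024-05-01T10:00:01Z DEBUG auth payload user=bob password=hunter2
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} ({f.key}): {f.excerpt}")   # lines 4, 7, 8 and 11
    print(redact(SAMPLE))
```

The two skipped lines matter as much as the four hits: an environment-variable reference and a placeholder are exactly what a config file should contain, and a scanner that flags them trains people to ignore it. Line 9 shows the keyword rule anchored to the end of the key so that a TTL named token_ttl is not reported.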

Plexicus Auto-Fix

Plexicus detects CWE-312 automatically and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies exactly this weakness and delivers a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Frequently asked questions

What is CWE-312?

This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.

How severe is CWE-312?

MITRE has not published a likelihood of exploit for this weakness. Treat it as at least medium impact until your threat model says otherwise; where the stored data is credentials or keys, a single leaked file or backup hands the attacker everything at once, which usually justifies rating it higher.

Which languages or platforms are affected by CWE-312?

MITRE lists the following affected platforms: Cloud Computing, ICS/OT, Mobile. The weakness is not language-specific; any code that writes secrets to a file, database, cookie, log or cloud object store can exhibit it.

How can I prevent CWE-312?

When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301] In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

How does Plexicus detect and fix CWE-312?

Plexicus's SAST engine detects the data-flow signature of CWE-312 on every commit. On a hit, our Codex Remedium agent opens a fix PR with corrected code, tests and a one-line summary for the reviewer.

Where can I learn more about CWE-312?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/312.html. For additional guidance, the OWASP and NIST documentation is also worth consulting.

Related weaknesses

Weaknesses related to CWE-312

CWE-311 Parent

Missing Encryption of Sensitive Data

This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed.

CWE-319 Sibling

Cleartext Transmission of Sensitive Information

This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection…

CWE-313 Child

Cleartext Storage in a File or on Disk

This vulnerability occurs when an application writes sensitive data, such as passwords or personal information, directly to a file or disk…

CWE-314 Child

Cleartext Storage in the Registry

This vulnerability occurs when an application saves sensitive data, like passwords or keys, as plain text in the Windows Registry.

CWE-315 Child

Cleartext Storage of Sensitive Information in a Cookie

This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie…

CWE-316 Child

Cleartext Storage of Sensitive Information in Memory

This vulnerability occurs when an application stores sensitive data, such as passwords or encryption keys, in memory without any form of…

CWE-317 Child

Cleartext Storage of Sensitive Information in GUI

This vulnerability occurs when an application stores sensitive data, such as passwords or personal information, in plain text within its…

CWE-318 Child

Cleartext Storage of Sensitive Information in Executable

This vulnerability occurs when an application embeds sensitive information, like passwords or keys, directly within its executable code…

CWE-526 Child

Cleartext Storage of Sensitive Information in an Environment Variable

This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment…

Ready when you are

Stop paying per developer.
Close the loop.

Plexicus is the AI-native ASPM that scans, filters, fixes, pentests and explains, autonomously. Unlimited developers, unlimited repos, fair-use AI actions. A genuinely free tier, €269/mo billed annually when you are ready.