Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-312 Base Borrador
Cleartext Storage of Sensitive Information
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in…
Definición
What is CWE-312?
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.
Storing sensitive information in cleartext is a fundamental security failure because it removes the primary barrier protecting data at rest. Whether the exposure happens via a database breach, log file leakage, or insecure backups, attackers can immediately read and misuse the information without needing to crack encryption. This flaw directly violates the core security principle of defense in depth and is often the root cause of massive data breaches.
To prevent this, developers must ensure that all sensitive data is encrypted before being written to any storage medium, using strong, standard cryptographic libraries. Additionally, consider minimizing data collection, implementing robust key management, and regularly auditing storage locations—like logs, debug files, and analytics caches—to ensure no sensitive data is accidentally persisted in plain text.
Impacto en el mundo real
Real-world CVEs caused by CWE-312
-
Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
-
password and username stored in cleartext in a cookie
-
password stored in cleartext in a file with insecure permissions
-
chat program disables SSL in some circumstances even when the user says to use SSL.
-
Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
-
storage of unencrypted passwords in a database
-
storage of unencrypted passwords in a database
-
product stores a password in cleartext in memory
Cómo lo explotan los atacantes
Ruta del atacante paso a paso
- 1
The following code excerpt stores a plaintext user account ID in a browser cookie.
- 2
Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.
- 3
This code writes a user's login information to a cookie so the user does not have to login again later.
- 4
The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie.
- 5
Also note this example code also exhibits Plaintext Storage in a Cookie (CWE-315).
Ejemplo de código vulnerable
Vulnerable Java
The following code excerpt stores a plaintext user account ID in a browser cookie.
response.addCookie( new Cookie("userAccountID", acctID); Ejemplo de código seguro
Secure Other
While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.
The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297] What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención
How to prevent CWE-312
- Implementation / System Configuration / Operation When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
- Implementation / System Configuration / Operation In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Señales de detección
How to detect CWE-312
Plexicus detecta automáticamente CWE-312 y abre un PR de corrección en menos de 60 segundos.
Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.
Preguntas frecuentes ¿Qué es CWE-312?
¿Qué gravedad tiene CWE-312?
¿Qué lenguajes o plataformas se ven afectados por CWE-312?
¿Cómo puedo prevenir CWE-312?
¿Cómo detecta y corrige Plexicus CWE-312?
¿Dónde puedo aprender más sobre CWE-312?
Frequently asked questions
¿Qué es CWE-312?
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.
¿Qué gravedad tiene CWE-312?
MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.
¿Qué lenguajes o plataformas se ven afectados por CWE-312?
MITRE lists the following affected platforms: Cloud Computing, ICS/OT, Mobile.
¿Cómo puedo prevenir CWE-312?
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301] In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
¿Cómo detecta y corrige Plexicus CWE-312?
El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-312 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.
¿Dónde puedo aprender más sobre CWE-312?
MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/312.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.
Debilidades relacionadas
Weaknesses related to CWE-312
CWE-311 Padre
Missing Encryption of Sensitive Data
This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed.
CWE-319 Hermano
Cleartext Transmission of Sensitive Information
This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection…
CWE-313 Hijo
Cleartext Storage in a File or on Disk
This vulnerability occurs when an application writes sensitive data, such as passwords or personal information, directly to a file or disk…
CWE-314 Hijo
Cleartext Storage in the Registry
This vulnerability occurs when an application saves sensitive data, like passwords or keys, as plain text in the Windows Registry.
CWE-315 Hijo
Cleartext Storage of Sensitive Information in a Cookie
This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie…
CWE-316 Hijo
Cleartext Storage of Sensitive Information in Memory
This vulnerability occurs when an application stores sensitive data, such as passwords or encryption keys, in memory without any form of…
CWE-317 Hijo
Cleartext Storage of Sensitive Information in GUI
This vulnerability occurs when an application stores sensitive data, such as passwords or personal information, in plain text within its…
CWE-318 Hijo
Cleartext Storage of Sensitive Information in Executable
This vulnerability occurs when an application embeds sensitive information, like passwords or keys, directly within its executable code…
CWE-526 Hijo
Cleartext Storage of Sensitive Information in an Environment Variable
This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment…
Recursos
Further reading
- MITRE — CWE-312 oficial https://cwe.mitre.org/data/definitions/312.html
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Mobile App Top 10 List https://www.veracode.com/blog/2010/12/mobile-app-top-10-list
- OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management https://www.forescout.com/resources/ot-icefall-report/
- Over 80 US Municipalities' Sensitive Information, Including Resident's Personal Data, Left Vulnerable in Massive Data Breach https://www.wizcase.com/blog/us-municipality-breach-report/
- 1,000 GB of local government data exposed by Massachusetts software company https://www.zdnet.com/article/1000-gb-of-local-government-data-exposed-by-massachusetts-software-company/
Listo cuando tú lo estés
Deja de pagar por desarrollador.
Empieza a cerrar el bucle.
Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.