Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Cleartext Storage of Sensitive Information
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in…
What is CWE-312?
Real-world CVEs caused by CWE-312
- Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
- Password and username stored in cleartext in a cookie.
- Password stored in cleartext in a file with insecure permissions.
- Chat program disables SSL in some circumstances even when the user says to use SSL.
- Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption.
- Storage of unencrypted passwords in a database.
- Storage of unencrypted passwords in a database.
- Product stores a password in cleartext in memory.
Attacker path, step by step
- Step 1: The following code excerpt stores a plaintext user account ID in a browser cookie.
- Step 2: Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.
- Step 3: This code writes a user's login information to a cookie so the user does not have to log in again later.
- Step 4: The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie.
- Step 5: Also note that this example code also exhibits Plaintext Storage in a Cookie (CWE-315).
Vulnerable Java
The following code excerpt stores a plaintext user account ID in a browser cookie.

```java
// Vulnerable: the account ID itself becomes the cookie value (CWE-312 / CWE-315).
response.addCookie(new Cookie("userAccountID", acctID));
```
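As an added illustration (not code from the CWE entry or from Plexicus), the same cookie pattern in Python next to a version that keeps the account ID server-side and hands the browser only an opaque random handle; the in-memory SESSIONS table and the account ID value are constructed stand-ins.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Constructed in-memory session table standing in for a server-side store.
SESSIONS: Dict[str, str] = {}


def vulnerable_cookie(acct_id: str) -> str:
    """Same pattern as the Java excerpt above: the account ID itself is the
    cookie value, so anyone who can read the cookie jar (malware on the host,
    or script injected via CWE-79) learns it directly."""
    c = SimpleCookie()
    c["userAccountID"] = acct_id
    return c.output(header="").strip()


def hardened_cookie(acct_id: str) -> Tuple[str, str]:
    """Keep the account ID server-side and give the browser only an opaque,
    random handle; the cookie value reveals nothing on its own."""
    token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
    SESSIONS[token] = acct_id
    c = SimpleCookie()
    c["session"] = token
    c["session"]["secure"] = True          # only sent over TLS
    c["session"]["httponly"] = True        # not readable from page script
    c["session"]["samesite"] = "Strict"
    c["session"]["path"] = "/"
    return token, c.output(header="").strip()


def resolve_account(token: str) -> Optional[str]:
    """Server-side lookup: a stolen cookie is useless without this table
    and can be invalidated by deleting the row."""
    return SESSIONS.get(token)


def cookie_leaks_secret(set_cookie_line: str, secret: str) -> bool:
    """The check a sink-side review (or a grep over response logs) performs:
    does the emitted Set-Cookie line contain the sensitive value in clear?"""
    return secret in set_cookie_line


if __name__ == "__main__":
    print(vulnerable_cookie("acct-7731"))       # account ID visible in clear
    tok, line = hardened_cookie("acct-7731")
    print(line)                                 # only the random token
    print(resolve_account(tok))                 # acct-7731
```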
Other
While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.
The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297]
How to prevent CWE-312
- Phase: Implementation / System Configuration / Operation. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
- Phase: Implementation / System Configuration / Operation. In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
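To make the two S3 controls named above checkable, here is an added example (not from the CWE entry or from Plexicus) that evaluates the response shapes boto3 returns for a bucket's Block Public Access and default-encryption settings against those two AWS Config rules; the sample responses and the key ID are constructed.

```python
from typing import Any, Dict, List

# The four S3 Block Public Access flags; the Config rule named above
# (s3-account-level-public-access-blocks-periodic) expects all of them on.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
# Default-encryption algorithms that satisfy s3-bucket-server-side-encryption-enabled.
SSE_ALGORITHMS = ("AES256", "aws:kms", "aws:kms:dsse")


def public_access_findings(pab: Dict[str, Any]) -> List[str]:
    """Input has the shape of boto3's get_public_access_block() response.
    A bucket with no block configured (boto3 raises a ClientError) is passed as {}."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [f"{flag} is off" for flag in PAB_FLAGS if not cfg.get(flag)]


def encryption_findings(enc: Dict[str, Any]) -> List[str]:
    """Input has the shape of boto3's get_bucket_encryption() response."""
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default server-side encryption rule"]
    findings = []
    for rule in rules:
        alg = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if alg not in SSE_ALGORITHMS:
            findings.append(f"unrecognised SSEAlgorithm {alg!r}")
    return findings


def assess_bucket(name: str, pab: Dict[str, Any], enc: Dict[str, Any]) -> List[str]:
    """All findings for one bucket; an empty list means both controls hold."""
    return [f"{name}: {f}" for f in public_access_findings(pab) + encryption_findings(enc)]


# Constructed sample responses: an exposed bucket and a corrected one.
WEAK_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}
WEAK_ENC: Dict[str, Any] = {}
FIXED_PAB = {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}
FIXED_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": "<kms-key-id placeholder>"},
     "BucketKeyEnabled": True}]}}

if __name__ == "__main__":
    for line in assess_bucket("example-weak", WEAK_PAB, WEAK_ENC):
        print(line)
    print("example-fixed findings:", assess_bucket("example-fixed", FIXED_PAB, FIXED_ENC))
```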
How to detect CWE-312
Plexicus automatically detects CWE-312 and opens a fix PR in under 60 seconds.
Codex Remedium analyzes every commit, identifies this specific weakness and delivers a review-ready pull request with the fix. No tickets. No hand-offs.
Frequently asked questions
What is CWE-312?
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.
How severe is CWE-312?
MITRE has not published an exploitation-likelihood rating for this weakness. Treat it as medium impact until your threat model proves otherwise.
Which languages or platforms are affected by CWE-312?
MITRE lists the following affected platforms: Cloud Computing, ICS/OT, Mobile.
How can I prevent CWE-312?
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301] In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
How does Plexicus detect and fix CWE-312?
The Plexicus SAST engine recognizes the CWE-312 data-flow signature on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests and a one-line summary for the reviewer.
Where can I learn more about CWE-312?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/312.html. You can also consult the OWASP and NIST documentation for adjacent guidance.
Weaknesses related to CWE-312
Missing Encryption of Sensitive Data
This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed.
Cleartext Transmission of Sensitive Information
This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection…
Cleartext Storage in a File or on Disk
This vulnerability occurs when an application writes sensitive data, such as passwords or personal information, directly to a file or disk…
Cleartext Storage in the Registry
This vulnerability occurs when an application saves sensitive data, like passwords or keys, as plain text in the Windows Registry.
Cleartext Storage of Sensitive Information in a Cookie
This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie…
Cleartext Storage of Sensitive Information in Memory
This vulnerability occurs when an application stores sensitive data, such as passwords or encryption keys, in memory without any form of…
Cleartext Storage of Sensitive Information in GUI
This vulnerability occurs when an application stores sensitive data, such as passwords or personal information, in plain text within its…
Cleartext Storage of Sensitive Information in Executable
This vulnerability occurs when an application embeds sensitive information, like passwords or keys, directly within its executable code…
Cleartext Storage of Sensitive Information in an Environment Variable
This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment…
Further reading
- MITRE: official CWE-312 entry https://cwe.mitre.org/data/definitions/312.html
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Mobile App Top 10 List https://www.veracode.com/blog/2010/12/mobile-app-top-10-list
- OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management https://www.forescout.com/resources/ot-icefall-report/
- Over 80 US Municipalities' Sensitive Information, Including Resident's Personal Data, Left Vulnerable in Massive Data Breach https://www.wizcase.com/blog/us-municipality-breach-report/
- 1,000 GB of local government data exposed by Massachusetts software company https://www.zdnet.com/article/1000-gb-of-local-government-data-exposed-by-massachusetts-software-company/
Stop paying per developer.
Start closing the loop.
Plexicus is the AI-native ASPM that scans, filters, fixes, pentests and explains, autonomously. Unlimited developers, unlimited repositories, fair-use AI actions. A true free tier, €269/mo billed annually when you are ready.