Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-312 Base Rascunho
Cleartext Storage of Sensitive Information
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in…
Definição
What is CWE-312?
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.
Storing sensitive information in cleartext is a fundamental security failure because it removes the primary barrier protecting data at rest. Whether the exposure happens via a database breach, log file leakage, or insecure backups, attackers can immediately read and misuse the information without needing to crack encryption. This flaw directly violates the core security principle of defense in depth and is often the root cause of massive data breaches.
To prevent this, developers must ensure that all sensitive data is encrypted before being written to any storage medium, using strong, standard cryptographic libraries. Additionally, consider minimizing data collection, implementing robust key management, and regularly auditing storage locations—like logs, debug files, and analytics caches—to ensure no sensitive data is accidentally persisted in plain text.
Impacto no mundo real
Real-world CVEs caused by CWE-312
-
Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
-
password and username stored in cleartext in a cookie
-
password stored in cleartext in a file with insecure permissions
-
chat program disables SSL in some circumstances even when the user says to use SSL.
-
Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
-
storage of unencrypted passwords in a database
-
storage of unencrypted passwords in a database
-
product stores a password in cleartext in memory
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
The following code excerpt stores a plaintext user account ID in a browser cookie.
- 2
Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.
- 3
This code writes a user's login information to a cookie so the user does not have to login again later.
- 4
The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie.
- 5
Also note this example code also exhibits Plaintext Storage in a Cookie (CWE-315).
Exemplo de código vulnerável
Vulnerable Java
The following code excerpt stores a plaintext user account ID in a browser cookie.
response.addCookie( new Cookie("userAccountID", acctID); Exemplo de código seguro
Secure Other
While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.
The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297] What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-312
- Implementation / System Configuration / Operation When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
- Implementation / System Configuration / Operation In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Sinais de deteção
How to detect CWE-312
O Plexicus deteta automaticamente o CWE-312 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-312?
Qual a gravidade do CWE-312?
Que linguagens ou plataformas são afetadas pelo CWE-312?
Como posso prevenir o CWE-312?
Como é que o Plexicus deteta e corrige o CWE-312?
Onde posso saber mais sobre o CWE-312?
Frequently asked questions
O que é o CWE-312?
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.
Qual a gravidade do CWE-312?
A MITRE não publicou uma classificação de probabilidade de exploração para esta fraqueza. Trate-a como impacto médio até o seu modelo de ameaças provar o contrário.
Que linguagens ou plataformas são afetadas pelo CWE-312?
MITRE lists the following affected platforms: Cloud Computing, ICS/OT, Mobile.
Como posso prevenir o CWE-312?
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301] In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Como é que o Plexicus deteta e corrige o CWE-312?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-312 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-312?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/312.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-312
CWE-311 Pai
Missing Encryption of Sensitive Data
This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed.
CWE-319 Irmão
Cleartext Transmission of Sensitive Information
This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection…
CWE-313 Filho
Cleartext Storage in a File or on Disk
This vulnerability occurs when an application writes sensitive data, such as passwords or personal information, directly to a file or disk…
CWE-314 Filho
Cleartext Storage in the Registry
This vulnerability occurs when an application saves sensitive data, like passwords or keys, as plain text in the Windows Registry.
CWE-315 Filho
Cleartext Storage of Sensitive Information in a Cookie
This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie…
CWE-316 Filho
Cleartext Storage of Sensitive Information in Memory
This vulnerability occurs when an application stores sensitive data, such as passwords or encryption keys, in memory without any form of…
CWE-317 Filho
Cleartext Storage of Sensitive Information in GUI
This vulnerability occurs when an application stores sensitive data, such as passwords or personal information, in plain text within its…
CWE-318 Filho
Cleartext Storage of Sensitive Information in Executable
This vulnerability occurs when an application embeds sensitive information, like passwords or keys, directly within its executable code…
CWE-526 Filho
Cleartext Storage of Sensitive Information in an Environment Variable
This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment…
Recursos
Further reading
- MITRE — CWE-312 oficial https://cwe.mitre.org/data/definitions/312.html
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Mobile App Top 10 List https://www.veracode.com/blog/2010/12/mobile-app-top-10-list
- OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management https://www.forescout.com/resources/ot-icefall-report/
- Over 80 US Municipalities' Sensitive Information, Including Resident's Personal Data, Left Vulnerable in Massive Data Breach https://www.wizcase.com/blog/us-municipality-breach-report/
- 1,000 GB of local government data exposed by Massachusetts software company https://www.zdnet.com/article/1000-gb-of-local-government-data-exposed-by-massachusetts-software-company/
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.