1. Home
  2. Weaknesses
  3. CWE-312

CWE-312: Cleartext Storage of Sensitive Information

ID CWE-312
Abstraction Base
Structure Simple
Status Draft
Number of CVEs 555
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Because the information is stored in cleartext (i.e., unencrypted), attackers could potentially read it. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

When organizations adopt cloud services, it can be easier for attackers to access the data from anywhere on the Internet.

In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

Modes of Introduction

Phase Note
Architecture and Design OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific
Technology Cloud Computing
Technology ICS/OT
Technology Mobile

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-311 Missing Encryption of Sensitive Data Class Simple Draft
CWE-1003 Weaknesses for Simplified Mapping of Published Vulnerabilities Incomplete CWE-311 Missing Encryption of Sensitive Data Class Simple Draft
CWE-1000 Research Concepts Draft CWE-922 Insecure Storage of Sensitive Information Class Simple Incomplete

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-37 Retrieve Embedded Sensitive Data CWE-312

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date