1. Home
  2. Weaknesses
  3. CWE-319

CWE-319: Cleartext Transmission of Sensitive Information

ID CWE-319
Abstraction Base
Structure Simple
Status Draft
Number of CVEs 625
Detail CAPEC Dashboard Vulnerabilities Web & Social
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination, whether across the internet, an internal network, the cloud, etc. Some actors might have privileged access to a network interface or any link along the channel, such as a router, but they might not be authorized to collect the underlying data. As a result, network traffic could be sniffed by adversaries, spilling security-critical data.

Applicable communication channels are not limited to software products. Applicable channels include hardware-specific technologies such as internal hardware networks and external debug channels, supporting remote JTAG debugging. When mitigations are not applied to combat adversaries within the product's threat model, this weakness significantly lowers the difficulty of exploitation by such adversaries.

When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

Modes of Introduction

Phase Note
Architecture and Design OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Architecture and Design For hardware, this may be introduced when design does not plan for an attacker having physical access while a legitimate user is remotely operating the device.
Operation
System Configuration

Applicable Platforms

Type Class Name Prevalence
Language Not Language-Specific
Technology Cloud Computing
Technology Mobile
Technology ICS/OT
Technology System on Chip
Technology Test/Debug Hardware

Relationships

View Weakness
# ID View Status # ID Name Abstraction Structure Status
CWE-1000 Research Concepts Draft CWE-311 Missing Encryption of Sensitive Data Class Simple Draft
CWE-1003 Weaknesses for Simplified Mapping of Published Vulnerabilities Incomplete CWE-311 Missing Encryption of Sensitive Data Class Simple Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPECâ„¢) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
# ID Name Weaknesses
CAPEC-65 Sniff Application Code CWE-319
CAPEC-102 Session Sidejacking CWE-319
CAPEC-117 Interception CWE-319
CAPEC-383 Harvesting Information via API Event Monitoring CWE-319
CAPEC-477 Signature Spoofing by Mixing Signed and Unsigned Content CWE-319

CVEs Published

Based on CVE published date

CVSS Severity

CVSS Severity - By Year

CVSS Base Score

# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date