CWE-312: CWE-312: Cleartext Storage of Sensitive Information

BaseStable

Description

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms
Languages

Frequently Asked Questions

What is CWE-312: CWE-312: Cleartext Storage of Sensitive Information?+

CWE-312: CWE-312: Cleartext Storage of Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description

What are the security consequences of CWE-312: Cleartext Storage of Sensitive Information?+

If exploited, CWE-312 (CWE-312: Cleartext Storage of Sensitive Information) it can compromise Read Application Data, leading to outcomes such as Scope: Confidentiality An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used and then decode the information..

How do you prevent or mitigate CWE-312: Cleartext Storage of Sensitive Information?+

Recommended mitigations for CWE-312 include: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [ REF-1297 ] [ REF-1299 ] [ REF-1301 ] In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.

Which programming languages are affected by CWE-312: Cleartext Storage of Sensitive Information?+

CWE-312 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-312 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More