When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [ REF-1297 ] [ REF-1299 ] [ REF-1301 ]
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
No detection method information available for this CWE.
No examples or observed CVEs available for this CWE.
CWE-312: CWE-312: Cleartext Storage of Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description
If exploited, CWE-312 (CWE-312: Cleartext Storage of Sensitive Information) it can compromise Read Application Data, leading to outcomes such as Scope: Confidentiality An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used and then decode the information..
Recommended mitigations for CWE-312 include: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [ REF-1297 ] [ REF-1299 ] [ REF-1301 ] In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CWE-312 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-312 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.