The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
View on MITREAnyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination, whether across the internet, an internal network, the cloud, etc. Some actors might have privileged access to a network interface or any link along the channel, such as a router, but they might not be authorized to collect the underlying data. As a result, network traffic could be sniffed by adversaries, spilling security-critical data.
When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
No detection method information available for this CWE.
The following code attempts to establish a connection to a site to communicate sensitive information.
Though a connection is successfully made, the connection is unencrypted and it is possible that all sensitive data sent to or received from the server will be read by unintended actors.
The following Azure CLI command lists the properties of a particular storage account:
The JSON result might be:
The following Azure CLI command lists the properties of a particular storage account:
The JSON result might be:
The following Azure CLI command lists the properties of a particular storage account:
The JSON result might be:
Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.
View DetailsBuilding Controller uses a protocol that transmits authentication credentials in plaintext.
View DetailsChain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP.
View DetailsRemote management feature sends sensitive information including passwords in cleartext.
View DetailsPrinter sends configuration information, including administrative password, in cleartext.
View DetailsChain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294).
View DetailsProduct sends file with cleartext passwords in e-mail message intended for diagnostic purposes.
View DetailsNo relationship information available for this CWE.
CWE-319: Cleartext Transmission of Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
If exploited, CWE-319 (Cleartext Transmission of Sensitive Information) it can compromise Integrity and Confidentiality, leading to outcomes such as Read Application Data, Modify Files or Directories and Other.
Recommended mitigations for CWE-319 include: Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols. When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page. When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
CWE-319 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-319, including CVE-2022-29519, CVE-2022-30312, CVE-2022-31204, CVE-2002-1949 and CVE-2008-4122. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-319 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.