CWE-319: Cleartext Transmission of Sensitive Information

BaseDraftExploit Likelihood: High

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-319: Cleartext Transmission of Sensitive Information?+

CWE-319: Cleartext Transmission of Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

What are the security consequences of Cleartext Transmission of Sensitive Information?+

If exploited, CWE-319 (Cleartext Transmission of Sensitive Information) it can compromise Integrity and Confidentiality, leading to outcomes such as Read Application Data, Modify Files or Directories and Other.

How do you prevent or mitigate Cleartext Transmission of Sensitive Information?+

Recommended mitigations for CWE-319 include: Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols. When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page. When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.

Which programming languages are affected by Cleartext Transmission of Sensitive Information?+

CWE-319 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Cleartext Transmission of Sensitive Information?+

MITRE documents real CVEs mapped to CWE-319, including CVE-2022-29519, CVE-2022-30312, CVE-2022-31204, CVE-2002-1949 and CVE-2008-4122. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-319 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More