
CWE-256 Plaintext Storage of a Password: vulnerability list (161)

CWE-256 Plaintext Storage of a Password: summary of the 161 CVEs in this weakness class, with AI-generated Chinese analysis.

CWE-256 describes a product that stores a password in plaintext in a resource such as memory or a file; it belongs to the improper data protection class of weaknesses. An attacker who gains access to the system can read the plaintext password directly from the storage medium and then impersonate the legitimate user for unauthorized access or lateral movement. Developers should avoid storing plaintext at all: apply a salted, irreversible hash to passwords the product verifies, and keep key management secure, so that credential exposure is effectively prevented.

Official MITRE CWE description
CWE: CWE-256 Plaintext Storage of a Password. Original (English): The product stores a password in plaintext within resources such as memory or files.
Common consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.
Mitigations (3)
Phase: Architecture and Design. Avoid storing passwords in easily accessible locations.
Phase: Architecture and Design. Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
Effectiveness: None
Code examples (2)
The following code reads a password from a properties file and uses the password to connect to a database.

    ...
    // Bad: the password sits in config.properties in plaintext, readable by
    // anyone who can read the file.
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...

Bad · Java
The following code reads a password from the registry and uses the password to create a new network credential.

    ...
    // Bad: the password is stored in the registry in plaintext, readable by
    // anyone with read access to the key.
    String password = regKey.GetValue(passKey).ToString();
    NetworkCredential netCred = new NetworkCredential(username, password, domain);
    ...

Bad · C#
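Added example (not MITRE's or this platform's code) showing the second mitigation in Python: the password is stored as a salted PBKDF2-HMAC-SHA256 record and checked by re-deriving it, and the base64 "obscuring" rated Effectiveness: None above is shown to decode straight back to the password. Hashing only fits passwords the product itself verifies; an outbound credential like the database password in the Java example is needed in plaintext at connect time, so the first mitigation (keep it out of easily accessible locations) is the one that applies there. The iteration count, salt size and record format are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256 with a random
# 16-byte salt per password; tune the iteration count to the verifying host.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store instead of the plaintext.

    Assumed self-describing format: pbkdf2_sha256$<iters>$<salt b64>$<hash b64>.
    Reading config.properties or the registry now yields only this string.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=DKLEN)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS,
                                       base64.b64encode(salt).decode("ascii"),
                                       base64.b64encode(digest).decode("ascii"))

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # malformed or unknown record: never fall back to plaintext
    try:
        iterations = int(parts[1])
        salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except ValueError:
        return False
    if iterations <= 0 or len(expected) != DKLEN:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=DKLEN)
    return hmac.compare_digest(candidate, expected)

def base64_obscuring_is_reversible(password: str) -> bool:
    """The 'Effectiveness: None' case above: base64 is an encoding, not protection,
    so the stored value decodes straight back to the password."""
    obscured = base64.b64encode(password.encode("utf-8")).decode("ascii")
    return base64.b64decode(obscured).decode("utf-8") == password

if __name__ == "__main__":
    record = hash_password("hunter2-example")  # constructed sample password
    print(verify_password("hunter2-example", record), verify_password("guess", record))
```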
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-52361 | IBM Storage Defender security vulnerability | Storage Defender - Resiliency Service | 5.7 | Medium | 2024-12-18
CVE-2023-50956 | IBM Storage Defender security vulnerability | Storage Defender - Resiliency Service | 4.4 | Medium | 2024-12-18
CVE-2024-53292 | Dell VxVerify security vulnerability | Dell VxRail HCI | 7.2 | High | 2024-12-11
CVE-2024-11982 | Billion Electric multiple products security vulnerability | M100 | 7.2 | High | 2024-11-29
CVE-2024-36464 | Zabbix security vulnerability | Zabbix | 2.7 | Low | 2024-11-27
CVE-2024-29978 | Sharp MFP security vulnerability | Multiple MFPs (multifunction printers) | 5.9 | Medium | 2024-11-26
CVE-2024-49351 | IBM Workload Scheduler security vulnerability | Workload Scheduler | 5.5 | Medium | 2024-11-26
CVE-2024-49370 | Pimcore security vulnerability | pimcore | 6.5 (AI) | Medium (AI) | 2024-10-23
CVE-2024-42496 | Smart-tab security vulnerability | Smart-tab Android app | 6.8 | - | 2024-09-30
CVE-2024-31899 | IBM Cognos Command Center security vulnerability | Cognos Command Center | 4.3 | Medium | 2024-09-26
CVE-2024-5960 | Eliz Panel security vulnerability | Panel | 9.8 | Critical | 2024-09-18
CVE-2024-20489 | Cisco IOS XR security vulnerability | Cisco IOS XR Software | 8.4 | High | 2024-09-11
CVE-2024-45283 | SAP NetWeaver AS security vulnerability | SAP NetWeaver AS for Java (Destination Service) | 6.0 | Medium | 2024-09-10
CVE-2024-43378 | Calamares Branding and Modules for NixOS security vulnerability | calamares-nixos-extensions | 7.8 | High | 2024-08-15
CVE-2024-39922 | Siemens LOGO! security vulnerability | LOGO! 12/24RCE | 4.6 | Medium | 2024-08-13
CVE-2024-36460 | Zabbix security vulnerability | Zabbix | 8.1 | High | 2024-08-09
CVE-2024-6118 | Hamastar MeetingHub Paperless Meetings security vulnerability | MeetingHub Paperless Meetings | 7.8 (AI) | High (AI) | 2024-08-05
CVE-2024-37135 | Dell DM5500 security vulnerability | Data Manager Appliance Software (DMAS) | 3.3 | Low | 2024-07-31
CVE-2024-3082 | Plug and Track Sensor Net Connect security vulnerability | Sensor Net Connect V2 | 4.2 | Medium | 2024-07-31
CVE-2024-39733 | IBM Datacap Navigator security vulnerability | Datacap Navigator | 5.5 | Medium | 2024-07-14
CVE-2024-25052 | IBM Jazz Reporting Service security vulnerability | Jazz Reporting Service | 4.4 | Medium | 2024-06-13
CVE-2024-4232 | Digisol Router security vulnerability | Digisol Router DG-GR1321 | 3.9 | - | 2024-05-10
CVE-2024-4425 | CemiPark security vulnerability | CemiPark | 7.5 | - | 2024-05-09
CVE-2024-28971 | Dell Update Manager Plugin security vulnerability | Update Manager Plugin | 3.5 | Low | 2024-05-08
CVE-2024-28961 | Dell OpenManage Enterprise security vulnerability | Dell OpenManage Enterprise | 6.3 | Medium | 2024-04-29
CVE-2024-3624 | Red Hat OpenShift security vulnerability | | 7.3 | High | 2024-04-25
CVE-2024-3625 | Red Hat OpenShift security vulnerability | | 7.3 | High | 2024-04-25
CVE-2024-3623 | Red Hat OpenShift security vulnerability | | 6.5 | Medium | 2024-04-25
CVE-2024-3622 | Red Hat OpenShift security vulnerability | | 8.8 | High | 2024-04-25
CVE-2024-28782 | IBM QRadar Suite and IBM Cloud Pak for Security security vulnerability | QRadar Suite Software | 6.3 | Medium | 2024-04-03

Values marked (AI) carry the listing's "AI" badge: the score and severity were produced by the platform's AI analysis rather than taken from an official rating. A "-" severity means the listing gave none.

CWE-256 (Plaintext Storage of a Password) is a common weakness category; this platform has collected 161 CVEs associated with it.