
CWE-256 Plaintext Storage of a Password: Vulnerability List (161)

A summary of the 161 CVE vulnerabilities associated with the CWE-256 Plaintext Storage of a Password weakness class, with AI-generated analysis in Chinese.

CWE-256 covers a product that stores a password in plaintext in a resource such as memory or a file; it belongs to the class of improper data protection weaknesses. An attacker who gains access to the system can read the plaintext password straight from the storage medium and then impersonate a legitimate user to obtain unauthorized access or move laterally. Developers should avoid storing plaintext at all and instead apply a salted hash so the stored value cannot be reversed, and should keep any keys involved under secure key management, which effectively removes the risk of credential leakage.

MITRE CWE official description
CWE: CWE-256 Plaintext Storage of a Password. English: The product stores a password in plaintext within resources such as memory or files.
Common consequences (1)
Access Control: Gain Privileges or Assume Identity
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.
Mitigations (3)
Architecture and Design: Avoid storing passwords in easily accessible locations.
Architecture and Design: Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
Effectiveness: None
Code examples (2)
The following code reads a password from a properties file and uses the password to connect to a database.
```java
import java.io.FileInputStream;
import java.sql.DriverManager;
import java.util.Properties;

// ...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
// The password is read exactly as it sits in the file: anyone who can read
// config.properties has the database credential.
String password = prop.getProperty("password");
DriverManager.getConnection(url, usr, password);
// ...
```
Bad · Java
The following code reads a password from the registry and uses the password to create a new network credential.
```java
// ...
// The registry value holds the password in plaintext, so any principal with
// read access to the key obtains the network credential.
String password = regKey.GetValue(passKey).toString();
NetworkCredential netCred = new NetworkCredential(username, password, domain);
// ...
```
Bad · Java
| CVE ID | Title | Affected product | CVSS | Risk level | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2022-41732 | IBM Maximo Mobile security vulnerability | Maximo Mobile | 6.2 | Medium | 2022-11-28 |
| CVE-2022-43958 | Siemens Quality Management System security vulnerability | QMS Automotive | 7.6 | High | 2022-11-08 |
| CVE-2022-3644 | pulp_ansible security vulnerability | pulp_ansible | 7.1 | - | 2022-10-25 |
| CVE-2022-3287 | fwupd security vulnerability | fwupd | 6.5 | - | 2022-09-28 |
| CVE-2022-36308 | Airspan AirVelocity 1500 security vulnerability | AirVelocity | 9.1 | - | 2022-08-16 |
| CVE-2022-33928 | Dell Wyse Management Suite security vulnerability | Wyse Management Suite | 6.4 | Medium | 2022-08-10 |
| CVE-2022-1794 | 3S-Smart Software Solutions CODESYS security vulnerability | CODESYS OPC DA Server | 5.5 | Medium | 2022-07-11 |
| CVE-2022-27548 | HCL Technologies HCL Launch security vulnerability | HCL Launch | 4.9 | Medium | 2022-07-06 |
| CVE-2022-31044 | Rundeck security vulnerability | rundeck | 7.5 | High | 2022-06-15 |
| CVE-2022-29085 | Multiple Dell products security vulnerability | Unity | 6.4 | Medium | 2022-06-02 |
| CVE-2022-22557 | Dell EMC PowerStore authorization issue vulnerability | PowerStore | 7.5 | High | 2022-06-02 |
| CVE-2021-32978 | CLICK PLC CPU Modules security vulnerability | CLICK PLC CPU Modules: C0-1x CPUs | 7.5 | High | 2022-04-04 |
| CVE-2020-25184 | Rockwell Automation ISaGRAF security vulnerability | ISaGRAF Runtime | 7.8 | High | 2022-03-18 |
| CVE-2021-43590 | Dell Emc Enterprise Storage Analytics For Vrealize Operations security vulnerability | Dell EMC Enterprise Storage Analytics for vRealize Operations | 6.0 | Medium | 2022-03-04 |
| CVE-2022-22554 | Dell Emc System Update security vulnerability | DellEMC System Update - DSU | 8.2 | High | 2022-01-24 |
| CVE-2021-23207 | Fresenius Kabi Agilia Connect Infusion System security vulnerability | Vigilant Software Suite (Mastermed Dashboard) | 6.5 | Medium | 2022-01-21 |
| CVE-2021-36317 | DELL Dell EMC Avamar Server security vulnerability | Avamar | 6.7 | Medium | 2021-12-21 |
| CVE-2021-3787 | Binatone Hubble security vulnerability | Binatone Hubble Cameras | 6.4 | Medium | 2021-11-12 |
| CVE-2021-36309 | Dell Enterprise Sonic Os information disclosure vulnerability | Enterprise SONiC OS | 7.1 | High | 2021-10-01 |
| CVE-2021-1589 | Cisco SD-WAN vManage Software authorization issue vulnerability | Cisco SD-WAN vManage | 6.5 | Medium | 2021-09-23 |
| CVE-2020-5315 | DELL EMC Repository Manager security vulnerability | Dell EMC Repository Manager (DRM) | 8.8 | High | 2021-07-19 |
| CVE-2021-25358 | Samsung SMR security vulnerability | Samsung Mobile Devices | 4.0 | Medium | 2021-04-09 |
| CVE-2021-1126 | Cisco Firepower Management Center information disclosure vulnerability | Cisco Firepower Management Center | 5.5 | - | 2021-01-13 |
| CVE-2020-26079 | Cisco IoT Field Network Director security vulnerability | Cisco IoT Field Network Director (IoT-FND) | 4.9 | - | 2020-11-18 |
| CVE-2020-8183 | Nextcloud security vulnerability | Nextcloud Server | 6.5 | - | 2020-10-30 |
| CVE-2020-1669 | Juniper Networks Junos OS NFX information disclosure vulnerability | Junos OS | 6.3 | Medium | 2020-10-16 |
| CVE-2020-3483 | Duo Network Gateway security vulnerability | Duo Network Gateway (DNG) | 7.1 | High | 2020-10-14 |
| CVE-2020-10609 | Grundfos CIM 500 security vulnerability | CIM 500 | 9.8 | - | 2020-07-27 |
| CVE-2020-5374 | Dell EMC OpenManage Integration for Microsoft System Center security vulnerability | OMIMSSC (OpenManage Integration for Microsoft System Center) | 8.8 | High | 2020-07-14 |
| CVE-2019-19105 | ABB Telephone Gateway TG/S and Busch-Jaeger Telefon-Gateway security vulnerability | TG/S 3.2 Telephone Gateway | 6.2 | Medium | 2020-04-22 |

CWE-256 (Plaintext Storage of a Password) is a common weakness class; this platform has collected 161 CVE vulnerabilities associated with it.