
CWE-312 Cleartext Storage of Sensitive Data: vulnerability list (254)

Summary of the 254 CVE vulnerabilities associated with the CWE-312 (Cleartext Storage of Sensitive Data) weakness class, with AI-generated Chinese analysis.

CWE-312 refers to sensitive information being stored in cleartext in a resource that may be accessible to another control sphere. Attackers commonly steal credentials and other critical data by reading configuration files, logs or database files directly. Developers should avoid this risk by encrypting data at rest with strong encryption algorithms, strictly limiting file access permissions, and regularly reviewing data-storage logic, so that sensitive information is retained only when necessary and only in encrypted form, preventing unauthorized access.

MITRE CWE official description
CWE-312 Cleartext Storage of Sensitive Information: The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Common Consequences (1)
Confidentiality: Read Application Data
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Potential Mitigations (2)
Implementation, System Configuration, Operation: When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Implementation, System Configuration, Operation: In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Demonstrative Examples (2)
The following code excerpt stores a plaintext user account ID in a browser cookie.
response.addCookie( new Cookie("userAccountID", acctID) );
Bad · Java
This code writes a user's login information to a cookie so the user does not have to log in again later.
function persistLogin($username, $password) {
    $data = array("username" => $username, "password" => $password);
    setcookie("userdata", $data);
}
Bad · PHP
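An added illustration, written in Python rather than the Java/PHP of the MITRE examples above and not taken from the CWE entry or from any project listed on this page: the cleartext-credential cookie pattern beside a hardened form that keeps the password server-side as a salted, slow PBKDF2 hash and hands the browser only an opaque random session token, plus a small defender-side check that a cookie value does not carry a known secret verbatim. It also demonstrates the description's advice that sensitive data should not be kept where another party can read it. All names (persist_login_bad, SessionStore, cookie_leaks_secret, the sample user and password) are invented for this example.

```python
"""Cleartext credential cookie (CWE-312) beside a hardened session design.

Added illustration; not code from MITRE or from any product listed on the page.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample credential, used only by this example.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"

# Work factor for PBKDF2-HMAC-SHA256; deliberately slow to resist offline guessing.
PBKDF2_ITERATIONS = 600_000


def persist_login_bad(username: str, password: str) -> Dict[str, str]:
    """Mirrors the page's PHP example: the credential itself is the cookie value,
    so anyone who can read the cookie jar, a proxy log or a backup learns it."""
    return {"userdata": f"username={username};password={password}"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a per-user salted, one-way hash instead of the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class SessionStore:
    """Server-side map from an opaque random token to an account id.
    The browser only ever holds the token; account id and password stay on the server."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def create(self, account_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = account_id
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def persist_login_hardened(store: SessionStore, account_id: str) -> Dict[str, str]:
    """Hardened replacement for both MITRE examples: an unguessable token in the cookie,
    sent with HttpOnly (no script access), Secure (TLS only) and SameSite attributes."""
    token = store.create(account_id)
    return {"session": token, "attributes": "HttpOnly; Secure; SameSite=Lax; Path=/"}


def cookie_leaks_secret(cookie: Dict[str, str], *secrets_to_check: str) -> bool:
    """Defender-side check: does any cookie value contain a known secret verbatim?"""
    return any(s in value for value in cookie.values() for s in secrets_to_check)


if __name__ == "__main__":
    bad = persist_login_bad(SAMPLE_USER, SAMPLE_PASSWORD)
    print("bad cookie leaks the password:", cookie_leaks_secret(bad, SAMPLE_PASSWORD))
    store = SessionStore()
    good = persist_login_hardened(store, "acct-1234")
    print("hardened cookie leaks the account id:", cookie_leaks_secret(good, "acct-1234"))
    print("token resolves server-side to:", store.lookup(good["session"]))
    record = hash_password(SAMPLE_PASSWORD)
    print("stored record:", record)
    print("correct password verifies:", verify_password(SAMPLE_PASSWORD, record))
```

The same split applies to any at-rest store, not just cookies: what leaves the trust boundary should be a random reference, and what stays behind it should be hashed (credentials) or encrypted with a key held elsewhere (data that must be recoverable).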
CVE ID | Title | Affected product | CVSS | Risk level | Published
CVE-2021-22929 | Brave log information disclosure vulnerability | https://github.com/brave/brave-core | 2.8 | - | 2021-08-31
CVE-2021-29481 | Ratpack security vulnerability | ratpack | 6.5 | Medium | 2021-06-29
CVE-2021-27487 | ZOLL Defibrillator Dashboard security vulnerability | ZOLL Defibrillator Dashboard | 5.5 | - | 2021-06-16
CVE-2018-16498 | Versa Networks Versa Director security vulnerability | Versa Director | 8.1 | - | 2021-05-26
CVE-2021-20995 | WAGO security vulnerability | 0852-0303 | 5.3 | Medium | 2021-05-13
CVE-2021-21339 | TYPO3 cross-site scripting vulnerability | TYPO3.CMS | 5.9 | Medium | 2021-03-23
CVE-2021-23878 | McAfee Endpoint Security cryptographic issue vulnerability | Endpoint Security (ENS) for Windows | 7.3 | High | 2021-02-10
CVE-2021-1265 | Cisco DNA Center security vulnerability | Cisco Digital Network Architecture Center (DNA Center) | 6.5 | - | 2021-01-20
CVE-2020-25678 | Some Red Hat products security vulnerability | ceph | 5.5 | - | 2021-01-08
CVE-2020-29502 | Dell EMC PowerStore access control error vulnerability | PowerStore | 7.5 | High | 2021-01-05
CVE-2020-29501 | Dell EMC PowerStore security vulnerability | PowerStore | 6.4 | Medium | 2021-01-05
CVE-2020-29500 | Dell EMC PowerStore information disclosure vulnerability | PowerStore | 7.5 | High | 2021-01-05
CVE-2020-26288 | parse-server cryptographic issue vulnerability | parse-server | 7.7 | High | 2020-12-30
CVE-2020-25677 | Red Hat ceph-ansible security vulnerability | ceph-ansible | 5.5 | - | 2020-12-08
CVE-2020-26228 | TYPO3 cryptographic issue vulnerability | TYPO3.CMS | 8.1 | High | 2020-11-23
CVE-2020-8276 | Brave Desktop privacy-preserving analytics system security vulnerability | https://github.com/brave/brave-core | 5.5 | - | 2020-11-09
CVE-2020-8225 | Nextcloud Desktop Client security vulnerability | Desktop Client | 6.5 | - | 2020-09-18
CVE-2020-15784 | SUSE Linux Enterprise Server security vulnerability | Spectrum Power 4 | 5.3 | - | 2020-09-09
CVE-2020-7517 | Schneider Electric Easergy Builder security vulnerability | Easergy Builder (Version 1.4.7.2 and older) | 5.5 | - | 2020-07-23
CVE-2020-7516 | Schneider Electric Easergy Builder security vulnerability | Easergy Builder V1.4.7.2 and prior | 7.8 | - | 2020-07-23
CVE-2020-15105 | Django Two-Factor Authentication security vulnerability | django-two-factor-auth | 5.4 | Medium | 2020-07-10
CVE-2020-15085 | MIRUMEE SOFTWARE Saleor Storefront security vulnerability | saleor-storefront | 6.9 | Medium | 2020-06-30
CVE-2020-7513 | Schneider Electric Easergy T300 information disclosure vulnerability | Easergy T300 (Firmware version 1.5.2 and older) | 7.5 | - | 2020-06-16
CVE-2020-9045 | Johnson Controls Software House C•CURE 9000 and American Dynamics victor Video Management System security vulnerability | Software House C•CURE 9000 v2.70 | 9.9 | Critical | 2020-05-21
CVE-2020-10706 | Red Hat OpenShift Container Platform security vulnerability | openshift/openshift-apiserver | 6.3 | Medium | 2020-05-12
CVE-2020-5723 | Grandstream UCM6200 security vulnerability | Grandstream UCM6200 series | 9.8 | - | 2020-03-30
CVE-2020-6980 | Multiple Rockwell Automation products security vulnerability | Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior | 3.3 | - | 2020-03-16
CVE-2019-14886 | Business-central security vulnerability | Business-central | 6.5 | - | 2020-03-05
CVE-2019-18238 | Moxa IOxpress Configuration Utility and ioLogik 2500 security vulnerability | Moxa ioLogik 2500 series firmware, Version 3.0 or lower, IOxpress configuration utility, Version 2.3.0 or lower | 7.5 | - | 2020-02-26
CVE-2019-14890 | Ansible Tower security vulnerability | Tower | 6.5 | - | 2019-11-26

CWE-312 (Cleartext Storage of Sensitive Data) is a common weakness category; this platform has collected 254 CVE vulnerabilities associated with it.