
CWE-312 Cleartext Storage of Sensitive Information: vulnerability list (253)

Summary of the 253 CVE entries classified under CWE-312, Cleartext Storage of Sensitive Information, with AI-generated Chinese analysis.

CWE-312 covers sensitive information that is stored in cleartext in a resource which another control sphere may be able to read. Attackers typically do not need an exploit: they steal credentials and other critical data simply by reading configuration files, logs, database files, or client-side stores such as cookies. Encoding the data (for example with base64) does not help, because the encoding is trivially recognised and reversed. Developers should avoid this class of weakness by encrypting data at rest with a strong, authenticated cipher, strictly restricting file access permissions, and periodically reviewing where the application persists data, so that sensitive information is retained only when necessary and only in encrypted form.
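The last step above, periodically reviewing where sensitive data lands on disk, can be partly automated. The following Python is an added example, not from the original page: it walks a directory, flags lines that look like cleartext credentials, private keys or cloud access key IDs, and records whether each file is readable by group or others. The directory tree and file contents are constructed for the demonstration (the AKIA... value is AWS's documented example key ID), and the patterns are heuristics that will miss encoded or split secrets.

```python
"""Find cleartext secrets at rest and flag loose file permissions.

Added example, not from the original page. The directory tree, file names and
file contents below are constructed for the demonstration; the regexes are
deliberately simple heuristics.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# Indicators of sensitive data stored in cleartext. Each pattern is a heuristic.
SECRET_PATTERNS = {
    "credential assignment": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*\S+"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str             # file containing the hit, relative to the scan root
    line_no: int          # 1-based line number
    indicator: str        # key of SECRET_PATTERNS that matched
    world_readable: bool  # group or others can read the file (POSIX mode bits)


def loose_permissions(path: str) -> bool:
    """True if group or others hold read permission on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_tree(root: str) -> List[Finding]:
    """Walk root and report every line that looks like a cleartext secret."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            loose = loose_permissions(path)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, start=1):
                    for indicator, pattern in SECRET_PATTERNS.items():
                        if pattern.search(line):
                            findings.append(Finding(os.path.relpath(path, root),
                                                    line_no, indicator, loose))
    return sorted(findings, key=lambda f: (f.path, f.line_no, f.indicator))


def build_sample_tree() -> str:
    """Create a constructed tree mixing cleartext secrets with a benign file."""
    root = tempfile.mkdtemp(prefix="cwe312-")
    samples = {
        # constructed: a config file with a cleartext DB password
        "app.properties": "db.user=app\ndb.password=Tr0ub4dor&3\n",
        # constructed log line; the key ID is AWS's documented example value
        "deploy.log": "2024-01-01T00:00:00Z INFO rotating key AKIAIOSFODNN7EXAMPLE\n",
        # constructed: PEM header only, body is a placeholder
        "id_rsa": ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "constructed-placeholder\n"
                   "-----END OPENSSH PRIVATE KEY-----\n"),
        # constructed: mentions the word but stores no secret, must not match
        "README.txt": "password policy: at least 12 characters, rotated yearly\n",
    }
    for name, body in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        # Lock down the properties file; leave the others group/world-readable
        # on purpose so the permission flag has something to report.
        os.chmod(path, 0o600 if name == "app.properties" else 0o644)
    return root


def report(root: str) -> List[str]:
    """Human-readable one-line-per-finding summary."""
    return [f"{f.path}:{f.line_no} {f.indicator}"
            + (" (world-readable)" if f.world_readable else "")
            for f in scan_tree(root)]


if __name__ == "__main__":
    for line in report(build_sample_tree()):
        print(line)
```

Run it against a real configuration or log directory instead of the sample tree; every hit is a candidate for moving the value into a secrets manager or an encrypted store, and every world-readable hit should also be fixed with chmod regardless.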

MITRE CWE official description
CWE-312: Cleartext Storage of Sensitive Information. Original English text: The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Common consequences (1)
Scope: Confidentiality. Technical impact: Read Application Data.
An attacker with access to the system could read sensitive information stored in cleartext (i.e., unencrypted). Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Mitigations (2)
Phases: Implementation, System Configuration, Operation. When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Phases: Implementation, System Configuration, Operation. In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Code examples (2)
Example 1 (Bad, Java). The following code excerpt stores a plaintext user account ID in a browser cookie. Anyone who can read the cookie jar, a proxy log or a backup of the browser profile learns the account ID, and a user can edit the value to impersonate another account.

    // The account ID travels to the client and is stored there in cleartext.
    response.addCookie(new Cookie("userAccountID", acctID));

Example 2 (Bad, PHP). This code writes a user's login information to a cookie so the user does not have to log in again later. The password itself is persisted on the client in cleartext.

    function persistLogin($username, $password) {
        // Username and password are written to the client in cleartext (CWE-312).
        $data = array("username" => $username, "password" => $password);
        // setcookie() takes a string value, so the array is serialised first.
        setcookie("userdata", json_encode($data));
    }
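Both examples above put the secret itself into the cookie. The following Python is an added example, not part of the page or of MITRE's examples: it reproduces the PHP pattern and shows that anyone holding the cookie recovers the credentials (base64 is an encoding, not encryption), then replaces it with a salted scrypt password hash kept server-side and a cookie that carries only an opaque random session token. USERS and SESSIONS are in-memory dicts standing in for a user table and a session store, and no web framework is assumed.

```python
"""Cleartext credentials in a cookie versus an opaque server-side session.

Added example, not code from the original page or from MITRE's examples.
Assumptions: USERS and SESSIONS are in-memory dicts standing in for a user
table and a server-side session store; no web framework is involved.
"""
import base64
import hashlib
import hmac
import json
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional


# ---- Weak: the PHP persistLogin() pattern, credentials serialised into the cookie ----
def persist_login_cleartext(username: str, password: str) -> str:
    """Return a Set-Cookie value that carries the raw credentials (CWE-312)."""
    payload = json.dumps({"username": username, "password": password})
    cookie = SimpleCookie()
    # base64 is an encoding, not encryption; it only hides the text from a casual glance.
    cookie["userdata"] = base64.b64encode(payload.encode()).decode()
    return cookie.output(header="").strip()


def recover_cleartext(set_cookie: str) -> dict:
    """What anyone holding the cookie (browser profile, proxy log, backup) gets back."""
    cookie = SimpleCookie()
    cookie.load(set_cookie)
    return json.loads(base64.b64decode(cookie["userdata"].value))


# ---- Hardened: salted scrypt verifier on the server, opaque token in the cookie ----
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # about 16 MiB per hash, interactive-login cost


def hash_password(password: str) -> str:
    """Derive a salted verifier; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the verifier and compare in constant time."""
    scheme, salt_b64, digest_b64 = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


USERS: Dict[str, str] = {"alice": hash_password("correct horse battery staple")}  # constructed user table
SESSIONS: Dict[str, str] = {}  # opaque token -> username; never leaves the server


def persist_login_hardened(username: str, password: str) -> Optional[str]:
    """Authenticate and return a Set-Cookie value holding only a random session token."""
    stored = USERS.get(username)
    if stored is None or not verify_password(password, stored):
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits, meaningless without SESSIONS
    SESSIONS[token] = username
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True  # not readable by page scripts
    cookie["session"]["secure"] = True    # only sent over TLS
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="").strip()


def resolve_session(set_cookie: str) -> Optional[str]:
    """Map a presented session cookie back to a username; unknown tokens yield None."""
    cookie = SimpleCookie()
    cookie.load(set_cookie)
    morsel = cookie.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


if __name__ == "__main__":
    weak = persist_login_cleartext("alice", "hunter2")
    print("weak cookie:", weak)
    print("recovered by anyone holding it:", recover_cleartext(weak))
    strong = persist_login_hardened("alice", "correct horse battery staple")
    print("hardened cookie:", strong)
    print("server resolves it to:", resolve_session(strong))
```

The hardened cookie contains nothing an attacker can decode: the token is a lookup key into SESSIONS, so a stolen cookie is useful only until the server deletes that entry, and the stored verifier cannot be turned back into the password.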
| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2019-3753 | Multiple Dell EMC PowerConnect modules credentials management vulnerability | PowerConnect 8024 | 6.5 | - | 2019-08-20 |
| CVE-2019-3937 | Crestron Electronics AM-100 and AM-101 credentials management vulnerability | Crestron AirMedia | 7.8 | - | 2019-04-30 |
| CVE-2014-5433 | Baxter Wireless Battery Module security vulnerability | SIGMA Spectrum Infusion System | 9.8 | - | 2019-03-26 |
| CVE-2015-1012 | Hospira LifeCare PCA Infusion Pump information disclosure vulnerability | LifeCare PCA Infusion System | 7.5 | - | 2019-03-25 |
| CVE-2015-3952 | Multiple Hospira products information disclosure vulnerability | Plum A+ Infusion System | 7.5 | - | 2019-03-25 |
| CVE-2019-6549 | Kunbus PR100088 Modbus credentials management vulnerability | PR100088 Modbus gateway | 6.5 | - | 2019-02-12 |
| CVE-2018-19009 | Pilz PNOZmulti Configurator credentials management vulnerability | Pilz PNOZmulti Configurator | 7.8 | - | 2019-01-25 |
| CVE-2018-10871 | Red Hat 389-ds-base security vulnerability | 389-ds-base | 6.5 | - | 2018-07-18 |
| CVE-2017-2672 | Foreman information disclosure vulnerability | foreman | 8.8 | - | 2018-06-21 |
| CVE-2017-9654 | Philips DoseWise Portal credentials management vulnerability | DoseWise Portal | 9.8 | - | 2018-04-24 |
| CVE-2016-8366 | Phoenix Contact ILC PLC credentials management vulnerability | Phoenix Contact ILC PLCs | 7.3 | - | 2018-04-05 |
| CVE-2017-9663 | General Motors and Shanghai OnStar iOS Client security vulnerability | General Motors and Shanghai OnStar (SOS) iOS Client | 7.5 | - | 2018-01-09 |
| CVE-2017-3214 | Milwaukee ONE-KEY Android mobile application credentials management vulnerability | ONE-KEY | 7.5 | - | 2017-06-20 |

CWE-312 (Cleartext Storage of Sensitive Information) is a common weakness class; this platform has indexed 253 CVE entries associated with it.