Plaintext Storage in a File or on Disk| ID: 313 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
Storing sensitive data in plaintext in a file, or on disk,
makes the data more easily accessible than if encrypted. This significantly
lowers the difficulty of exploitation by attackers.
Applicable PlatformsLanguage Class: All
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Confidentiality | Read application
data | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| | | Secret information should not be stored in plaintext in a file or
disk. Even if heavy fortifications are in place, sensitive data should
be encrypted to prevent the risk of losing confidentiality. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-313 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- The following examples show a portion of properties and
configuration files for Java and ASP.NET applications. The files include
username and password information but they are stored in
plaintext. (Demonstrative Example Id DX-43)
Observed Examples
- CVE-2001-1481 : Plaintext credentials in world-readable file.
- CVE-2005-1828 : Password in cleartext in config file.
- CVE-2005-2209 : Password in cleartext in config file.
- CVE-2002-1696 : Decrypted copy of a message written to disk given a combination of options and when user replies to an encrypted message.
- CVE-2004-2397 : Plaintext storage of private key and passphrase in log file when user imports the key.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | Plaintext Storage in File or on Disk | |
References:None
