Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-312 Base Draft
Cleartext Storage of Sensitive Information
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in…
Definition
What is CWE-312?
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.
Storing sensitive information in cleartext is a fundamental security failure because it removes the primary barrier protecting data at rest. Whether the exposure happens via a database breach, log file leakage, or insecure backups, attackers can immediately read and misuse the information without needing to crack encryption. This flaw directly violates the core security principle of defense in depth and is often the root cause of massive data breaches.
To prevent this, developers must ensure that all sensitive data is encrypted before being written to any storage medium, using strong, standard cryptographic libraries. Additionally, consider minimizing data collection, implementing robust key management, and regularly auditing storage locations—like logs, debug files, and analytics caches—to ensure no sensitive data is accidentally persisted in plain text.
Real-world impact
Real-world CVEs caused by CWE-312
-
Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
-
password and username stored in cleartext in a cookie
-
password stored in cleartext in a file with insecure permissions
-
chat program disables SSL in some circumstances even when the user says to use SSL.
-
Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
-
storage of unencrypted passwords in a database
-
storage of unencrypted passwords in a database
-
product stores a password in cleartext in memory
How attackers exploit it
Step-by-step attacker path
- 1
The following code excerpt stores a plaintext user account ID in a browser cookie.
- 2
Because the account ID is in plaintext, the user's account information is exposed if their computer is compromised by an attacker.
- 3
This code writes a user's login information to a cookie so the user does not have to login again later.
- 4
The code stores the user's username and password in plaintext in a cookie on the user's machine. This exposes the user's login information if their computer is compromised by an attacker. Even if the user's machine is not compromised, this weakness combined with cross-site scripting (CWE-79) could allow an attacker to remotely copy the cookie.
- 5
Also note this example code also exhibits Plaintext Storage in a Cookie (CWE-315).
Vulnerable code example
Vulnerable Java
The following code excerpt stores a plaintext user account ID in a browser cookie.
response.addCookie( new Cookie("userAccountID", acctID); Secure code example
Secure Other
While it was not publicly disclosed how the data was protected after discovery, multiple options could have been considered.
The sensitive information could have been protected by ensuring that the buckets did not have public read access, e.g., by enabling the s3-account-level-public-access-blocks-periodic rule to Block Public Access. In addition, the data could have been encrypted at rest using the appropriate S3 settings, e.g., by enabling server-side encryption using the s3-bucket-server-side-encryption-enabled setting. Other settings are available to further prevent bucket data from being leaked. [REF-1297] What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-312
- Implementation / System Configuration / Operation When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
- Implementation / System Configuration / Operation In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
Detection signals
How to detect CWE-312
Plexicus auto-detects CWE-312 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-312?
How serious is CWE-312?
What languages or platforms are affected by CWE-312?
How can I prevent CWE-312?
How does Plexicus detect and fix CWE-312?
Where can I learn more about CWE-312?
Frequently asked questions
What is CWE-312?
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems.
How serious is CWE-312?
MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.
What languages or platforms are affected by CWE-312?
MITRE lists the following affected platforms: Cloud Computing, ICS/OT, Mobile.
How can I prevent CWE-312?
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301] In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
How does Plexicus detect and fix CWE-312?
Plexicus's SAST engine matches the data-flow signature for CWE-312 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-312?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/312.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-312
CWE-311 Parent
Missing Encryption of Sensitive Data
This vulnerability occurs when an application stores or sends sensitive information without first encrypting it, leaving the data exposed.
CWE-319 Sibling
Cleartext Transmission of Sensitive Information
This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection…
CWE-313 Child
Cleartext Storage in a File or on Disk
This vulnerability occurs when an application writes sensitive data, such as passwords or personal information, directly to a file or disk…
CWE-314 Child
Cleartext Storage in the Registry
This vulnerability occurs when an application saves sensitive data, like passwords or keys, as plain text in the Windows Registry.
CWE-315 Child
Cleartext Storage of Sensitive Information in a Cookie
This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie…
CWE-316 Child
Cleartext Storage of Sensitive Information in Memory
This vulnerability occurs when an application stores sensitive data, such as passwords or encryption keys, in memory without any form of…
CWE-317 Child
Cleartext Storage of Sensitive Information in GUI
This vulnerability occurs when an application stores sensitive data, such as passwords or personal information, in plain text within its…
CWE-318 Child
Cleartext Storage of Sensitive Information in Executable
This vulnerability occurs when an application embeds sensitive information, like passwords or keys, directly within its executable code…
CWE-526 Child
Cleartext Storage of Sensitive Information in an Environment Variable
This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment…
Resources
Further reading
- MITRE — official CWE-312 https://cwe.mitre.org/data/definitions/312.html
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Mobile App Top 10 List https://www.veracode.com/blog/2010/12/mobile-app-top-10-list
- OT:ICEFALL: The legacy of "insecure by design" and its implications for certifications and risk management https://www.forescout.com/resources/ot-icefall-report/
- Over 80 US Municipalities' Sensitive Information, Including Resident's Personal Data, Left Vulnerable in Massive Data Breach https://www.wizcase.com/blog/us-municipality-breach-report/
- 1,000 GB of local government data exposed by Massachusetts software company https://www.zdnet.com/article/1000-gb-of-local-government-data-exposed-by-massachusetts-software-company/
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.