CWE · MITRE source
CWE-311: Missing Encryption of Sensitive Data
The product does not encrypt sensitive or critical information before storage or transmission.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 27 mapping(s) from 10 framework(s): CAPEC 10 (partial) · ATT&CK 8 (mostly) · CSF 2.0 2 (mostly) · STIG windows server 2019 1 (full) · STIG oracle linux 8 1 (mostly) · STIG oracle linux 9 1 (mostly) · STIG rhel 8 1 (mostly) · STIG rhel 9 1 (mostly) · STIG windows server 2016 1 (mostly) · OWASP-Web 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A06:2025 Insecure Design.
NIST 800-53 r5 controls that address this weakness (12) [AI]
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CM-13 | Data Action Mapping | CM | The map highlights data actions that involve sensitive data, enabling identification of missing encryption requirements. |
| CM-6 | Configuration Settings | CM | Settings can require encryption of sensitive data, preventing missing encryption weaknesses. |
| PM-13 | Security and Privacy Workforce | PM | Privacy and security curricula stress encryption requirements, reducing missing encryption of sensitive data. |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Requires encryption and similar controls for CUI processed or stored externally, preventing missing encryption of sensitive data. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Monitoring detects missing encryption of sensitive data in storage or transit configurations. |
| RA-8 | Privacy Impact Assessments | RA | Privacy assessments routinely identify the need for encryption of PII, directly lowering the impact of missing encryption weaknesses. |
| SA-3 | System Development Life Cycle | SA | Privacy and security considerations mandated across the SDLC make identification and protection of sensitive data (including encryption decisions) a required activity rather than an afterthought. |
| SA-9 | External System Services | SA | Privacy and security requirements placed on external providers, together with monitoring, tangibly reduce missing encryption of sensitive data processed or stored by those services. |
| AT-3 | Role-based Training | AT | Privacy and security training stresses encryption of sensitive data, reducing missing encryption weaknesses. |
| CA-3 | Information Exchange | CA | Exchange agreements must document security requirements, which would include encryption to protect sensitive data in transit. |
| PL-8 | Security and Privacy Architectures | PL | Architectures must describe confidentiality protections, which includes mandating encryption for sensitive data in transit and at rest. |
| SC-13 | Cryptographic Protection | SC | Mandates encryption for specified data uses, directly preventing missing encryption of sensitive information. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2017-7406 | 7.0 | 9.8 | 0.0069 | 2017-07-07 |
| CVE-2017-9854 | 7.0 | 9.8 | 0.0113 | 2017-08-05 |
| CVE-2017-9632 | 7.0 | 9.8 | 0.0047 | 2017-08-07 |
| CVE-2018-7498 | 7.0 | 9.8 | 0.0066 | 2018-03-28 |
| CVE-2017-3198 | 7.0 | 9.8 | 0.0160 | 2018-07-09 |
| CVE-2018-17915 | 7.0 | 9.8 | 0.0109 | 2018-10-10 |
| CVE-2018-20100 | 7.0 | 9.8 | 0.0071 | 2019-01-02 |
| CVE-2018-16879 | 7.0 | 9.8 | 0.0111 | 2019-01-03 |
| CVE-2018-10612 | 7.0 | 9.8 | 0.0127 | 2019-01-29 |
| CVE-2019-6526 | 7.0 | 9.8 | 0.0099 | 2019-04-15 |
| CVE-2019-11367 | 7.0 | 9.8 | 0.0282 | 2019-06-03 |
| CVE-2019-11523 | 7.0 | 9.8 | 0.0121 | 2019-06-06 |
| CVE-2018-10698 | 7.0 | 9.8 | 0.0232 | 2019-06-07 |
| CVE-2019-12924 | 7.0 | 9.8 | 0.0090 | 2019-07-08 |
| CVE-2019-3431 | 7.0 | 9.8 | 0.0040 | 2019-12-23 |
| CVE-2020-12032 | 7.0 | 9.1 | 0.0094 | 2020-06-29 |
| CVE-2019-14480 | 7.0 | 9.8 | 0.0112 | 2020-12-16 |
| CVE-2021-27779 | 7.0 | 9.1 | 0.0055 | 2022-05-25 |
| CVE-2020-15331 | 7.0 | 9.8 | 0.0088 | 2022-09-29 |
| CVE-2023-0750 | 7.0 | 9.8 | 0.0045 | 2023-04-06 |
| CVE-2023-38699 | 7.0 | 9.1 | 0.0024 | 2023-08-04 |
| CVE-2023-4420 | 7.0 | 9.8 | 0.0024 | 2023-08-24 |
| CVE-2023-6339 | 7.0 | 10.0 | 0.0018 | 2024-01-02 |
| CVE-2024-29151 (UPD) | 7.0 | 9.1 | 0.0032 | 2024-03-18 |
| CVE-2024-47871 | 7.0 | 9.1 | 0.0017 | 2024-10-10 |