Cyber Resilience

CWE · MITRE source

CWE-312: Cleartext Storage of Sensitive Information

Abstraction: Base · CVEs in our corpus: 808

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
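The weakness in practice, as an added example that is not part of the CWE entry or of any product named on this page: a credential file written verbatim and world-readable (the "resource accessible to another control sphere") beside the hardened form, which keeps only a salted scrypt hash of the password and creates the file 0600 from the start. The usernames, passwords and file names are constructed for the demo; the `audit` helper runs the two checks a reviewer would run against any credential store (is the secret recoverable byte-for-byte from disk, and can group/other read the file).

```python
import hashlib
import hmac
import json
import os
import secrets
import stat
import tempfile

# Constructed sample credential for the demo; not taken from any real system.
USERNAME = "svc-backup"
PASSWORD = "Tr0ub4dor&3"


def store_vulnerable(path: str, username: str, password: str) -> None:
    """CWE-312 pattern: the password is written verbatim, and the file is
    created under umask 022 (simulated here), so it ends up 0644 and any
    local account, a different control sphere, can read it."""
    old_umask = os.umask(0o022)
    try:
        with open(path, "w") as fh:
            json.dump({"user": username, "password": password}, fh)
    finally:
        os.umask(old_umask)


def store_hardened(path: str, username: str, password: str) -> None:
    """Store a salted scrypt hash instead of the password, in a file that is
    created 0600 from the start (no window where it is readable by others)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    record = {"user": username, "kdf": "scrypt", "n": 2**14, "r": 8, "p": 1,
              "salt": salt.hex(), "hash": digest.hex()}
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    os.chmod(path, 0o600)  # the O_CREAT mode is ignored if the file already existed


def verify(path: str, username: str, password: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    with open(path) as fh:
        rec = json.load(fh)
    if rec.get("user") != username or rec.get("kdf") != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(rec["salt"]),
                            n=rec["n"], r=rec["r"], p=rec["p"], dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(rec["hash"]))


def audit(path: str, secret: str) -> dict:
    """Two reviewer checks against a credential store: is the secret present
    verbatim in the bytes on disk, and do the group/other read bits allow
    another local account to read it?"""
    with open(path, "rb") as fh:
        content = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "cleartext": secret.encode() in content,
        "others_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "mode": oct(mode),
    }


def demo() -> dict:
    """Write both variants into a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "creds-cleartext.json")
        good = os.path.join(d, "creds-hashed.json")
        store_vulnerable(bad, USERNAME, PASSWORD)
        store_hardened(good, USERNAME, PASSWORD)
        return {
            "vulnerable": audit(bad, PASSWORD),
            "hardened": audit(good, PASSWORD),
            "verify_ok": verify(good, USERNAME, PASSWORD),
            "verify_wrong": verify(good, USERNAME, "not-the-password"),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing only works for secrets that are verified, never recovered. A secret the program must present to another system (an API token, a database password, a private key) cannot be hashed; for those the fix is to keep the value out of the file altogether (a runtime reference to a secret store) or to encrypt it under a key held elsewhere, which is what the SC-12 and SC-28 mappings below describe. The permission check applies in both cases.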

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 12 mapping(s) from 7 framework(s): ATT&CK 6 (mostly) · STIG oracle linux 8 1 (mostly) · STIG oracle linux 9 1 (mostly) · STIG rhel 8 1 (mostly) · OWASP-Web 1 (mostly) · CAPEC 1 (partial) · ASVS 5.0 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A06:2025 Insecure Design.

NIST 800-53 r5 controls that address this weakness (7) · AI-drafted mapping

Control · Title · Family · Why it addresses this CWE
SC-12 · Cryptographic Key Establishment and Management · SC · Key-management policy requires protected storage of key material, preventing cleartext storage of sensitive cryptographic keys.
SC-28 · Protection of Information at Rest · SC · Requiring confidentiality protection for information at rest eliminates cleartext storage of sensitive data on persistent media.
SC-38 · Operations Security · SC · Reduces cleartext storage of sensitive data when OPSEC identifies and mandates protection of key information artifacts.
CM-13 · Data Action Mapping · CM · Data action mapping can detect storage actions that leave sensitive information in cleartext.
CM-6 · Configuration Settings · CM · Configuration policies can mandate secure storage methods to avoid cleartext storage of sensitive information.
AT-3 · Role-based Training · AT · Training on secure data handling discourages cleartext storage of sensitive information.
MP-1 · Policy and Procedures · MP · Policy requires protection measures such as encryption for sensitive data stored on media, preventing cleartext exposure.
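The CM-13 and CM-6 rows above describe detecting and forbidding stored cleartext secrets; the scanner below is an added example of what such a check looks like in code, and is not part of this page or of NIST's guidance. It walks key=value configuration text (INI, .env or simple YAML), flags values under sensitive key names and values that match known secret formats, skips runtime references such as `${VAR}` that are resolved from elsewhere, and reports a Shannon entropy score to help triage. The sample config, the key-name list and the value patterns are constructed for the demo and are not exhaustive.

```python
import math
import re

# Constructed sample config for the demo; contains no real credentials.
SAMPLE_CONFIG = """\
# app.ini (constructed sample)
[database]
host = db.internal
user = app
password = hunter2

[aws]
region = eu-west-1
id = AKIA000000000EXAMPLE

[smtp]
password = ${SMTP_PASSWORD}

[api]
token = "changeme"
"""

# Key names that normally hold a secret (illustrative list, not exhaustive).
SENSITIVE_KEY = re.compile(
    r"^\s*(?P<key>[\w.-]*?(?:password|passwd|pwd|secret|token|api[_-]?key|"
    r"access[_-]?key|private[_-]?key)[\w.-]*)\s*[=:]\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)
ANY_KV = re.compile(r"^\s*(?P<key>[\w.-]+)\s*[=:]\s*(?P<val>.*?)\s*$")
# Value shapes that are secrets regardless of what the key is called.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Placeholders resolved at runtime: ${VAR}, $VAR, {{ tpl }}, %(interp)s, <fill-in>.
REFERENCE = re.compile(r"\$\{[^}]*\}|\$[A-Za-z_]\w*|\{\{.*?\}\}|%\([^)]*\)s|<[^>]*>")


def shannon_entropy(s: str) -> float:
    """Bits per character; low for dictionary words, high for random tokens."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def unquote(v: str) -> str:
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        return v[1:-1]
    return v


def scan_text(text: str) -> list:
    """Return one finding per line that stores a secret literal in cleartext."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;[":  # comments and section headers
            continue
        m = ANY_KV.match(line)
        if not m:
            continue
        key, val = m.group("key"), unquote(m.group("val"))
        if not val or REFERENCE.fullmatch(val):
            continue  # the value lives elsewhere; nothing is stored here
        reasons = []
        if SENSITIVE_KEY.match(line):
            reasons.append("sensitive key name")
        for name, pat in VALUE_PATTERNS.items():
            if pat.search(val):
                reasons.append(f"value matches {name}")
        if reasons:
            findings.append({
                "line": lineno,
                "key": key,
                "preview": val[:3] + "…",  # never echo the whole secret into a report
                "entropy": round(shannon_entropy(val), 2),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['key']} = {f['preview']} "
              f"(H={f['entropy']}; {', '.join(f['reasons'])})")
```

On the sample the scanner reports lines 5, 9 and 15 and stays silent on the `${SMTP_PASSWORD}` reference. Such a check belongs in a pre-commit hook or CI step alongside the SC-28 question it cannot answer by itself: whether whatever it does find is also readable by a different control sphere.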

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE             KEV  Risk  CVSS  EPSS    Published
CVE-2011-4723   KEV  10.0  5.7   0.0313  2011-12-20
CVE-2022-26148       8.0   9.8   0.5344  2022-03-21
CVE-2023-50719       8.0   7.5   0.8355  2023-12-15
CVE-2001-1481        7.0   9.8   0.0290  2001-12-31
CVE-2008-0174        7.0   9.8   0.0196  2008-01-29
CVE-2017-5249        7.0   9.8   0.0070  2018-02-22
CVE-2017-5250        7.0   9.8   0.0070  2018-02-22
CVE-2018-18394       7.0   9.8   0.0071  2018-10-19
CVE-2018-18641       7.0   9.8   0.0093  2018-12-04
CVE-2014-5433        7.0   9.8   0.0206  2019-03-26
CVE-2019-0285        7.0   9.8   0.0661  2019-04-10
CVE-2019-11384       7.0   9.8   0.0099  2019-04-22
CVE-2019-9823        7.0   9.8   0.0157  2019-07-03
CVE-2019-9873        7.0   9.8   0.0156  2019-07-03
CVE-2019-13096       7.0   9.8   0.0114  2019-07-22
CVE-2019-19228       7.0   9.8   0.0190  2019-12-04
CVE-2020-5723        7.0   9.8   0.0570  2020-03-30
CVE-2019-18868       7.0   9.8   0.0084  2020-05-07
CVE-2020-9045        7.0   9.9   0.0099  2020-05-21
CVE-2020-12032       7.0   9.1   0.0094  2020-06-29
CVE-2021-29954       7.0   9.8   0.0064  2021-06-24
CVE-2022-25158       7.0   9.1   0.0132  2022-04-01
CVE-2021-36782       7.0   9.9   0.0293  2022-09-07
CVE-2020-15332       7.0   9.8   0.0088  2022-09-29
CVE-2022-43757       7.0   9.9   0.0055  2023-02-07