CWE-319: Cleartext Transmission of Sensitive Information

Abstraction: Base · CVEs in our corpus: 892

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: full · 6 mapping(s) from 3 framework(s): CAPEC 4 (partial) · OWASP-Web 1 (full) · ATT&CK 1 (mostly)

OWASP Top 10 for Web (2025)

This weakness contributes to A04:2025 Cryptographic Failures.

NIST 800-53 r5 controls that address this weakness (15) · AI

The 10 most specific controls are shown first. Generic controls that address many weakness types are listed separately below them.

| Control | Title | Family | Why it addresses this CWE |
| --- | --- | --- | --- |
| SC-12 | Cryptographic Key Establishment and Management | SC | Key-establishment procedures specify secure distribution channels that preclude cleartext transmission of key material. |
| SC-13 | Cryptographic Protection | SC | Requires cryptography for transmission uses, eliminating cleartext exposure of sensitive data in transit. |
| SC-19 | Voice Over Internet Protocol | SC | Usage restrictions and technology-specific guidance routinely mandate encryption (SRTP, TLS) for voice streams that carry sensitive information. |
| CM-13 | Data Action Mapping | CM | Mapping transmission actions in data flows helps prevent cleartext transmission of sensitive information. |
| CM-6 | Configuration Settings | CM | Settings can enforce secure transmission protocols to prevent cleartext transmission of sensitive data. |
| AT-3 | Role-based Training | AT | Role-based training covers secure transmission methods, mitigating cleartext transmission of sensitive data. |
| CA-3 | Information Exchange | CA | By requiring documented security controls for information exchanges, the control reduces the risk of cleartext transmission of sensitive data. |
| MP-1 | Policy and Procedures | MP | Policy addresses secure transport and handling of media to avoid cleartext transmission of sensitive information. |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Enforces safeguards against cleartext transmission of CUI when data leaves organizational boundaries to external systems. |
| SA-9 | External System Services | SA | Explicit controls and continuous oversight on external system services prevent cleartext transmission of sensitive information over provider-managed channels. |

5 more broadly-applicable controls:

| Control | Title | Family | Why it addresses this CWE |
| --- | --- | --- | --- |
| SC-23 | Session Authenticity | SC | Eliminates cleartext exposure of session identifiers or tokens that would allow hijacking. |
| SC-37 | Out-of-band Channels | SC | Sensitive values are moved off the primary channel, avoiding cleartext transmission risks associated with that channel. |
| SC-40 | Wireless Link Protection | SC | Mandates cryptographic protection of the wireless medium, eliminating cleartext transmission of sensitive information over the air. |
| SC-8 | Transmission Confidentiality and Integrity | SC | The control explicitly requires confidentiality protection for transmitted information, preventing cleartext exposure of sensitive data. |
| SC-9 | Transmission Confidentiality | SC | Directly prevents cleartext transmission of sensitive information by requiring encryption or equivalent confidentiality protections during transit. |

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
| --- | --- | --- | --- | --- |
| CVE-2018-12710 | 8.0 | 8.0 | 0.7651 | 2018-08-29 |
| CVE-2024-25735 (UPD) | 8.0 | 9.1 | 0.5062 | 2024-03-27 |
| CVE-2015-0987 | 7.0 | 10.0 | 0.0116 | 2015-10-06 |
| CVE-2017-15999 | 7.0 | 9.8 | 0.0069 | 2017-10-29 |
| CVE-2018-6017 | 7.0 | 9.1 | 0.0099 | 2018-01-24 |
| CVE-2018-6018 | 7.0 | 9.1 | 0.0099 | 2018-01-24 |
| CVE-2018-1297 | 7.0 | 9.8 | 0.1010 | 2018-02-13 |
| CVE-2018-7259 | 7.0 | 9.8 | 0.0101 | 2018-02-20 |
| CVE-2018-6295 | 7.0 | 9.8 | 0.0075 | 2018-03-13 |
| CVE-2018-7246 | 7.0 | 9.8 | 0.0085 | 2018-04-18 |
| CVE-2016-5649 | 7.0 | 9.8 | 0.2722 | 2018-07-24 |
| CVE-2018-8855 | 7.0 | 9.8 | 0.0083 | 2018-07-24 |
| CVE-2018-11749 | 7.0 | 9.8 | 0.0076 | 2018-08-24 |
| CVE-2018-5401 | 7.0 | 9.1 | 0.0087 | 2018-10-08 |
| CVE-2018-5402 | 7.0 | 9.1 | 0.0088 | 2018-10-08 |
| CVE-2019-6526 | 7.0 | 9.8 | 0.0099 | 2019-04-15 |
| CVE-2019-3793 | 7.0 | 9.8 | 0.0105 | 2019-04-24 |
| CVE-2019-3801 | 7.0 | 9.8 | 0.0059 | 2019-04-25 |
| CVE-2018-11421 | 7.0 | 9.8 | 0.0091 | 2019-07-03 |
| CVE-2018-11422 | 7.0 | 9.8 | 0.0102 | 2019-07-03 |
| CVE-2019-5505 | 7.0 | 9.8 | 0.0084 | 2019-09-24 |
| CVE-2019-17218 | 7.0 | 9.1 | 0.0067 | 2019-10-06 |
| CVE-2019-17393 | 7.0 | 9.8 | 0.0184 | 2019-10-18 |
| CVE-2019-18852 | 7.0 | 9.8 | 0.0154 | 2019-11-11 |
| CVE-2019-12503 | 7.0 | 9.8 | 0.0200 | 2019-12-02 |