CWE · MITRE source
CWE-319: Cleartext Transmission of Sensitive Information
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 6 mapping(s) from 3 framework(s): CAPEC 4 (partial) · OWASP-Web 1 (full) · ATT&CK 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A04:2025 Cryptographic Failures.
NIST 800-53 r5 controls that address this weakness (15) [AI]
Showing the 10 most specific. Generic controls that address many weakness types are collapsed below.
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-12 | Cryptographic Key Establishment and Management | SC | Key-establishment procedures specify secure distribution channels that preclude cleartext transmission of key material. |
| SC-13 | Cryptographic Protection | SC | Requires cryptography for transmission uses, eliminating cleartext exposure of sensitive data in transit. |
| SC-19 | Voice Over Internet Protocol | SC | Usage restrictions and technology-specific guidance routinely mandate encryption (SRTP, TLS) for voice streams that carry sensitive information. |
| CM-13 | Data Action Mapping | CM | Mapping transmission actions in data flows helps prevent cleartext transmission of sensitive information. |
| CM-6 | Configuration Settings | CM | Settings can enforce secure transmission protocols to prevent cleartext transmission of sensitive data. |
| AT-3 | Role-based Training | AT | Role-based training covers secure transmission methods, mitigating cleartext transmission of sensitive data. |
| CA-3 | Information Exchange | CA | By requiring documented security controls for information exchanges, the control reduces the risk of cleartext transmission of sensitive data. |
| MP-1 | Policy and Procedures | MP | Policy addresses secure transport and handling of media to avoid cleartext transmission of sensitive information. |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Enforces safeguards against cleartext transmission of CUI when data leaves organizational boundaries to external systems. |
| SA-9 | External System Services | SA | Explicit controls and continuous oversight on external system services prevent cleartext transmission of sensitive information over provider-managed channels. |
5 more broadly-applicable controls:
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-23 | Session Authenticity | SC | Eliminates cleartext exposure of session identifiers or tokens that would allow hijacking. |
| SC-37 | Out-of-band Channels | SC | Sensitive values are moved off the primary channel, avoiding cleartext transmission risks associated with that channel. |
| SC-40 | Wireless Link Protection | SC | Mandates cryptographic protection of the wireless medium, eliminating cleartext transmission of sensitive information over the air. |
| SC-8 | Transmission Confidentiality and Integrity | SC | The control explicitly requires confidentiality protection for transmitted information, preventing cleartext exposure of sensitive data. |
| SC-9 | Transmission Confidentiality | SC | Directly prevents cleartext transmission of sensitive information by requiring encryption or equivalent confidentiality protections during transit. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2018-12710 | 8.0 | 8.0 | 0.7651 | 2018-08-29 |
| CVE-2024-25735 UPD | 8.0 | 9.1 | 0.5062 | 2024-03-27 |
| CVE-2015-0987 | 7.0 | 10.0 | 0.0116 | 2015-10-06 |
| CVE-2017-15999 | 7.0 | 9.8 | 0.0069 | 2017-10-29 |
| CVE-2018-6017 | 7.0 | 9.1 | 0.0099 | 2018-01-24 |
| CVE-2018-6018 | 7.0 | 9.1 | 0.0099 | 2018-01-24 |
| CVE-2018-1297 | 7.0 | 9.8 | 0.1010 | 2018-02-13 |
| CVE-2018-7259 | 7.0 | 9.8 | 0.0101 | 2018-02-20 |
| CVE-2018-6295 | 7.0 | 9.8 | 0.0075 | 2018-03-13 |
| CVE-2018-7246 | 7.0 | 9.8 | 0.0085 | 2018-04-18 |
| CVE-2016-5649 | 7.0 | 9.8 | 0.2722 | 2018-07-24 |
| CVE-2018-8855 | 7.0 | 9.8 | 0.0083 | 2018-07-24 |
| CVE-2018-11749 | 7.0 | 9.8 | 0.0076 | 2018-08-24 |
| CVE-2018-5401 | 7.0 | 9.1 | 0.0087 | 2018-10-08 |
| CVE-2018-5402 | 7.0 | 9.1 | 0.0088 | 2018-10-08 |
| CVE-2019-6526 | 7.0 | 9.8 | 0.0099 | 2019-04-15 |
| CVE-2019-3793 | 7.0 | 9.8 | 0.0105 | 2019-04-24 |
| CVE-2019-3801 | 7.0 | 9.8 | 0.0059 | 2019-04-25 |
| CVE-2018-11421 | 7.0 | 9.8 | 0.0091 | 2019-07-03 |
| CVE-2018-11422 | 7.0 | 9.8 | 0.0102 | 2019-07-03 |
| CVE-2019-5505 | 7.0 | 9.8 | 0.0084 | 2019-09-24 |
| CVE-2019-17218 | 7.0 | 9.1 | 0.0067 | 2019-10-06 |
| CVE-2019-17393 | 7.0 | 9.8 | 0.0184 | 2019-10-18 |
| CVE-2019-18852 | 7.0 | 9.8 | 0.0154 | 2019-11-11 |
| CVE-2019-12503 | 7.0 | 9.8 | 0.0200 | 2019-12-02 |