CWE · MITRE source
CWE-922: Insecure Storage of Sensitive Information
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: mostly · 9 mapping(s) from 4 framework(s): ATT&CK 5 (mostly) · STIG windows server 2016 2 (partial) · OWASP-Web 1 (mostly) · STIG windows server 2019 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A01:2025 Broken Access Control.
NIST 800-53 r5 controls that address this weakness (8)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CP-6 | Alternate Storage Site | CP | Establishing an alternate site with equivalent protections directly mitigates insecure storage of sensitive backup information. |
| CP-9 | System Backup | CP | Requiring protection of backup information directly addresses insecure storage of sensitive data in backups. |
| CM-12 | Information Location | CM | Tracking information locations and access supports secure storage practices instead of insecure ones. |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Policy explicitly addresses insecure storage of CUI on external systems, requiring compliant handling and protections. |
| RA-2 | Security Categorization | RA | Proper categorization drives selection of storage controls that keep sensitive information from being stored insecurely. |
| SC-28 | Protection of Information at Rest | SC | The control explicitly requires secure storage mechanisms for sensitive information, closing the insecure-storage weakness class. |
| SI-23 | Information Fragmentation | SI | Storing information as fragments on distinct components is an architectural control that avoids insecure single-location storage of the complete sensitive data set. |
| SR-7 | Supply Chain Operations Security | SR | OPSEC requirements improve handling and storage practices for sensitive supply-chain information. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-13937 | 8.0 | 5.3 | 0.7881 | 2020-10-19 |
| CVE-2017-5249 | 7.0 | 9.8 | 0.0070 | 2018-02-22 |
| CVE-2017-5250 | 7.0 | 9.8 | 0.0070 | 2018-02-22 |
| CVE-2020-8481 | 7.0 | 9.8 | 0.0181 | 2020-04-29 |
| CVE-2021-27170 | 7.0 | 9.8 | 0.1595 | 2021-02-10 |
| CVE-2021-28813 | 7.0 | 9.6 | 0.0106 | 2021-09-10 |
| CVE-2021-42371 | 7.0 | 9.8 | 0.0151 | 2021-11-08 |
| CVE-2023-29727 | 7.0 | 9.8 | 0.0121 | 2023-05-30 |
| CVE-2024-7569 | 7.0 | 9.6 | 0.0164 | 2024-08-13 |
| CVE-2023-32191 | 7.0 | 9.9 | 0.0064 | 2024-10-16 |
| CVE-2024-10943 | 7.0 | 9.1 | 0.0048 | 2024-11-12 |
| CVE-2024-30896 | 7.0 | 9.1 | 0.0517 | 2024-11-21 |
| CVE-2024-4995 | 7.0 | 9.8 | 0.0091 | 2024-12-18 |
| CVE-2024-53931 | 7.0 | 9.1 | 0.0034 | 2025-01-06 |
| CVE-2024-53932 | 7.0 | 9.1 | 0.0034 | 2025-01-06 |
| CVE-2025-8699 | 7.0 | 9.1 | 0.0071 | 2025-09-12 |
| CVE-2025-12539 | 7.0 | 10.0 | 0.0095 | 2025-11-11 |
| CVE-2026-33407 | 7.0 | 9.1 | 0.0037 | 2026-03-24 |
| CVE-2018-25031 | 6.0 | 4.3 | 0.4233 | 2022-03-11 |
| CVE-2023-41723 | 6.0 | 4.3 | 0.1232 | 2023-11-07 |
| CVE-2017-7253 | 5.5 | 8.8 | 0.0230 | 2017-03-30 |
| CVE-2019-5625 | 5.5 | 7.1 | 0.0041 | 2019-05-22 |
| CVE-2019-5626 | 5.5 | 7.8 | 0.0035 | 2019-05-22 |
| CVE-2019-5627 | 5.5 | 7.8 | 0.0035 | 2019-05-22 |
| CVE-2019-12911 | 5.5 | 7.5 | 0.0122 | 2019-07-17 |