Cyber Resilience

CWE · MITRE source

CWE-922 Insecure Storage of Sensitive Information

Abstraction: Class · CVEs in our corpus: 373

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 9 mapping(s) from 4 framework(s): ATT&CK 5 (mostly) · STIG windows server 2016 2 (partial) · OWASP-Web 1 (mostly) · STIG windows server 2019 1 (partial)


OWASP Top 10 for Web (2025)

This weakness contributes to A01:2025 Broken Access Control.

NIST 800-53 r5 controls that address this weakness (8)

| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CP-6 | Alternate Storage Site | CP | Establishing an alternate site with equivalent protections directly mitigates insecure storage of sensitive backup information. |
| CP-9 | System Backup | CP | Requiring protection of backup information directly addresses insecure storage of sensitive data in backups. |
| CM-12 | Information Location | CM | Tracking information locations and access supports secure storage practices instead of insecure ones. |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Policy explicitly addresses insecure storage of CUI on external systems, requiring compliant handling and protections. |
| RA-2 | Security Categorization | RA | Proper categorization drives selection of storage controls that keep sensitive information from being stored insecurely. |
| SC-28 | Protection of Information at Rest | SC | The control explicitly requires secure storage mechanisms for sensitive information, closing the insecure-storage weakness class. |
| SI-23 | Information Fragmentation | SI | Storing information as fragments on distinct components is an architectural control that avoids insecure single-location storage of the complete sensitive data set. |
| SR-7 | Supply Chain Operations Security | SR | OPSEC requirements improve handling and storage practices for sensitive supply-chain information. |

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-13937 | 8.0 | 5.3 | 0.7881 | 2020-10-19 |
| CVE-2017-5249 | 7.0 | 9.8 | 0.0070 | 2018-02-22 |
| CVE-2017-5250 | 7.0 | 9.8 | 0.0070 | 2018-02-22 |
| CVE-2020-8481 | 7.0 | 9.8 | 0.0181 | 2020-04-29 |
| CVE-2021-27170 | 7.0 | 9.8 | 0.1595 | 2021-02-10 |
| CVE-2021-28813 | 7.0 | 9.6 | 0.0106 | 2021-09-10 |
| CVE-2021-42371 | 7.0 | 9.8 | 0.0151 | 2021-11-08 |
| CVE-2023-29727 | 7.0 | 9.8 | 0.0121 | 2023-05-30 |
| CVE-2024-7569 | 7.0 | 9.6 | 0.0164 | 2024-08-13 |
| CVE-2023-32191 | 7.0 | 9.9 | 0.0064 | 2024-10-16 |
| CVE-2024-10943 | 7.0 | 9.1 | 0.0048 | 2024-11-12 |
| CVE-2024-30896 | 7.0 | 9.1 | 0.0517 | 2024-11-21 |
| CVE-2024-4995 | 7.0 | 9.8 | 0.0091 | 2024-12-18 |
| CVE-2024-53931 | 7.0 | 9.1 | 0.0034 | 2025-01-06 |
| CVE-2024-53932 | 7.0 | 9.1 | 0.0034 | 2025-01-06 |
| CVE-2025-8699 | 7.0 | 9.1 | 0.0071 | 2025-09-12 |
| CVE-2025-12539 | 7.0 | 10.0 | 0.0095 | 2025-11-11 |
| CVE-2026-33407 | 7.0 | 9.1 | 0.0037 | 2026-03-24 |
| CVE-2018-25031 | 6.0 | 4.3 | 0.4233 | 2022-03-11 |
| CVE-2023-41723 | 6.0 | 4.3 | 0.1232 | 2023-11-07 |
| CVE-2017-7253 | 5.5 | 8.8 | 0.0230 | 2017-03-30 |
| CVE-2019-5625 | 5.5 | 7.1 | 0.0041 | 2019-05-22 |
| CVE-2019-5626 | 5.5 | 7.8 | 0.0035 | 2019-05-22 |
| CVE-2019-5627 | 5.5 | 7.8 | 0.0035 | 2019-05-22 |
| CVE-2019-12911 | 5.5 | 7.5 | 0.0122 | 2019-07-17 |