CWE-316 在内存中的明文存储

Cleartext Storage of Sensitive Information in Memory

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: unkown


The application stores sensitive information in cleartext in memory.


The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the application crashes, or if the programmer does not properly clear the memory before freeing it.

It could be argued that such problems are usually only exploitable by those with administrator privileges. However, swapping could cause the memory to be written to disk and leave it accessible to physical attack afterwards. Core dump files might have insecure permissions or be stored in archive files that are accessible to untrusted people. Or, uncleared sensitive memory might be inadvertently exposed to attackers due to another weakness.


  • cwe_Nature: ChildOf cwe_CWE_ID: 312 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 312 cwe_View_ID: 699 cwe_Ordinal: Primary


Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}


范围 影响 注释
Confidentiality Read Memory


标识 说明 链接
CVE-2001-1517 Sensitive authentication information in cleartext in memory.
BID:10155 Sensitive authentication information in cleartext in memory.
CVE-2001-0984 Password protector leaves passwords in memory when window is minimized, even when "clear password when minimized" is set.
CVE-2003-0291 SSH client does not clear credentials from memory.


Relationship This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory. Terminology Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).


映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Plaintext Storage in Memory
Software Fault Patterns SFP23 Exposed Data