Insecure Storage of Sensitive Information

Status: Incomplete
Abstraction: Class
Structure: Simple
Description

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

Extended Description

If read access is not properly restricted, attackers can steal the sensitive information. If write access is not properly restricted, attackers can modify or delete the data, causing incorrect results and possibly a denial of service. Restricting access is a separate control from encrypting the content: access control bounds who can read, write, or remove the stored record, whereas encryption only limits what a reader learns from it.
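The following is an added example, not code from the CWE entry or from any product it references. It contrasts the weakness (a credentials file left readable and writable by other local users) with a hardened store that creates the file owner-only, refuses to follow a symlink or clobber an existing file, and verifies the resulting mode. The audit function reports the two unrestricted-access conditions that map to the entry's Confidentiality and Integrity consequences, plus a writable parent directory, which lets an attacker replace the file even when the file itself is locked down. The file names, the sample credential string and the explicit 0666 mode are constructed for the demonstration; the check is POSIX-specific.

```python
import os
import stat
import tempfile


def store_insecure(path: str, secret: str) -> None:
    """Weak pattern: the record is written with whatever mode the process
    umask yields. A lax umask of 000 produces 0666, so any local user can
    both read and overwrite the secret. The chmod makes that explicit so the
    example does not depend on the caller's umask (constructed for the demo)."""
    with open(path, "w") as f:
        f.write(secret)
    os.chmod(path, 0o666)


def store_secure(path: str, secret: str) -> None:
    """Hardened pattern: create the file owner-read/write only, fail if it
    already exists (no clobbering, no following a planted symlink), force the
    mode regardless of umask, then verify before writing anything sensitive."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.fchmod(fd, 0o600)
        if stat.S_IMODE(os.fstat(fd).st_mode) & 0o077:
            raise PermissionError(f"{path} would be accessible to other users")
        os.write(fd, secret.encode())
    finally:
        os.close(fd)


def audit(path: str) -> list:
    """Report which access the storage mechanism leaves unrestricted.
    Returns one finding per unrestricted condition; an empty list is clean."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/others: sensitive data can be stolen")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/others: data can be modified or deleted")
    # A writable parent directory lets an attacker unlink or replace the file
    # even if the file mode is strict; the sticky bit (as on /tmp) blocks that.
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        findings.append("parent directory writable by others: file can be replaced")
    return findings


def demo() -> dict:
    """Write the same constructed secret both ways and audit each file."""
    with tempfile.TemporaryDirectory() as d:  # created 0700, so the parent is clean
        weak = os.path.join(d, "creds.txt")
        strong = os.path.join(d, "creds.secure")
        secret = "user=alice;password=hunter2\n"  # constructed sample record
        store_insecure(weak, secret)
        store_secure(strong, secret)
        return {
            "insecure": audit(weak),
            "secure": audit(strong),
            "secure_mode": stat.S_IMODE(os.stat(strong).st_mode),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Note what the audit does not check: encrypting the record would silence nothing here. The "writable by group/others" finding stands regardless of content, which is the point the entry's Relationship note makes about encryption not preventing erasure or overwrite.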

Common Consequences
Scope: Confidentiality

Impact: Read Application Data; Read Files or Directories

Attackers can read sensitive information by accessing the unrestricted storage mechanism.

Scope: Integrity

Impact: Modify Application Data; Modify Files or Directories

Attackers can overwrite or delete sensitive information by accessing the unrestricted storage mechanism.

Detection Methods
Automated Static Analysis
Effectiveness: High
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Observed Examples
CVE-2009-2272: password and username stored in cleartext in a cookie
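The observed example is the client-side form of this weakness: the credentials themselves are placed in a cookie, a store the user agent, any proxy and any script on the page can read. The code below is an added illustration, not the affected product's code: the weak handler builds that cookie, and the hardened one keeps the sensitive mapping server-side and hands the client only an unguessable opaque reference with HttpOnly, Secure and SameSite set. The in-memory session table and the sample user name and password are constructed for the demonstration.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

# Constructed server-side session table (assumption: in-memory, single process).
SESSIONS = {}


def insecure_login_cookie(username: str, password: str) -> str:
    """Weak pattern from the observed example: the credentials are the cookie
    value, so anyone able to read the cookie jar, a proxy log or a non-TLS hop
    learns the password directly. Returns the Set-Cookie header value."""
    c = SimpleCookie()
    c["auth"] = f"{username}:{password}"
    return c.output(header="").strip()


def secure_login_cookie(username: str) -> Tuple[str, str]:
    """Hardened pattern: the cookie carries only a random opaque identifier;
    the username (and any other sensitive state) stays on the server.
    Returns (Set-Cookie header value, session id)."""
    sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    SESSIONS[sid] = username
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True          # not readable by page scripts
    c["session"]["secure"] = True            # only sent over TLS
    c["session"]["samesite"] = "Strict"      # not attached to cross-site requests
    c["session"]["path"] = "/"
    return c.output(header="").strip(), sid


def user_for_cookie(cookie_header: str) -> Optional[str]:
    """Resolve a request's Cookie header to a user; unknown ids yield None."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


def demo() -> dict:
    """Build both cookies for a constructed login and compare what they expose."""
    weak = insecure_login_cookie("alice", "hunter2")
    strong, sid = secure_login_cookie("alice")
    return {
        "weak_cookie": weak,
        "strong_cookie": strong,
        "password_in_weak": "hunter2" in weak,
        "password_in_strong": "hunter2" in strong,
        "resolved_user": user_for_cookie(f"session={sid}; theme=dark"),
        "forged_rejected": user_for_cookie("session=forged-id") is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The opaque identifier is still sensitive (it is a bearer credential for the session), which is why the flags matter and why it should be invalidated on logout; the difference is that its compromise does not reveal the password and it can be revoked server-side.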
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
System Configuration
Notes
Relationship: There is an overlapping relationship between insecure storage of sensitive information (this entry) and missing encryption of sensitive information (Missing Encryption of Sensitive Data). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data are compromised before any such audit takes place.
Maintenance: This is a high-level entry that includes children from various parts of the CWE research view (Research Concepts). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.