CWE-319 - Cleartext Transmission of Sensitive Information

CWE ID:

CWE-319

High

Abstraction:Base
Structure:Simple
Status:Draft

Release Date:2006-07-19
Latest Modification Date:2025-04-03

Weakness Name

Cleartext Transmission of Sensitive Information

Description

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Common Consequences

Scope: Integrity, Confidentiality

Impact: Read Application Data, Modify Files or Directories

Notes: Anyone can read the information by gaining access to the channel being used for communication. Many communication channels can be "sniffed" (monitored) by adversaries during data transmission. For example, in networking, packets can traverse many intermediary nodes from the source to the destination, whether across the internet, an internal network, the cloud, etc. Some actors might have privileged access to a network interface or any link along the channel, such as a router, but they might not be authorized to collect the underlying data. As a result, network traffic could be sniffed by adversaries, spilling security-critical data.

Scope: Integrity, Confidentiality

Impact: Read Application Data, Modify Files or Directories, Other

Notes: When full communications are recorded or logged, such as with a packet dump, an adversary could attempt to obtain the dump long after the transmission has occurred and try to "sniff" the cleartext from the recorded communications in the dump itself. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.