Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

Vulnerability Intelligence

Customers

CWE-922: Insecure Storage of Sensitive Information | Mondoo Vulnerability Intelligence

CWE-922

ClassIncomplete

View on MITRE

Insecure Storage of Sensitive Information

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

98 linked vulnerabilities

1 related weaknesses

Extended Description

If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.

Confidentiality

Read Application Data

Read Files or Directories

Attackers can read sensitive information by accessing the unrestricted storage mechanism.

Integrity

Modify Application Data

Modify Files or Directories

Attackers can overwrite sensitive information by accessing the unrestricted storage mechanism.

Automated Static Analysis

Effectiveness: High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Modes of Introduction

Architecture and Design

Implementation

System Configuration

Related Weaknesses

CWE-664ChildOf

Example CVEs (1)

CVE-2009-2272

password and username stored in cleartext in a cookie

External Links

MITRE CWE Database