CWE-319
Cleartext Transmission of Sensitive Information
AI Translation Available
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Status
draft
Abstraction
base
Likelihood
high
Affected Platforms
Cloud Computing
ICS/OT
Mobile
Not Technology-Specific
System on Chip
Test/Debug Hardware
Technical Details
AI Translation
Common Consequences
integrity
confidentiality
Impacts
read application data
modify files or directories
other
Detection Methods
black box
automated static analysis
Potential Mitigations
Phases:
architecture and design
implementation
testing
operation
Descriptions:
•
Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
•
When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
•
Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
•
When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
•
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.