Byte Open Security (ByteOS Network)

CWE-317: Cleartext Storage of Sensitive Information in GUI
Weakness ID: 317
Version: v4.17
Weakness Name: Cleartext Storage of Sensitive Information in GUI
Vulnerability Mapping: Allowed
Abstraction: Variant
Structure: Simple
Status: Draft
Likelihood of Exploit:
▼Description

The product stores sensitive information in cleartext within the GUI.

▼Extended Description

An attacker can often obtain data from a GUI, even if it is hidden, by using an API to directly access GUI objects such as windows and menus. Even if the information is encoded in a way that is not human-readable, certain techniques can determine which encoding is being used and then decode the information.

▼Alternate Terms
▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature   Mapping  Type  ID   Name
ChildOf  Allowed  Base  312  Cleartext Storage of Sensitive Information
▼Memberships
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  963   SFP Secondary Cluster: Exposed Data
MemberOf  Prohibited  Category  1013  Encrypt Data
MemberOf  Prohibited  Category  1402  Comprehensive Categorization: Encryption
▼Tags
Nature    Mapping     Type      ID        Name
MemberOf  Prohibited  BOSSView  BOSS-294  Not Language-Specific Weaknesses
MemberOf  Prohibited  BOSSView  BOSS-296  Windows (os class) Weaknesses
MemberOf  Prohibited  BOSSView  BOSS-323  Read Memory (impact)
MemberOf  Prohibited  BOSSView  BOSS-328  Read Application Data (impact)
▼Relevant To View
Relevant to the view "Architectural Concepts - (1008)"
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  1013  Encrypt Data
Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature    Mapping     Type      ID   Name
MemberOf  Prohibited  Category  963  SFP Secondary Cluster: Exposed Data
▼Background Detail

▼Common Consequences
Scope            Likelihood  Impact                              Note
Confidentiality  N/A         Read Memory, Read Application Data  N/A
▼Potential Mitigations
▼Modes Of Introduction
Phase: Architecture and Design
Note:

OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
Operating System
Class: Windows (Sometimes Prevalence)
▼Demonstrative Examples
▼Observed Examples
Reference      Description
CVE-2002-1848  Unencrypted passwords stored in GUI dialog may allow local users to access the passwords.
▼Affected Resources
▼Functional Areas
▼Weakness Ordinalities
Ordinality  Description
▼Detection Methods
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Suggestions:
▼Notes
Terminology

Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).

▼Taxonomy Mappings
Taxonomy Name            Entry ID  Fit  Entry Name
PLOVER                   N/A       N/A  Plaintext Storage in GUI
Software Fault Patterns  SFP23     N/A  Exposed Data
▼Related Attack Patterns
ID  Name
▼References
Details not found