LIVE NEWSROOM · --:-- · May 25, 2026
A LIBRARY FOR SECURITY RESEARCHERS

CWE WEAKNESSES  /  CWE-319

CWE-319

Cleartext Transmission of Sensitive Information

Base EXPLOIT LIKELIHOOD: HIGH

What it is

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Impact

Integrity, ConfidentialityRead Application Data, Modify Files or Directories
Integrity, ConfidentialityRead Application Data, Modify Files or Directories, Other

Mitigations

  • [Architecture and Design] Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
  • [Implementation] When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
  • [Implementation] When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
  • [Testing] Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
  • [Operation] Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.

Real-world CVE examples

  • CVE-2022-29519 — Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.
  • CVE-2022-30312 — Building Controller uses a protocol that transmits authentication credentials in plaintext.
  • CVE-2022-31204 — Programmable Logic Controller (PLC) sends password in plaintext.
  • CVE-2002-1949 — Passwords transmitted in cleartext.
  • CVE-2008-4122 — Chain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP.
  • CVE-2008-3289 — Product sends password hash in cleartext in violation of intended policy.
  • CVE-2008-4390 — Remote management feature sends sensitive information including passwords in cleartext.
  • CVE-2007-5626 — Backup routine sends password in cleartext in email.
  • CVE-2004-1852 — Product transmits Blowfish encryption key in cleartext.
  • CVE-2008-0374 — Printer sends configuration information, including administrative password, in cleartext.
  • CVE-2007-4961 — Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294).
  • CVE-2007-4786 — Product sends passwords in cleartext to a log server.

Related weaknesses

Test & detect

Browse all common weaknesses, check related exploited CVEs, or map to ATT&CK techniques.

Source: MITRE CWE. View on cwe.mitre.org →

Scroll to Top