Detalle CWE-311

CWE-311

Missing Encryption of Sensitive Data
Alto
Draft
2006-07-19
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notificaciones para un CWE
Manténgase informado sobre cualquier cambio en un CWE específico.
Gestionar notificaciones

Nombre: Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

Informaciones generales

Modos de introducción

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Operation

Plataformas aplicables

Lenguaje

Class: Not Language-Specific (Undetermined)

Consecuencias comunes

Alcance Impacto Probabilidad
ConfidentialityRead Application Data

Note: If the application does not use a secure channel, such as SSL, to exchange sensitive information, it is possible for an attacker with access to the network traffic to sniff packets from the connection and uncover the data. This attack is not technically difficult, but does require physical access to some portion of the network over which the sensitive data travels. This access is usually somewhere near where the user is connected to the network (such as a colleague on the company network) but can be anywhere along the path from the user to the end server.
Confidentiality
Integrity		Modify Application Data

Note: Omitting the use of encryption in any program which transfers data over a network of any kind should be considered on par with delivering the data sent to each user on the local networks of both the sender and receiver. Worse, this omission allows for the injection of data into a stream of communication between two parties -- with no means for the victims to separate valid data from invalid. In this day of widespread network attacks and password collection sniffers, it is an unnecessary risk to omit encryption from the design of any system which might benefit from it.

Ejemplos observados

Referencias Descripción

CVE-2022-26390

wireless battery product stores credentials and Personal Health Information (PHI) without encryption

CVE-2009-2272

password and username stored in cleartext in a cookie

CVE-2009-1466

password stored in cleartext in a file with insecure permissions

CVE-2009-0152

chat program disables SSL in some circumstances even when the user says to use SSL.

CVE-2009-1603

Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption

CVE-2009-0964

storage of unencrypted passwords in a database

CVE-2008-6157

storage of unencrypted passwords in a database

CVE-2008-6828

product stores a password in cleartext in memory

CVE-2008-1567

storage of a secret key in cleartext in a temporary file

CVE-2008-0174

SCADA product uses HTTP Basic Authentication, which is not encrypted

CVE-2007-5778

login credentials stored unencrypted in a registry key

CVE-2002-1949

Passwords transmitted in cleartext.

CVE-2008-4122

Chain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP.

CVE-2008-3289

Product sends password hash in cleartext in violation of intended policy.

CVE-2008-4390

Remote management feature sends sensitive information including passwords in cleartext.

CVE-2007-5626

Backup routine sends password in cleartext in email.

CVE-2004-1852

Product transmits Blowfish encryption key in cleartext.

CVE-2008-0374

Printer sends configuration information, including administrative password, in cleartext.

CVE-2007-4961

Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294).

CVE-2007-4786

Product sends passwords in cleartext to a log server.

CVE-2005-3140

Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes.

Mitigaciones potenciales

Phases : Requirements
Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.
Phases : Architecture and Design
Phases : Architecture and Design
Phases : Architecture and Design
Phases : Implementation // Architecture and Design
When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
Phases : Implementation
Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.

Métodos de detección

Manual Analysis

The characterizaton of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.
Efectividad : High

Automated Analysis

Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. metadata) from sensitive data.

Manual Static Analysis - Binary or Bytecode

Efectividad : SOAR Partial

Dynamic Analysis with Automated Results Interpretation

Efectividad : SOAR Partial

Dynamic Analysis with Manual Results Interpretation

Efectividad : High

Manual Static Analysis - Source Code

Efectividad : High

Automated Static Analysis - Source Code

Efectividad : SOAR Partial

Architecture or Design Review

Efectividad : High

Notas de mapeo de vulnerabilidades

Justificación : CWE-311 is high-level with more precise children available. It is a level-1 Class (i.e., a child of a Pillar).
Comentario : Consider children CWE-312: Cleartext Storage of Sensitive Information or CWE-319: Cleartext Transmission of Sensitive Information.

Patrones de ataque relacionados

CAPEC-ID Nombre del patrón de ataque
CAPEC-157 Sniffing Attacks
In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves.
CAPEC-158 Sniffing Network Traffic
In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.
CAPEC-204 Lifting Sensitive Data Embedded in Cache
An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-37 Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
CAPEC-383 Harvesting Information via API Event Monitoring
An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.
CAPEC-384 Application API Message Manipulation via Man-in-the-Middle
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.
CAPEC-385 Transaction or Event Tampering via Application API Manipulation
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.
CAPEC-386 Application API Navigation Remapping
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.
CAPEC-387 Navigation Remapping To Propagate Malicious Content
An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.
CAPEC-388 Application API Button Hijacking
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.
CAPEC-477 Signature Spoofing by Mixing Signed and Unsigned Content
An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.
CAPEC-609 Cellular Traffic Intercept
Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted.
CAPEC-65 Sniff Application Code
An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.

Notas

There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data.

Referencias

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-265

Top 25 Series - Rank 10 - Missing Encryption of Sensitive Data
Frank Kim.
https://www.sans.org/blog/top-25-series-rank-10-missing-encryption-of-sensitive-data/

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-267

FIPS PUB 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Information Technology Laboratory, National Institute of Standards and Technology.
https://csrc.nist.gov/files/pubs/fips/140-2/upd2/final/docs/fips1402.pdf

REF-1479

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, Rama S. Moorthy.
https://www.ida.org/-/media/feature/publications/s/st/stateoftheart-resources-soar-for-software-vulnerability-detection-test-and-evaluation/p-5061.ashx

Envío

Nombre Organización Fecha Fecha de lanzamiento Version
CLASP 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Modificaciones

Nombre Organización Fecha Comentario
Eric Dalci Cigital 2008-07-01 +00:00 updated Time_of_Introduction
Veracode 2008-08-15 +00:00 Suggested OWASP Top Ten 2004 mapping
CWE Content Team MITRE 2008-09-08 +00:00 updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
CWE Content Team MITRE 2009-10-29 +00:00 updated Common_Consequences, Other_Notes
CWE Content Team MITRE 2010-02-16 +00:00 updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Likelihood_of_Exploit, Name, Observed_Examples, Potential_Mitigations, References, Related_Attack_Patterns, Relationships, Taxonomy_Mappings, Time_of_Introduction
CWE Content Team MITRE 2010-04-05 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2010-06-21 +00:00 updated Common_Consequences, Potential_Mitigations, References
CWE Content Team MITRE 2010-09-27 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2010-12-13 +00:00 updated Demonstrative_Examples, Observed_Examples, Related_Attack_Patterns
CWE Content Team MITRE 2011-03-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2011-06-01 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2011-06-27 +00:00 updated Relationships
CWE Content Team MITRE 2011-09-13 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, References, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2012-10-30 +00:00 updated Potential_Mitigations, References
CWE Content Team MITRE 2013-07-17 +00:00 updated Relationship_Notes
CWE Content Team MITRE 2014-02-18 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2014-06-23 +00:00 updated Relationships
CWE Content Team MITRE 2014-07-30 +00:00 updated Detection_Factors, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2015-12-07 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-01-19 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-05-03 +00:00 updated Related_Attack_Patterns
CWE Content Team MITRE 2017-11-08 +00:00 updated Likelihood_of_Exploit, Modes_of_Introduction, Potential_Mitigations, References, Relationships
CWE Content Team MITRE 2018-03-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2019-01-03 +00:00 updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2019-06-20 +00:00 updated Related_Attack_Patterns, Relationships, Type
CWE Content Team MITRE 2020-02-24 +00:00 updated References, Relationships
CWE Content Team MITRE 2020-12-10 +00:00 updated Potential_Mitigations, Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-06-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Potential_Mitigations
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes, Relationships
CWE Content Team MITRE 2024-02-29 +00:00 updated Taxonomy_Mappings
CWE Content Team MITRE 2025-04-03 +00:00 updated Description, Diagram
CWE Content Team MITRE 2025-09-09 +00:00 updated Detection_Factors, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Observed_Examples, Relationships, Weakness_Ordinalities
La información presentada en CVE Find proviene de varias fuentes de referencia cuidadosamente seleccionadas. Los datos CVE son proporcionados por MITRE Corporation y la Base de Datos Nacional de Vulnerabilidades (NVD). El catálogo de Vulnerabilidades Explotadas Conocidas (KEV) proviene de la Agencia de Seguridad de Infraestructura y Ciberseguridad (CISA), mientras que las puntuaciones EPSS provienen de FIRST.org. Además, los datos sobre debilidades de software (CWE) y patrones de ataque comunes (CAPEC) son mantenidos por MITRE Corporation, y la información sobre configuraciones de hardware y software (CPE) es proporcionada por la NVD.