CWE-316 在内存中的明文存储
Cleartext Storage of Sensitive Information in Memory
结构: Simple
Abstraction: Variant
状态: Draft
被利用可能性: unkown
基本描述
The application stores sensitive information in cleartext in memory.
扩展描述
The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the application crashes, or if the programmer does not properly clear the memory before freeing it.
It could be argued that such problems are usually only exploitable by those with administrator privileges. However, swapping could cause the memory to be written to disk and leave it accessible to physical attack afterwards. Core dump files might have insecure permissions or be stored in archive files that are accessible to untrusted people. Or, uncleared sensitive memory might be inadvertently exposed to attackers due to another weakness.
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 312 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 312 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Confidentiality | Read Memory |
分析过的案例
| 标识 | 说明 | 链接 |
|---|---|---|
| CVE-2001-1517 | Sensitive authentication information in cleartext in memory. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1517 |
| BID:10155 | Sensitive authentication information in cleartext in memory. | http://www.securityfocus.com/bid/10155 |
| CVE-2001-0984 | Password protector leaves passwords in memory when window is minimized, even when "clear password when minimized" is set. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0984 |
| CVE-2003-0291 | SSH client does not clear credentials from memory. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0291 |
Notes
Relationship
This could be a resultant weakness, e.g. if the compiler removes code that was intended to wipe memory.
Terminology
Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| PLOVER | Plaintext Storage in Memory | ||
| Software Fault Patterns | SFP23 | Exposed Data |
文章来源于互联网:scap中文网
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论