CWE-922 Detail

CWE-922

Insecure Storage of Sensitive Information
Incomplete
2013-07-17
00h00 +00:00
2023-10-26
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Insecure Storage of Sensitive Information

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

CWE Description

If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.

General Informations

Modes Of Introduction

Architecture and Design : OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Implementation
System Configuration

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
ConfidentialityRead Application Data, Read Files or Directories

Note: Attackers can read sensitive information by accessing the unrestricted storage mechanism.
IntegrityModify Application Data, Modify Files or Directories

Note: Attackers can overwrite sensitive information by accessing the unrestricted storage mechanism.

Observed Examples

References Description

CVE-2009-2272

password and username stored in cleartext in a cookie

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Justification : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comment : Examine children of this entry to see if there is a better fit

NotesNotes

There is an overlapping relationship between insecure storage of sensitive information (CWE-922) and missing encryption of sensitive information (CWE-311). Encryption is often used to prevent an attacker from reading the sensitive data. However, encryption does not prevent the attacker from erasing or overwriting the data. While data tampering would be visible upon inspection, the integrity and availability of the data is compromised prior to the audit.
This is a high-level entry that includes children from various parts of the CWE research view (CWE-1000). Currently, most of the information is in these child entries. This entry will be made more comprehensive in later CWE versions.

Submission

Name Organization Date Date release Version
CWE Content Team MITRE 2013-06-23 +00:00 2013-07-17 +00:00 2.5

Modifications

Name Organization Date Comment
CWE Content Team MITRE 2017-11-08 +00:00 updated Modes_of_Introduction, Relationships
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated Maintenance_Notes
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2022-10-13 +00:00 updated Common_Consequences, Relationship_Notes
CWE Content Team MITRE 2023-01-31 +00:00 updated Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Observed_Examples