The application stores sensitive information in cleartext in a file, or on disk.
The sensitive information could be read by attackers with access to the file, or with physical or administrator access to the raw disk. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Different people use "cleartext" and "plaintext" to mean the same thing: the lack of encryption. However, within cryptography, these have more precise meanings. Plaintext is the information just before it is fed into a cryptographic algorithm, including already-encrypted text. Cleartext is any information that is unencrypted, although it might be in an encoded form that is not easily human-readable (such as base64 encoding).
Time of Introduction: Architecture and Design
Technical Impact: Read application
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in
This Java example shows a properties file with a cleartext username /
# Java Web App ResourceBundle properties file
The following example shows a portion of a configuration file for an ASP.NET application. This configuration file includes username and password information for a connection to a database, but the pair is stored in cleartext.
Username and password information should not be included in a configuration file or a properties file in cleartext, as this gives anyone who can read the file access to the resource. If possible, encrypt this information and avoid CWE-260 and CWE-13
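As an added example (not part of the CWE entry), the following Python script detects the two situations the entry describes: credential keys in a Java properties file and inline passwords in ASP.NET connection strings. It also applies the cleartext-versus-encoded distinction made above by flagging base64-encoded values as cleartext rather than treating them as protected. The property names, connection-string names and hostnames in the sample inputs are constructed for illustration; a value that is a `${...}` or `%...%` placeholder is assumed to be resolved from the environment or a secret store at runtime and is not flagged.

```python
"""Detect cleartext credentials in Java .properties and ASP.NET web.config text.

Added example; the sample inputs below are constructed, not taken from any real
application.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample: Java ResourceBundle properties file (hypothetical keys).
SAMPLE_PROPERTIES = """\
# Java Web App ResourceBundle properties file (constructed sample)
webapp.ldap.url=ldap://ldap.example.internal
webapp.ldap.username=svc_app
webapp.ldap.password=hunter2
# base64 is encoding, not encryption: still cleartext under CWE-313
webapp.smtp.password=aHVudGVyMg==
webapp.db.password=${env:DB_PASSWORD}
"""

# Constructed sample: ASP.NET web.config connectionStrings section (hypothetical names).
SAMPLE_WEB_CONFIG = """\
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=db.example.internal;Database=app;User Id=svc_app;Password=hunter2;" />
    <add name="ReportDb"
         connectionString="Server=db2.example.internal;Database=reports;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>
"""

# Property names that usually hold a credential.
SECRET_KEY_RE = re.compile(r"(password|passwd|pwd|secret|api[_.-]?key|token)", re.IGNORECASE)
# ${...} / %...% references are resolved at runtime and carry no secret themselves.
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]+\}$|^%[A-Za-z0-9_]+%$")


def looks_base64(value):
    """True if value is valid base64 that decodes to printable ASCII.

    Such a value is encoded, not encrypted, and therefore still cleartext.
    """
    if len(value) < 8 or len(value) % 4 != 0:
        return False
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return all(32 <= b < 127 for b in decoded)


def scan_properties(text):
    """Return [(key, kind)] for credential keys whose value is stored in cleartext."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        if not SECRET_KEY_RE.search(key) or not value:
            continue
        if PLACEHOLDER_RE.match(value):
            continue  # externalized: nothing sensitive sits in the file
        kind = "base64-encoded cleartext" if looks_base64(value) else "cleartext"
        findings.append((key, kind))
    return findings


def scan_web_config(xml_text):
    """Return names of <add> connection strings that embed an inline password."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.iter("add"):
        conn = add.get("connectionString", "")
        # Connection strings are ';'-separated key=value pairs.
        pairs = dict(p.split("=", 1) for p in conn.split(";") if "=" in p)
        for k, v in pairs.items():
            if k.strip().lower() in ("password", "pwd") and v.strip():
                findings.append(add.get("name"))
                break
    return findings


if __name__ == "__main__":
    for key, kind in scan_properties(SAMPLE_PROPERTIES):
        print(f"properties: {key} -> {kind}")
    for name in scan_web_config(SAMPLE_WEB_CONFIG):
        print(f"web.config: connection string '{name}' embeds a password")
```

Run against the constructed samples, the script reports the LDAP password, the base64-encoded SMTP password and the `AppDb` connection string, while the `${env:DB_PASSWORD}` reference and the integrated-security connection string pass. The base64 check is a heuristic (a short cleartext password can coincidentally be valid base64), so treat its output as a triage hint rather than proof of encoding.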