CWE-921
Storage of Sensitive Data in a Mechanism without Access Control
Extended description
While many modern file systems or devices utilize some form of access control in order to restrict access to data, not all storage mechanisms have this capability. For example, memory cards, floppy disks, CDs, and USB devices are typically made accessible to any user within the system. This can become a problem when sensitive data is stored in these mechanisms in a multi-user environment, because anybody on the system can read or write this data. On Android devices, external storage is typically globally readable and writable by other applications on the device. External storage may also be easily accessible through the mobile device's USB connection or physically accessible through the device's memory card port.
Common consequences2
- ConfidentialityRead Application DataRead Files or Directories
Attackers can read sensitive information by accessing the unrestricted storage mechanism.
- IntegrityModify Application DataModify Files or Directories
Attackers can modify or delete sensitive information by accessing the unrestricted storage mechanism.
Relationships1
- ChildOfCWE-922
CVEs referencing this CWE10
| CVE | Description | Severity | EPSS | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2022-1706 | A vulnerability was found in Ignition where ignition configs are accessible from unprivileged containers in VMs running on VMware products. This issue is only relevant in user environments where the Ignition config contains secrets. The highest threat from this vulnerability is to data confidentiality. Possible workaround is to not put secrets in the Ignition config. | MEDIUM6.5 | 1.15%p63 | 2026-03-11 | |
| CVE-2023-2665 | Storage of Sensitive Data in a Mechanism without Access Control in GitHub repository francoisjacquet/rosariosis prior to 11.0. | HIGH7.5 | 0.61%p45 | 2025-01-24 | |
| CVE-2025-30016 | SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises due to improper authentication mechanisms, due to which there is high impact on the Confidentiality, Integrity & Availability of the application. | CRITICAL9.8 | 0.54%p41 | 2026-04-15 | |
| CVE-2023-41965 | Sending some requests in the web application of the vulnerable device allows information to be obtained due to the lack of security in the authentication process. | HIGH7.5 | 0.51%p39 | 2025-04-15 | |
| CVE-2024-9334 | Use of Hard-coded Credentials, Storage of Sensitive Data in a Mechanism without Access Control vulnerability in E-Kent Pallium Vehicle Tracking allows Authentication Bypass. This issue affects Pallium Vehicle Tracking: before 17.10.2024. | HIGH8.2 | 0.34%p25 | 2026-06-02 | |
| CVE-2021-27456 | Philips Gemini PET/CT family software stores sensitive information in a removable media device that does not have built-in access control. | LOW2.4 | 0.23%p14 | 2025-04-16 | |
| CVE-2024-5206 | A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the `stop_words_` attribute, rather than only storing the subset of tokens required for the TF-IDF technique to function. This behavior leads to the potential leakage of sensitive information, as the `stop_words_` attribute could contain tokens that were meant to be discarded and not stored, such as passwords or keys. The impact of this vulnerability varies based on the nature of the data being processed by the vectorizer. | MEDIUM4.7 | 0.19%p8 | 2024-11-21 | |
| CVE-2025-24870 | SAP GUI for Windows & RFC service credentials are incorrectly stored in the memory of the program allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly sensitive information. This has no impact on integrity, and availability. | MEDIUM6.0 | 0.16%p5 | 2026-04-15 | |
| CVE-2023-41818 | An improper use of the SD card for sensitive data vulnerability was reported in the Motorola Device Help application that could allow a local attacker to read system logs. | MEDIUM5.0 | 0.15%p4 | 2026-04-15 | |
| CVE-2025-24843 | Insecure file retrieval process that facilitates potential for file manipulation to affect product stability and confidentiality, integrity, authenticity, and attestation of stored data. | MEDIUM5.1 | 0.14%p4 | 2026-04-15 |