CWE · MITRE source
CWE-311: Missing Encryption of Sensitive Data
The product does not encrypt sensitive or critical information before storage or transmission.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (12)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CM-13 | Data Action Mapping | CM | The map highlights data actions that involve sensitive data, enabling identification of missing encryption requirements. |
| CM-6 | Configuration Settings | CM | Settings can require encryption of sensitive data, preventing missing encryption weaknesses. |
| PM-13 | Security and Privacy Workforce | PM | Privacy and security curricula stress encryption requirements, reducing missing encryption of sensitive data. |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Requires encryption and similar controls for CUI processed or stored externally, preventing missing encryption of sensitive data. |
| RA-5 | Vulnerability Monitoring and Scanning | RA | Monitoring detects missing encryption of sensitive data in storage or transit configurations. |
| RA-8 | Privacy Impact Assessments | RA | Privacy assessments routinely identify the need for encryption of PII, directly lowering the impact of missing encryption weaknesses. |
| SA-3 | System Development Life Cycle | SA | Privacy and security considerations mandated across the SDLC make identification and protection of sensitive data (including encryption decisions) a required activity rather than an afterthought. |
| SA-9 | External System Services | SA | Privacy and security requirements placed on external providers, together with monitoring, tangibly reduce missing encryption of sensitive data processed or stored by those services. |
| AT-3 | Role-based Training | AT | Privacy and security training stresses encryption of sensitive data, reducing missing encryption weaknesses. |
| CA-3 | Information Exchange | CA | Exchange agreements must document security requirements, which would include encryption to protect sensitive data in transit. |
| PL-8 | Security and Privacy Architectures | PL | Architectures must describe confidentiality protections, which includes mandating encryption for sensitive data in transit and at rest. |
| SC-13 | Cryptographic Protection | SC | Mandates encryption for specified data uses, directly preventing missing encryption of sensitive information. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2017-8221 | 2.6 | 7.5 | 0.1907 | 2017-04-25 |
| CVE-2026-27944 | 2.3 | 9.8 | 0.0583 | 2026-03-05 |
| CVE-2019-11367 | 2.2 | 9.8 | 0.0353 | 2019-06-03 |
| CVE-2019-11523 | 2.1 | 9.8 | 0.0251 | 2019-06-06 |
| CVE-2017-7406 | 2.0 | 9.8 | 0.0010 | 2017-07-07 |
| CVE-2017-9854 | 2.0 | 9.8 | 0.0020 | 2017-08-05 |
| CVE-2017-9632 | 2.0 | 9.8 | 0.0007 | 2017-08-07 |
| CVE-2018-7498 | 2.0 | 9.8 | 0.0009 | 2018-03-28 |
| CVE-2017-3198 | 2.0 | 9.8 | 0.0021 | 2018-07-09 |
| CVE-2018-17915 | 2.0 | 9.8 | 0.0009 | 2018-10-10 |
| CVE-2018-20100 | 2.0 | 9.8 | 0.0016 | 2019-01-02 |
| CVE-2018-16879 | 2.0 | 9.8 | 0.0023 | 2019-01-03 |
| CVE-2018-10612 | 2.0 | 9.8 | 0.0022 | 2019-01-29 |
| CVE-2019-6526 | 2.0 | 9.8 | 0.0012 | 2019-04-15 |
| CVE-2018-10698 | 2.0 | 9.8 | 0.0019 | 2019-06-07 |
| CVE-2019-12924 | 2.0 | 9.8 | 0.0011 | 2019-07-08 |
| CVE-2019-3431 | 2.0 | 9.8 | 0.0007 | 2019-12-23 |
| CVE-2019-14480 | 2.0 | 9.8 | 0.0029 | 2020-12-16 |
| CVE-2020-15331 | 2.0 | 9.8 | 0.0028 | 2022-09-29 |
| CVE-2023-0750 | 2.0 | 9.8 | 0.0024 | 2023-04-06 |
| CVE-2023-4420 | 2.0 | 9.8 | 0.0007 | 2023-08-24 |
| CVE-2023-6339 | 2.0 | 10.0 | 0.0004 | 2024-01-02 |
| CVE-2025-69969 | 1.9 | 9.6 | 0.0005 | 2026-03-04 |
| CVE-2017-3218 | 1.8 | 8.8 | 0.0002 | 2017-06-21 |
| CVE-2017-3219 | 1.8 | 8.8 | 0.0003 | 2017-06-21 |