CWE · MITRE source
CWE-922: Insecure Storage of Sensitive Information
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
If read access is not properly restricted, then attackers can steal the sensitive information. If write access is not properly restricted, then attackers can modify and possibly delete the data, causing incorrect results and possibly a denial of service.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (8)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| CP-6 | Alternate Storage Site | CP | Establishing an alternate site with equivalent protections directly mitigates insecure storage of sensitive backup information. |
| CP-9 | System Backup | CP | Requiring protection of backup information directly addresses insecure storage of sensitive data in backups. |
| CM-12 | Information Location | CM | Tracking information locations and access supports secure storage practices instead of insecure ones. |
| PM-17 | Protecting Controlled Unclassified Information on External Systems | PM | Policy explicitly addresses insecure storage of CUI on external systems, requiring compliant handling and protections. |
| RA-2 | Security Categorization | RA | Proper categorization drives selection of storage controls that keep sensitive information from being stored insecurely. |
| SC-28 | Protection of Information at Rest | SC | The control explicitly requires secure storage mechanisms for sensitive information, closing the insecure-storage weakness class. |
| SI-23 | Information Fragmentation | SI | Storing information as fragments on distinct components is an architectural control that avoids insecure single-location storage of the complete sensitive data set. |
| SR-7 | Supply Chain Operations Security | SR | OPSEC requirements improve handling and storage practices for sensitive supply-chain information. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-13937 | 6.7 | 5.3 | 0.9333 | 2020-10-19 |
| CVE-2018-25031 | 5.7 | 4.3 | 0.8042 | 2022-03-11 |
| CVE-2024-30896 | 3.4 | 9.1 | 0.2574 | 2024-11-21 |
| CVE-2020-1493 | 2.9 | 5.5 | 0.3033 | 2020-08-17 |
| CVE-2020-28911 | 2.6 | 6.5 | 0.2144 | 2021-05-24 |
| CVE-2024-7569 | 2.4 | 9.6 | 0.0747 | 2024-08-13 |
| CVE-2024-37728 | 2.3 | 7.5 | 0.1345 | 2024-09-10 |
| CVE-2017-5249 | 2.0 | 9.8 | 0.0018 | 2018-02-22 |
| CVE-2017-5250 | 2.0 | 9.8 | 0.0015 | 2018-02-22 |
| CVE-2020-8481 | 2.0 | 9.8 | 0.0050 | 2020-04-29 |
| CVE-2021-27170 | 2.0 | 9.8 | 0.0008 | 2021-02-10 |
| CVE-2021-42371 | 2.0 | 9.8 | 0.0073 | 2021-11-08 |
| CVE-2023-29727 | 2.0 | 9.8 | 0.0016 | 2023-05-30 |
| CVE-2023-32191 | 2.0 | 9.9 | 0.0020 | 2024-10-16 |
| CVE-2024-4995 | 2.0 | 9.8 | 0.0019 | 2024-12-18 |
| CVE-2025-12539 | 2.0 | 10.0 | 0.0072 | 2025-11-11 |
| CVE-2021-28813 | 1.9 | 9.6 | 0.0037 | 2021-09-10 |
| CVE-2022-35513 | 1.9 | 7.5 | 0.0629 | 2022-09-07 |
| CVE-2017-7253 | 1.8 | 8.8 | 0.0084 | 2017-03-30 |
| CVE-2023-43630 | 1.8 | 8.8 | 0.0001 | 2023-09-20 |
| CVE-2023-43631 | 1.8 | 8.8 | 0.0003 | 2023-09-21 |
| CVE-2023-43633 | 1.8 | 8.8 | 0.0002 | 2023-09-21 |
| CVE-2023-43634 | 1.8 | 8.8 | 0.0003 | 2023-09-21 |
| CVE-2023-42913 | 1.8 | 8.8 | 0.0037 | 2024-03-28 |
| CVE-2024-10943 | 1.8 | 9.1 | 0.0012 | 2024-11-12 |