CWE-316 Cleartext Storage in Memory
What this means
SiteShadow flagged sensitive values being held in memory in a way that may be exposed through crashes, heap dumps, debug tooling, or overly broad logging/telemetry.
Why it matters
Secrets held in plaintext in process memory can leak through dumps, crashes, or diagnostics:
- Crash dumps and diagnostics can capture plaintext secrets.
- Debugging/observability tooling can inadvertently record memory/state.
- In some environments, other processes/users may access memory snapshots.
Safer examples
1) Minimize lifetime of secrets in memory
Keep secrets in memory only as long as they are needed, and avoid holding them in global or other long-lived objects (configs, caches).
2) Avoid logging objects that contain secrets
Redact before logging and be careful with "dump whole object" patterns (see CWE-532 / L01).
3) Use platform facilities where appropriate
In some stacks you can use OS keychains / secret stores rather than keeping secrets in-process.
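Practices 1 and 2 above, as an added Python example that is not SiteShadow's code: the credential field-name pattern, the config shape and the HMAC use are assumptions for illustration.

```python
import hashlib
import hmac
import logging
import re
from typing import Any

log = logging.getLogger("app")

# Field names that usually carry credentials (a constructed pattern for this
# example, not SiteShadow's own heuristics).
CREDENTIAL_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|authorization", re.I)
MASK = "***REDACTED***"


def redact(value: Any) -> Any:
    """Copy a nested dict/list with credential-like fields masked, so that
    "dump whole object" logging never records the plaintext."""
    if isinstance(value, dict):
        return {k: (MASK if CREDENTIAL_KEY.search(str(k)) else redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value


class TransientSecret:
    """Hold a secret in a mutable buffer and zero it on exit. str/bytes are
    immutable and cannot be wiped in CPython; a bytearray can be overwritten in
    place, shortening the window in which a crash dump or heap snapshot holds
    the plaintext."""

    def __init__(self, secret: bytes) -> None:
        self._buf = bytearray(secret)

    def __enter__(self) -> bytearray:
        return self._buf

    def __exit__(self, *exc: object) -> None:
        for i in range(len(self._buf)):  # overwrite before releasing
            self._buf[i] = 0
        self._buf.clear()

    def wiped(self) -> bool:
        return len(self._buf) == 0


def sign_request(config: dict, body: bytes) -> str:
    """Log the config safely, then take the API key out of the long-lived config,
    use it once (hmac accepts a bytearray, so no extra immutable copy is made) and
    wipe it. Only the buffer is zeroed; the str/bytes temporaries from pop().encode()
    are freed but cannot be scrubbed from pure Python."""
    log.info("loaded config: %s", redact(config))
    with TransientSecret(config.pop("api_key").encode()) as key:
        return hmac.new(key, body, hashlib.sha256).hexdigest()
```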
How SiteShadow detects it (high level)
- Flags sensitive values flowing into long-lived objects (configs, caches) and debug/logging sinks.
- Uses heuristics around credential-like fields being retained and exposed.
References
- CWE-316: https://cwe.mitre.org/data/definitions/316.html
---