What is the authoritative source for CWE-311?

Missing Encryption of Sensitive Data (CWE-311) is catalogued in MITRE CWE and curated for EU compliance use cases by SQUR.

ClassDraft

CWE-311Missing Encryption of Sensitive Data

Category: data-exposure

The product does not encrypt sensitive or critical information before storage or transmission.

Confidentiality — Read Application Data
If the application does not use a secure channel, such as SSL, to exchange sensitive information, it is possible for an attacker with access to the network traffic to sniff packets from the connection and uncover the data. This attack is not technically difficult, but does require physical access to some portion of the network over which the sensitive data travels. This access is usually somewhere near where the user is connected to the network (such as a colleague on the company network) but can be anywhere along the path from the user to the end server.
Confidentiality / Integrity — Modify Application Data
Omitting the use of encryption in any program which transfers data over a network of any kind should be considered on par with delivering the data sent to each user on the local networks of both the sender and receiver. Worse, this omission allows for the injection of data into a stream of communication between two parties -- with no means for the victims to separate valid data from invalid. In this day of widespread network attacks and password collection sniffers, it is an unnecessary risk to omit encryption from the design of any system which might benefit from it.

[Requirements]Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.
[Architecture and Design]
[Architecture and Design]
[Architecture and Design]
[Implementation, Architecture and Design]When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.

Type	Target	Confidence	Tier
AttackPattern	Application API Button Hijackingcapec-388	100%	live
AttackPattern	Navigation Remapping To Propagate Malicious Contentcapec-387	100%	live
AttackPattern	Sniffing Network Trafficcapec-158	100%	live
AttackPattern	Transaction or Event Tampering via Application API Manipulationcapec-385	100%	live
AttackPattern	Signature Spoofing by Mixing Signed and Unsigned Contentcapec-477	100%	live
AttackPattern	Sniffing Attackscapec-157	100%	live
AttackPattern	Accessing/Intercepting/Modifying HTTP Cookiescapec-31	100%	live
AttackPattern	Retrieve Embedded Sensitive Datacapec-37	100%	live
AttackPattern	Application API Message Manipulation via Man-in-the-Middlecapec-384	100%	live
AttackPattern	Lifting Sensitive Data Embedded in Cachecapec-204	100%	live
AttackPattern	Sniff Application Codecapec-65	100%	live
AttackPattern	Harvesting Information via API Event Monitoringcapec-383	100%	live
AttackPattern	Cellular Traffic Interceptcapec-609	100%	live
AttackPattern	Application API Navigation Remappingcapec-386	100%	live

Type	Target	Confidence	Tier
ComplianceControl	dora-art12	100%	live
ComplianceControl	cra-annexi-1	100%	live
ComplianceControl	nis2-art21h	100%	live
ComplianceControl	gdpr-art35	100%	live
ComplianceControl	gdpr-art25	100%	live
ComplianceControl	owasp_top10-a04	100%	live
ComplianceControl	gdpr-art34	100%	live
ComplianceControl	cra-art13	100%	live
ComplianceControl	dora-art9	100%	live
ComplianceControl	owasp_top10-a02	100%	live
ComplianceControl	pci_dss_v4-r3	100%	live
ComplianceControl	gdpr-art32	100%	live

Type	Target	Confidence	Tier
Vulnerability	CVE-2025-29314cve-2025-29314	0%	live
Vulnerability	CVE-2025-48981cve-2025-48981	0%	live
Vulnerability	CVE-2025-69969cve-2025-69969	0%	live
Vulnerability	CVE-2026-27944cve-2026-27944	0%	live
Vulnerability	CVE-2026-28678cve-2026-28678	0%	live
Vulnerability	CVE-2026-32891cve-2026-32891	0%	live