
CWE-522 (Insufficiently Protected Credentials) — Vulnerability Class 374

374 vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials). AI Chinese analysis included.

CWE-522 covers authentication credentials that are transmitted or stored by an insecure method, leaving them open to interception or retrieval by unauthorized parties. Exploitation is usually passive: an attacker captures unencrypted credentials from network traffic with a sniffer, or reads plaintext passwords from poorly protected local storage such as configuration files and logs. A recovered credential lets the attacker authenticate as the victim, bypassing the intended access controls and compromising the system. To prevent this, protect credentials with appropriate cryptography both in transit (for example TLS) and at rest (strong hashing for stored passwords). Applying the principle of least privilege and regularly auditing authentication mechanisms further limits the damage a stolen credential can do.

MITRE CWE Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
Mitigations (3)
Architecture and Design: Use an appropriate security mechanism to protect the credentials.
Architecture and Design: Make appropriate use of cryptography to protect the credentials.
Implementation: Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Examples (2)
This code changes a user's password.

    // Credentials arrive in the URL query string, where they end up in browser
    // history, proxy logs and server access logs; no current password is required
    // and the new password is handed to storage as received.
    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $checkpass = $_GET['checkpass'];
    if ($pass == $checkpass) {
        SetUserPassword($user, $pass);
    }

Bad · PHP

The following code reads a password from a properties file and uses the password to connect to a database.

    ...
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    // The database credential sits in plaintext on disk, readable by anyone
    // who can read the file or any backup or copy of it.
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...

Bad · Java
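The two "Bad" examples above show the weakness; the following added illustration (not MITRE's code, and not taken from any product listed below) shows their hardened counterparts in Python. It stores only a salted scrypt hash of a password, requires the current password before a change, and audits a Java-style properties file for literal credentials. The in-memory USERS store, the change_password() signature and the ${VAR} reference convention in find_plaintext_credentials() are hypothetical stand-ins for an application's own user store and secret-injection scheme.

```python
# Added illustration, not MITRE's code: hardened counterparts to the two "Bad"
# examples above. USERS, change_password() and find_plaintext_credentials() are
# hypothetical stand-ins for a real application's user store and config audit.
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional

# Constructed in-memory user store; a real application persists the hash record.
USERS: Dict[str, str] = {}

# scrypt work factors: about 16 MiB of memory per hash, within hashlib's default maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$<salt hex>$<digest hex>' record.

    The password itself is never stored; a fresh random salt is drawn per call.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    try:
        salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, expected)


def change_password(user: str, current_pass: str, new_pass: str, check_pass: str) -> bool:
    """Hardened version of the PHP example.

    Unlike the original, the caller must prove knowledge of the current password,
    the new password must be confirmed, and only a salted scrypt hash is stored.
    Assumes the values arrive in a POST body over TLS, never in a GET query string.
    """
    stored = USERS.get(user)
    if stored is None or not verify_password(current_pass, stored):
        return False
    if new_pass != check_pass or len(new_pass) < 8:
        return False
    USERS[user] = hash_password(new_pass)
    return True


# Keys that usually hold a credential in a Java-style .properties file.
CREDENTIAL_KEY = re.compile(r"[\w.-]*(password|passwd|secret|token|api[_-]?key)\s*[=:]", re.I)


def find_plaintext_credentials(properties_text: str) -> List[str]:
    """Audit check for the Java example: report keys whose value is a literal
    credential rather than an external reference such as ${DB_PASSWORD}.

    The ${VAR} convention is an assumption; adapt it to how your deployment
    injects secrets (environment variables, a keystore, a secrets manager).
    """
    findings = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or .properties comment
        if not CREDENTIAL_KEY.match(line):
            continue
        key, value = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if value and not value.startswith("${"):
            findings.append(key)
    return findings


if __name__ == "__main__":
    USERS["alice"] = hash_password("correct horse battery")
    print(change_password("alice", "wrong guess", "new-passphrase", "new-passphrase"))  # False
    print(change_password("alice", "correct horse battery", "new-passphrase", "new-passphrase"))  # True
    # Constructed config.properties content mirroring the Java example.
    sample = "url=jdbc:postgresql://db/app\nuser=app\ndb.password=hunter2\napi_key=${API_KEY}\n"
    print(find_plaintext_credentials(sample))  # ['db.password']
```

The audit function is the cheap detection half of the mitigation: run it over deployed configuration files to find credentials that should have been moved into a keystore or secrets manager, then replace each literal with a reference that the runtime resolves.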
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2020-10755 | OpenStack openstack-cinder security vulnerability | openstack-cinder | 6.5 | Medium | 2020-06-10
CVE-2020-7030 | IPO Information Disclosure | IP Office | 5.5 | Medium | 2020-06-03
CVE-2014-1423 | Online Accounts Signon daemon gives out all oauth tokens to any app | signon | 5.9 | Medium | 2020-05-07
CVE-2020-5406 | PCF Autoscaling logs its database credentials | VMware Tanzu Application Service for VMs | 8.8 | - | 2020-04-10
CVE-2020-5263 | Information disclosure through error object | auth0.js | 5.5 | Medium | 2020-04-09
CVE-2019-5648 | LDAP Credential Exposure in Barracuda Load Balancer ADC | Load Balancer ADC | 7.2 | - | 2020-03-12
CVE-2020-5404 | Authentication Leak On Redirect With Reactor Netty HttpClient | Reactor Netty | 7.1 | - | 2020-03-03
CVE-2020-5400 | Cloud Controller logs environment variables from app manifests | CAPI | 6.5 | - | 2020-02-27
CVE-2020-6969 | AutomationDirect C-More Touch Panels EA9 security vulnerability | C-More Touch Panels EA9 series | 9.8 | - | 2020-02-05
CVE-2019-10205 | Red Hat Quay security vulnerability | quay | 6.3 | - | 2020-01-02
CVE-2019-10214 | containers image security vulnerability | containers/image | 5.9 | - | 2019-11-25
CVE-2019-10224 | Red Hat 389 Directory Server information disclosure vulnerability | 389-ds-base | 4.6 | - | 2019-11-25
CVE-2019-10206 | Ansible input validation error vulnerability | Ansible | 6.5 | - | 2019-11-22
CVE-2019-10210 | PostgreSQL input validation error vulnerability | postgresql | 6.7 | - | 2019-10-29
CVE-2019-11284 | Reactor Netty authentication leak in redirects | Reactor Netty | 7.5 | - | 2019-10-17
CVE-2019-9533 | The root password of the Cobham EXPLORER 710 is the same for all versions of firmware up to and including v1.08 | Explorer 710 | 9.8 | - | 2019-10-10
CVE-2019-13421 | floragunn Search Guard information disclosure vulnerability | Search Guard | 4.9 | - | 2019-08-23
CVE-2019-10960 | Zebra Technologies Industrial Printers trust management issue vulnerability | Zebra Industrial Printers All Versions | 6.1 | - | 2019-08-20
CVE-2019-3800 | CF CLI writes the client id and secret to config file | CF CLI Release | 7.8 | - | 2019-08-05
CVE-2019-10981 | Schneider Electric AVEVA Vijeo Citect and Schneider Electric AVEVA CitectSCADA trust management issue vulnerability | AVEVA Vijeo Citect and CitectSCADA | 7.8 | - | 2019-05-31
CVE-2019-10139 | cockpit-ovirt trust management issue vulnerability | cockpit-ovirt | 7.8 | - | 2019-05-17
CVE-2019-11820 | Synology Calendar trust management issue vulnerability | Calendar | 5.5 | - | 2019-05-09
CVE-2019-3938 | Crestron Electronics AM-100 and Crestron Electronics AM-101 trust management issue vulnerability | Crestron AirMedia | 7.8 | - | 2019-04-30
CVE-2019-6525 | AVEVA Wonderware System Platform trust management issue vulnerability | Wonderware System Platform | 8.8 | - | 2019-04-11
CVE-2019-3782 | CredHub CLI writes environment variable credentials to disk | CredHub CLI | 7.8 | - | 2019-02-13
CVE-2018-17922 | CIRCONTROL CirCarLife log information disclosure vulnerability | Circontrol CirCarLife all versions prior to 4.3.1 | 9.1 | - | 2018-11-02
CVE-2018-8858 | Vecna VGo Robot security vulnerability | VGo Robot | 9.8 | - | 2018-10-30
CVE-2018-17900 | Multiple Yokogawa products security vulnerability | STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500 | 9.8 | - | 2018-10-12
CVE-2017-2665 | Red Hat Storage Console trust management vulnerability | rhscon-core | 6.3 | - | 2018-07-06
CVE-2017-16718 | Beckhoff TwinCAT security vulnerability | Beckhoff TwinCAT | 5.9 | - | 2018-06-27

Vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials) represent 374 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.