
CWE-522 (Insufficiently Protected Credentials) — Vulnerability Class · 374

374 vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials). AI-generated Chinese analysis included.

CWE-522 covers a critical class of weakness in which authentication credentials are transmitted or stored using insecure methods, leaving them open to unauthorized interception or retrieval. Attackers typically exploit this flaw by sniffing unencrypted network traffic to capture credentials in transit, or by reading poorly protected local storage to recover plaintext passwords. Either path lets them take over user accounts, bypassing the intended authentication controls and compromising system integrity. To prevent such weaknesses, developers must protect credentials with appropriate cryptography at every stage: in transit by using protocols such as TLS, and at rest by storing user passwords only as salted hashes produced by a strong password-hashing algorithm and by keeping service credentials in a keystore rather than in plaintext configuration. Additionally, adhering to the principle of least privilege and regularly auditing authentication mechanisms reduces the impact of any credential theft and helps keep sensitive data protected against common interception techniques.

MITRE CWE Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
An attacker could gain access to user accounts and access sensitive data used by the user accounts.

Mitigations (3)
Phase: Architecture and Design. Use an appropriate security mechanism to protect the credentials.
Phase: Architecture and Design. Make appropriate use of cryptography to protect the credentials.
Phase: Implementation. Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Examples (2)

Example 1 (Bad · PHP). This code changes a user's password.

    // Credentials arrive in the query string, so they end up in server,
    // proxy and browser history logs; the new password is then handed to
    // SetUserPassword() with no hashing or other protection.
    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $checkpass = $_GET['checkpass'];
    if ($pass == $checkpass) {
        SetUserPassword($user, $pass);
    }

Example 2 (Bad · Java). The following code reads a password from a properties file and uses the password to connect to a database.

    ...
    // The database password sits in plaintext in config.properties and is
    // readable by anyone who can read that file.
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...
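The hardened counterpart to the PHP example above, written here in Python as an added illustration (it is not MITRE's code): credentials are accepted only from a POST body, never from the query string, the store keeps a per-user salted scrypt hash instead of the plaintext password, and verification uses a constant-time comparison. The request shape (`method`, `query`, `form`) and the in-memory `USER_STORE` are constructed stand-ins for a web framework and a user table.

```python
import base64
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the user table: user -> "salt$hash" (base64).
USER_STORE = {}

# scrypt work factors; assumption: chosen for illustration (16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _hash_password(password, salt):
    """Derive a 32-byte key from the password with a memory-hard KDF."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def set_user_password(user, password):
    """Store only a fresh random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    digest = _hash_password(password, salt)
    USER_STORE[user] = (base64.b64encode(salt).decode() + "$"
                        + base64.b64encode(digest).decode())


def verify_user_password(user, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USER_STORE.get(user)
    if record is None:
        return False
    salt_b64, digest_b64 = record.split("$", 1)
    candidate = _hash_password(password, base64.b64decode(salt_b64))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def change_password(method, query, form):
    """Password-change handler mirroring the PHP example; returns (status, msg)."""
    if method != "POST" or "pass" in query or "checkpass" in query:
        # Query-string credentials land in access logs and browser history.
        return 400, "credentials must be sent in a POST body"
    user = form.get("user", "")
    pw = form.get("pass", "")
    check = form.get("checkpass", "")
    if not user or not pw or not hmac.compare_digest(pw.encode(), check.encode()):
        return 400, "passwords missing or do not match"
    set_user_password(user, pw)
    return 200, "password updated"
```

The handler still needs to run behind TLS and an authenticated session; those controls sit outside this snippet.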
CVE ID | Title | CVSS | Severity | Published
CVE-2018-7518 | BeaconMedaes Scroll Medical Air Systems TotalAlert Web Application Security Vulnerability — BeaconMedæs TotalAlert Scroll Medical Air Systems web application | 9.1 | - | 2018-05-24
CVE-2016-9593 | foreman-debug Information Disclosure Vulnerability — foreman-debug | 8.8 | - | 2018-04-16
CVE-2017-0925 | Gitlab Enterprise Edition Security Vulnerability — GitLab Community and Enterprise Editions | 9.8 | - | 2018-03-21
CVE-2018-3609 | Trend Micro InterScan Messaging Security Virtual Appliance Security Vulnerability — Trend Micro InterScan Messaging Security Virtual Appliance | 8.1 | - | 2018-02-16
CVE-2017-3192 | D-Link DIR-130 and DIR-330 Security Vulnerability — DIR-130 | 9.8 | - | 2017-12-15
CVE-2017-13998 | LOYTEC LVIS-3ME Trust Management Vulnerability — LOYTEC LVIS-3ME | 7.8 | - | 2017-10-05
CVE-2017-8446 | Elasticsearch X-Pack and Reporting Plugin Security Vulnerability — Elastic X-Pack Reporting | 6.5 | - | 2017-08-18
CVE-2017-7547 | PostgreSQL Security Vulnerability — postgresql | 8.1 | - | 2017-08-16
CVE-2017-6028 | Schneider Electric Modicon PLCs Modicon M241 and Modicon M251 Trust Management Issue Vulnerability — Schneider Electric Modicon PLCs | 9.1 | - | 2017-06-30
CVE-2017-6046 | Sierra Wireless AirLink Raven XE and XT Security Vulnerability — Sierra Wireless AirLink Raven XE and XT | 6.5 | - | 2017-06-30
CVE-2017-7524 | tpm2-tools Security Vulnerability — tpm2-tools | 7.5 | - | 2017-06-27
CVE-2017-9552 | Synology Photo Station Security Vulnerability — Synology Photo Station | 7.8 | - | 2017-06-13
CVE-2017-7486 | PostgreSQL Information Disclosure Vulnerability — PostgreSQL | 9.1 | - | 2017-05-12
CVE-2014-0755 | Rockwell RSLogix 5000 Insufficiently Protected Credentials — RSLogix 5000 software | 7.1 | - | 2014-02-05

Vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials) account for 374 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.