CWE-522 (Insufficiently Protected Credentials) — Vulnerability Class 373

373 vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials). AI Chinese analysis included.

CWE-522 covers authentication credentials that are transmitted or stored by an insecure method, so that they can be intercepted in transit or retrieved from wherever they are kept. Exploitation is typically passive: capturing unencrypted traffic on the network, or reading plaintext passwords from poorly protected local storage such as configuration files and logs. Either way the attacker ends up holding a valid credential and can log in as that user, bypassing the access controls the credential was meant to enforce. The remedy is to protect credentials at every stage: in transit with TLS, and at rest with strong cryptography, which for passwords means storing only a salted hash produced by a purpose-built password hashing function, and for secrets that must be recovered in full (API keys, database passwords) means a keystore or secrets manager rather than a plaintext file. Applying least privilege to the accounts those credentials unlock, and regularly auditing where credentials are stored and logged, limits the damage when one does leak.

MITRE CWE Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Common Consequences (1)

Access Control: Gain Privileges or Assume Identity
An attacker could gain access to user accounts and access sensitive data used by the user accounts.

Mitigations (3)

Architecture and Design: Use an appropriate security mechanism to protect the credentials.
Architecture and Design: Make appropriate use of cryptography to protect the credentials.
Implementation: Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).

Examples (2)
This code changes a user's password.

    <?php
    // The new password arrives in the URL query string ($_GET), so it is exposed
    // in browser history, referrer headers, proxy logs and web server access logs.
    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $checkpass = $_GET['checkpass'];
    if ($pass == $checkpass) {
        SetUserPassword($user, $pass);
    }

Bad · PHP

The following code reads a password from a properties file and uses the password to connect to a database.

    import java.io.FileInputStream;
    import java.sql.DriverManager;
    import java.util.Properties;
    ...
    // The database password sits in plaintext in config.properties; anyone who can
    // read that file (backups, source control, other local users) obtains it.
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...

Bad · Java
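The PHP example above hands the new password to storage as-is. The block below is an added example, not MITRE's code nor this page's own, showing the same password-change handler rewritten so that the credential is protected at rest: a per-user random salt, a deliberately slow PBKDF2-HMAC-SHA256 derivation, and a constant-time comparison on verification. `USERS` is a constructed in-memory table standing in for the database, and every function name here (`set_user_password`, `verify_user_password`, `record_contains_plaintext`) is this example's own, not a real library API.

```python
"""Added example (not MITRE's code or the page's own): the password-change
handler from the PHP snippet, rewritten so that the credential is protected
at rest. USERS is a constructed in-memory table standing in for the database;
every function name here is this example's own, not a real library API."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256; the figure follows current OWASP
# password-storage guidance and should be raised as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed in-memory user table: username -> credential record (no plaintext inside)
USERS: Dict[str, Dict[str, object]] = {}


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Derive a salted, slow hash; the returned record never contains the password itself."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def set_user_password(user: str, password: str, check_password: str) -> bool:
    """Hardened stand-in for SetUserPassword($user, $pass): keeps the original
    'both copies must match' check but stores only the salted hash."""
    if not password or password != check_password:
        return False
    USERS[user] = hash_password(password)
    return True


def verify_user_password(user: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = USERS.get(user)
    if record is None:
        # Burn the same work for an unknown user so timing does not reveal which usernames exist
        hash_password(candidate, bytes(SALT_BYTES))
        return False
    salt = bytes.fromhex(str(record["salt"]))
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(record["iter"]))
    return hmac.compare_digest(digest, bytes.fromhex(str(record["hash"])))


def record_contains_plaintext(user: str, password: str) -> bool:
    """Audit helper: True if the stored record would hand the password to anyone who reads it."""
    record = USERS.get(user, {})
    return any(password in str(value) for value in record.values())


if __name__ == "__main__":
    set_user_password("alice", "correct horse battery", "correct horse battery")
    print(USERS["alice"])                                               # salt + hash only
    print(verify_user_password("alice", "correct horse battery"))       # True
    print(record_contains_plaintext("alice", "correct horse battery"))  # False
```

Because the salt is random per record, two users who choose the same password get different stored hashes, so a leaked table does not reveal shared passwords, and the slow derivation limits offline guessing. The transport half of the original snippet is out of scope here: the credential should be sent in a POST body over TLS rather than in `$_GET`, so it never lands in URLs, referrers or access logs.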
Scores and severities marked (AI) are flagged on the page as AI-estimated rather than taken from the CVE record.

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-64122 | Nuvation Energy Multi-Stack Controller Private Key Stored on Device | Multi-Stack Controller (MSC) | 7.5 | - | 2026-01-02
CVE-2021-47741 | ZBL EPON ONU Broadband Router V100R001 Privilege Escalation via Configuration Endpoint | ZBL EPON ONU Broadband Router | 7.5 | High | 2025-12-31
CVE-2021-47726 | NuCom 11N Wireless Router 5.07.90 Privilege Escalation via Configuration Backup | NuCom 11N Wireless Router | 7.5 | High | 2025-12-31
CVE-2025-66029 | Open OnDemand affected by Apache proxy passing sensitive headers | ondemand | 7.6 | High | 2025-12-17
CVE-2025-14148 | IBM DevOps Deploy is susceptible to a Insufficiently Protected Credentials vulnerability | UCD - IBM DevOps Deploy | 6.5 | Medium | 2025-12-15
CVE-2025-58130 | Apache Fineract: Server Key not masked | Apache Fineract | 9.1 (AI) | Critical (AI) | 2025-12-12
CVE-2020-36896 | QiHang Media Web Digital Signage 3.0.9 Cleartext Credentials Disclosure | QiHang Media Web Digital Signage | 8.4 (AI) | High (AI) | 2025-12-10
CVE-2025-64898 | ColdFusion \| Insufficiently Protected Credentials (CWE-522) | ColdFusion | 4.3 | Medium | 2025-12-09
CVE-2025-13164 | Digiwin\|EasyFlow GP - Insufficiently Protected Credentials | EasyFlow GP | 4.9 | Medium | 2025-11-17
CVE-2025-13163 | Digiwin\|EasyFlow GP - Insufficiently Protected Credentials | EasyFlow GP | 4.9 | Medium | 2025-11-17
CVE-2025-36096 | AIX Insufficiently Protected Credentials | AIX | 9.0 | Critical | 2025-11-13
CVE-2025-6571 | AXIS OS security vulnerability | AXIS OS | 6.0 | Medium | 2025-11-11
CVE-2025-42897 | Information Disclosure vulnerability in SAP Business One (SLD) | SAP Business One (SLD) | 5.3 | Medium | 2025-11-11
CVE-2025-12636 | Ubia Ubox | Ubox Android | 6.5 | Medium | 2025-11-06
CVE-2025-54863 | Insufficiently Protected Credentials in Radiometrics VizAir | VizAir | 10.0 | Critical | 2025-11-04
CVE-2025-12461 | Unprotected access to parts of the application in Epsilon RH by Grupo Castilla | Epsilon RH | 5.3 (AI) | Medium (AI) | 2025-10-29
CVE-2025-62794 | GitHub Workflow Updater stored the optional Github token in plaintext | github-workflow-updater-extension | 3.8 | Low | 2025-10-28
CVE-2025-54808 | Oxford Nanopore Technologies MinKNOW Insufficiently Protected Credentials | MinKNOW | 7.8 | High | 2025-10-23
CVE-2024-42192 | HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a credential leakage | Traveler for Microsoft Outlook | 5.5 | Medium | 2025-10-16
CVE-2025-62157 | Argo Workflows exposes artifact repository credentials in workflow-controller logs | argo-workflows | 8.1 (AI) | High (AI) | 2025-10-14
CVE-2025-61776 | Dependency-Track possibly discloses private NuGet repository credentials to api.nuget.org | dependency-track | 4.7 | Medium | 2025-10-07
CVE-2025-37728 | Kibana Insufficiently Protected Credentials in the CrowdStrike Connector | Kibana | 5.4 | Medium | 2025-10-07
CVE-2025-27231 | LDAP 'Bind password' field value can be leaked by a Zabbix Super Admin | Zabbix | 4.9 | - | 2025-10-03
CVE-2025-34207 | Vasion Print (formerly PrinterLogic) Insecure SSH Client Configuration | Print Virtual Appliance Host | 9.8 (AI) | Critical (AI) | 2025-09-29
CVE-2025-10880 | Insufficiently Protected Credentials in Dingtian DT-R002 | DT-R002 | 7.5 (AI) | High (AI) | 2025-09-25
CVE-2025-10879 | Insufficiently Protected Credentials in Dingtian DT-R002 | DT-R002 | 5.3 (AI) | Medium (AI) | 2025-09-25
CVE-2025-40838 | Ericsson Indoor Connect 8855 - Insufficiently Protected Credentials Vulnerability | Indoor Connect 8855 | 7.5 (AI) | High (AI) | 2025-09-25
CVE-2025-10360 | Insufficiently Protected Credentials in Puppet Enterprise 2025.4 and 2025.5 | Puppet Enterprise | 4.4 (AI) | Medium (AI) | 2025-09-24
CVE-2025-54467 | NeuVector process with sensitive arguments lead to leakage | neuvector | 5.3 | Medium | 2025-09-17
CVE-2025-23342 | NVIDIA NVDebug security vulnerability | NVDebug tool | 8.2 | High | 2025-09-09

Vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials) represent 373 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.