
CWE-522 (Insufficiently Protected Credentials) — Vulnerability Class 373

373 vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials). AI Chinese analysis included.

CWE-522 represents a critical security weakness where authentication credentials are transmitted or stored using insecure methods, leaving them vulnerable to unauthorized interception or retrieval. Attackers typically exploit this flaw by employing network sniffing tools to capture unencrypted data in transit or by accessing poorly secured local storage to extract plaintext passwords. This exposure allows malicious actors to gain unauthorized access to user accounts, bypassing intended security controls and compromising system integrity. To prevent such vulnerabilities, developers must implement robust cryptographic standards, ensuring that all credentials are protected in transit by protocols such as TLS and at rest by strong, salted password-hashing algorithms. Additionally, adhering to the principle of least privilege and regularly auditing authentication mechanisms helps mitigate the risk of credential theft, ensuring that sensitive data remains protected against common interception techniques.

MITRE CWE Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Common Consequences (1)
Scope: Access Control
Impact: Gain Privileges or Assume Identity
An attacker could gain access to user accounts and access sensitive data used by the user accounts.

Mitigations (3)
Phase: Architecture and Design
Use an appropriate security mechanism to protect the credentials.
Phase: Architecture and Design
Make appropriate use of cryptography to protect the credentials.
Phase: Implementation
Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Examples (2)
This code changes a user's password. The new password is taken from the query string of a GET request, so it is exposed in browser history, proxy and web-server access logs, and Referer headers.

```php
// Bad: credentials arrive in the URL query string of a GET request and are
// therefore recorded in logs and history along the whole request path.
$user = $_GET['user'];
$pass = $_GET['pass'];
$checkpass = $_GET['checkpass'];
if ($pass == $checkpass) {
    SetUserPassword($user, $pass);
}
```
Bad · PHP

The following code reads a password from a properties file and uses the password to connect to a database. The password sits in plaintext in config.properties, so anyone who can read the file (or a backup or repository copy of it) recovers the database credential.

```java
import java.io.FileInputStream;
import java.sql.DriverManager;
import java.util.Properties;

...
// Bad: the database password is stored unprotected in a plaintext properties file.
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = prop.getProperty("password");
DriverManager.getConnection(url, usr, password);
...
```
Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-42933 | Insecure Storage of Sensitive Information in SAP Business One (SLD) | SAP Business One (SLD) | 8.8 | High | 2025-09-09
CVE-2025-41682 | Credential Disclosure via Insecure Storage on Charge Controller | CC612 | 8.8 | High | 2025-09-08
CVE-2025-58366 | Onyxia private helm repository credentials are leaked through unauthenticated API | onyxia | 9.1 AI | Critical AI | 2025-09-05
CVE-2025-52549 | Predictable root linux password generation | E3 Supervisory Control | 9.8 AI | Critical AI | 2025-09-02
CVE-2025-52545 | Privilege escalation in the application services | E3 Supervisory Control | 9.1 AI | Critical AI | 2025-09-02
CVE-2025-6519 | Consistent predictable generation of the password for the default admin user "ONEDAY" to the application services | E3 Supervisory Control | 9.8 AI | Critical AI | 2025-09-02
CVE-2025-55306 | GenX_FX authentication bypass in JWT validation | GenX_FX | 9.8 | Critical | 2025-08-19
CVE-2025-40751 | Siemens SIMATIC RTLS Locating Manager security vulnerability | SIMATIC RTLS Locating Manager | 6.3 | Medium | 2025-08-12
CVE-2025-54882 | Himmelblau's Kerberos credential cache collection is world readable | himmelblau | 7.1 | High | 2025-08-07
CVE-2025-54876 | Jans CLI stores plaintext passwords in the local cli_cmd.log file | jans | 5.5 AI | Medium AI | 2025-08-05
CVE-2025-38739 | Dell Digital Delivery security vulnerability | Dell Digital Delivery | 7.2 | High | 2025-08-04
CVE-2025-53008 | GLPI's MailCollector Receiver is vulnerable to credential exfiltration | glpi | 6.5 | Medium | 2025-07-30
CVE-2025-5922 | Retrievable password hash protecting TSplus admin console | TSplus Remote Access | 8.8 AI | High AI | 2025-07-29
CVE-2025-54428 | RevelaCode exposes Sensitive MongoDB Atlas URI in .env (potential credential leak) | RevelaCode-Backend | 9.8 | Critical | 2025-07-28
CVE-2025-34139 | Sitecore XM/XP/XC and Managed Cloud 8.0 - 10.4 Arbitrary File Read | Experience Manager (XM) | 7.5 | - | 2025-07-25
CVE-2025-6227 | Invite token is used as part of the secure communication | Mattermost | 2.2 | Low | 2025-07-18
CVE-2025-34078 | NSClient++ 0.5.2.35 Local Privilege Escalation via ExternalScripts and Web Interface | NSClient++ | 7.8 AI | High AI | 2025-07-02
CVE-2025-6081 | Pass-back attack in Konica Minolta bizhub 227 multifunctional printers | bizhub 227 Multifunction printers | 6.8 | Medium | 2025-07-01
CVE-2024-49364 | tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment | tiny-secp256k1 | 7.5 AI | High AI | 2025-07-01
CVE-2024-51984 | Authenticated disclosure of external service passwords via pass-back attack affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc. | HL-L8260CDN | 6.8 | Medium | 2025-06-25
CVE-2025-6526 | 70mai M300 HTTP Server insufficiently protected credentials | M300 | 3.1 | Low | 2025-06-23
CVE-2025-30183 | CyberData 011209 SIP Emergency Intercom Insufficiently Protected Credentials | 011209 SIP Emergency Intercom | 7.5 | High | 2025-06-09
CVE-2024-47081 | Requests vulnerable to .netrc credentials leak via malicious URLs | requests | 5.3 | Medium | 2025-06-09
CVE-2025-3480 | MedDream WEB DICOM Viewer Cleartext Transmission of Credentials Information Disclosure Vulnerability | WEB DICOM Viewer | 6.5 AI | Medium AI | 2025-05-22
CVE-2025-3079 | Canon ImageRunner security vulnerability | imageRUNNER Series | 8.7 | High | 2025-05-19
CVE-2025-3078 | Canon ImageRunner security vulnerability | imageRUNNER ADVANCE Series | 8.7 | High | 2025-05-19
CVE-2025-4679 | Synology Active Backup security vulnerability | Active Backup for Microsoft 365 | 6.5 | Medium | 2025-05-16
CVE-2025-2772 | BEC Technologies Multiple Routers Insufficiently Protected Credentials Information Disclosure Vulnerability | Multiple Routers | 6.5 | - | 2025-04-23
CVE-2025-32963 | Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS | operator | 9.9 | - | 2025-04-22
CVE-2025-22372 | Insecure password storage in SicommNet BASEC | BASEC | 6.5 AI | Medium AI | 2025-04-14

Scores and severities marked "AI" carry the page's AI badge; "-" means no severity was given.

Vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials) represent 373 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.