
CWE-522 (Insufficiently Protected Credentials) — Vulnerability Class 373

373 vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials). AI-generated analysis in Chinese included.

CWE-522 represents a critical security weakness where authentication credentials are transmitted or stored using insecure methods, leaving them vulnerable to unauthorized interception or retrieval. Attackers typically exploit this flaw by using network sniffing tools to capture unencrypted data in transit or by accessing poorly secured local storage to extract plaintext passwords. This exposure lets malicious actors gain unauthorized access to user accounts, bypassing the intended security controls and compromising system integrity. To prevent such vulnerabilities, developers must apply robust cryptographic standards, ensuring that credentials are protected both in transit, using protocols like TLS, and at rest, using strong password-hashing algorithms. Additionally, adhering to the principle of least privilege and regularly auditing authentication mechanisms helps mitigate the risk of credential theft, keeping sensitive data protected against common interception techniques.

MITRE CWE Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
Mitigations (3)
Architecture and Design: Use an appropriate security mechanism to protect the credentials.
Architecture and Design: Make appropriate use of cryptography to protect the credentials.
Implementation: Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Examples (2)
This code changes a user's password.
    $user = $_GET['user'];            // credentials taken from the query string, so they appear in URLs and server logs
    $pass = $_GET['pass'];
    $checkpass = $_GET['checkpass'];
    if ($pass == $checkpass) {
        SetUserPassword($user, $pass);   // the new password is passed on in plaintext
    }
Bad · PHP
The following code reads a password from a properties file and uses the password to connect to a database.
    ...
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");   // plaintext database password read from an on-disk properties file
    DriverManager.getConnection(url, usr, password);
    ...
Bad · Java
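As an added example (not code from this page or from MITRE's CWE entry), the following Python shows the two protections the description and the mitigations call for: passwords kept at rest only as salted PBKDF2-HMAC-SHA256 hashes with constant-time verification (the hardened counterpart of the PHP example above, which hands the password on in plaintext), and a small check that flags literal credential values in a properties file like the one the Java example reads. The sample properties contents, the key-name patterns and the `${VAR}` / `vault:` conventions for references to an external secret store are constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# PBKDF2 parameters chosen for this example (assumption: tune the iteration
# count to your hardware; higher is slower for attackers and for you alike).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    Only this record is stored; the password itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), hash_hex)


# In-memory stand-in for a user table; it holds hash records only.
USERS: Dict[str, str] = {}


def set_user_password(user: str, password: str, confirm: str) -> bool:
    """Hardened counterpart of the CWE PHP example: the caller is expected to take
    the values from a POST body over TLS (never the query string), and only the
    salted hash reaches storage."""
    if password != confirm or not password:
        return False
    USERS[user] = hash_password(password)
    return True


# Keys whose literal values would be a plaintext credential in a properties file
# (constructed pattern; extend to match your own naming conventions).
SECRET_KEY_RE = re.compile(
    r"^(?P<key>[\w.-]*(?:password|passwd|pwd|secret|api[_-]?key|token))\s*=\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def find_plaintext_credentials(properties_text: str) -> List[Tuple[int, str]]:
    """Return (line number, key) for every line that stores a credential as a literal.

    Values that reference an environment variable (${VAR}) or an external secret
    store (vault:...) are assumed to be resolved at runtime and are not reported.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(properties_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        m = SECRET_KEY_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip()
        if not value or value.startswith("${") or value.startswith("vault:"):
            continue
        findings.append((lineno, m.group("key")))
    return findings


# Constructed sample config.properties, mirroring the CWE Java example.
SAMPLE_PROPERTIES = """\
# constructed sample config.properties
db.url=jdbc:postgresql://db.example.invalid/app
db.user=app
db.password=Summer2024!
api_key=${API_KEY}
"""

if __name__ == "__main__":
    set_user_password("alice", "correct horse battery staple", "correct horse battery staple")
    print("stored record:", USERS["alice"])
    print("login ok:", verify_password("correct horse battery staple", USERS["alice"]))
    print("plaintext credentials:", find_plaintext_credentials(SAMPLE_PROPERTIES))
```

A finding from `find_plaintext_credentials` is the cue to move the value into a keystore or secret manager and leave only a reference in the file, which is what the "use industry standards (keystore, etc.)" mitigation means in practice.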
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2025-27192 | Adobe Commerce | Insufficiently Protected Credentials (CWE-522) — Adobe Commerce | 2.7 | Low | 2025-04-08
CVE-2025-26628 | Azure Local Cluster Information Disclosure Vulnerability — Azure Local Cluster | 7.3 | High | 2025-04-08
CVE-2025-2908 | Insufficiently Protected Credentials vulnerability in MeetMe products — MeetMe | 7.5 | - | 2025-03-28
CVE-2024-47109 | IBM Sterling File Gateway information disclosure — Sterling File Gateway | 5.3 | Medium | 2025-03-10
CVE-2025-1886 | Pass-Back vulnerability in Sage 200 Spain — Sage 200 Spain | 4.9 | - | 2025-03-07
CVE-2024-12799 | Insufficiently Protected Credentials — Identity Manager Advanced Edition | 9.1 | - | 2025-03-05
CVE-2024-41771 | IBM Engineering Requirements Management DOORS Next information disclosure — Engineering Requirements Management DOORS Next | 7.5 | High | 2025-03-03
CVE-2024-41770 | IBM Engineering Requirements Management DOORS Next information disclosure — Engineering Requirements Management DOORS Next | 7.5 | High | 2025-03-03
CVE-2025-0760 | Stored Credential Disclosure Vulnerability — Tenable Identity Exposure | 2.7 | Low | 2025-02-25
CVE-2024-37362 | Hitachi Vantara Pentaho Data Integration & Analytics - Insufficiently Protected Credentials — Pentaho Data Integration & Analytics | 6.3 | Medium | 2025-02-19
CVE-2025-0867 | Privilege Escalation in MEAC300 — SICK MEAC300 | 9.9 | Critical | 2025-02-14
CVE-2025-26492 | JetBrains TeamCity Security Vulnerability — TeamCity | 7.7 | High | 2025-02-11
CVE-2025-0477 | Rockwell Automation FactoryTalk® AssetCentre Data Exposure Vulnerability — FactoryTalk® AssetCentre | 7.5 | - | 2025-01-30
CVE-2025-0497 | Rockwell Automation FactoryTalk® AssetCentre Data Exposure Vulnerability — FactoryTalk® AssetCentre | 6.5 | - | 2025-01-30
CVE-2025-0498 | Rockwell Automation FactoryTalk® AssetCentre Data Exposure Vulnerability — FactoryTalk® AssetCentre | 8.2 | - | 2025-01-30
CVE-2025-0619 | Unsafe stored password recovery — M-Files Server | 4.9 | - | 2025-01-23
CVE-2025-23040 | Maliciously crafted remote URLs could lead to credential leak in GitHub Desktop — desktop | 6.6 | Medium | 2025-01-15
CVE-2024-46480 | Venki Supravizio BPM Security Vulnerability — Supravizio BPM | 8.4 | High | 2025-01-13
CVE-2024-56354 | JetBrains TeamCity Security Vulnerability — TeamCity | 5.5 | Medium | 2024-12-20
CVE-2022-33954 | IBM Robotic Process Automation information disclosure — Robotic Process Automation | 4.6 | Medium | 2024-12-19
CVE-2024-53832 | Siemens CPCI85 Central Processing Security Vulnerability — CPCI85 Central Processing/Communication | 4.6 | Medium | 2024-12-10
CVE-2024-51545 | Username Enumeration — ASPECT-Enterprise | 10.0 | Critical | 2024-12-05
CVE-2024-11856 | HPE IceWall Products, Remote Unauthorized Data Modification — HPE IceWall | 3.7 | Low | 2024-12-02
CVE-2019-17082 | OpenText AccuRev Security Vulnerability — AccuRev | 9.8 (AI) | Critical (AI) | 2024-11-26
CVE-2024-6749 | AXIS Camera Station Pro Security Vulnerability — AXIS Camera Station Pro | 6.3 | Medium | 2024-11-26
CVE-2024-47142 | AIPHONE IXG SYSTEM Security Vulnerability — IXG-2C7 | 8.0 | - | 2024-11-22
CVE-2024-39290 | AIPHONE IX SYSTEM and AIPHONE IXG SYSTEM Security Vulnerability — IX-MV | 8.1 | - | 2024-11-22
CVE-2021-1232 | Cisco SD-WAN vManage Information Disclosure Vulnerability — Cisco Catalyst SD-WAN Manager | 6.5 | Medium | 2024-11-18
CVE-2022-45157 | Exposure of vSphere's CPI and CSI credentials in Rancher — rancher | 9.1 | Critical | 2024-11-13
CVE-2024-47588 | Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager) — SAP NetWeaver Java (Software Update Manager) | 4.7 | Medium | 2024-11-12

Vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials) account for 373 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.