CWE-522 (Insufficiently Protected Credentials) — Vulnerability Class 374

374 vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials). AI Chinese analysis included.

CWE-522 is a critical security weakness in which authentication credentials are transmitted or stored by an insecure method, leaving them exposed to unauthorized interception or retrieval. Attackers typically exploit this flaw by using network sniffing tools to capture unencrypted data in transit, or by reading poorly secured local storage to recover plaintext passwords. Either path lets an attacker take over user accounts, bypassing the intended access controls and compromising system integrity. To prevent such vulnerabilities, developers must apply robust cryptographic standards: protect credentials in transit with protocols such as TLS, and protect stored passwords with strong, salted password-hashing algorithms rather than plaintext or reversible encoding. Applying the principle of least privilege and regularly auditing authentication mechanisms further reduces the risk of credential theft and keeps sensitive data protected against common interception techniques.

MITRE CWE Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
An attacker could gain access to user accounts and access sensitive data used by the user accounts.

Mitigations (3)
Architecture and Design: Use an appropriate security mechanism to protect the credentials.
Architecture and Design: Make appropriate use of cryptography to protect the credentials.
Implementation: Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Examples (2)
This code changes a user's password.

    // Bad: the new password is taken from the query string of a GET request,
    // so it is exposed in the URL, browser history, proxy and web server
    // access logs, and potentially the Referer header sent to other sites.
    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $checkpass = $_GET['checkpass'];
    if ($pass == $checkpass) {
        SetUserPassword($user, $pass);
    }

Bad · PHP
The following code reads a password from a properties file and uses the password to connect to a database.

    import java.io.FileInputStream;
    import java.sql.DriverManager;
    import java.util.Properties;

    ...
    // Bad: the database password is stored in plaintext in config.properties,
    // so anyone who can read that file recovers the credential.
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...

Bad · Java
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-27109 | Insufficiently protected credentials in GE HealthCare EchoPAC products | EchoPAC Software Only | 7.6 | High | 2024-05-14
CVE-2024-33497 | Siemens multiple products security vulnerability | SIMATIC RTLS Locating Manager | 6.3 | Medium | 2024-05-14
CVE-2024-33496 | Siemens multiple products security vulnerability | SIMATIC RTLS Locating Manager | 6.3 | Medium | 2024-05-14
CVE-2024-22345 | IBM TXSeries for Multiplatforms information disclosure | TXSeries for Multiplatforms | 6.2 | Medium | 2024-05-10
CVE-2024-23551 | HCL BigFix Compliance is potentially affected by Oracle database credentials stored at endpoint | BigFix Compliance | 6.5 | Medium | 2024-05-07
CVE-2023-37400 | IBM Aspera Faspex privilege escalation | Aspera Faspex | 7.8 | High | 2024-04-19
CVE-2024-29992 | Azure Identity Library for .NET Information Disclosure Vulnerability | Azure Identity Library for .NET | 5.5 | Medium | 2024-04-09
CVE-2023-41677 | Fortinet FortiProxy security vulnerability | FortiOS | 7.5 | High | 2024-04-09
CVE-2023-50311 | IBM CICS Transaction Gateway for Multiplatforms information disclosure | CICS Transaction Gateway for Multiplatforms | 3.1 | Low | 2024-03-31
CVE-2021-38938 | IBM Host Access Transformation Services information disclosure | Host Access Transformation Services | 6.2 | Medium | 2024-03-15
CVE-2024-0368 | Hustle <= 7.8.3 - Sensitive Information Exposure via Exposed Hubspot API Keys | Hustle – Email Marketing, Lead Generation, Optins, Popups | 8.6 | High | 2024-03-13
CVE-2024-28110 | Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials | sdk-go | 7.5 | High | 2024-03-06
CVE-2024-21815 | Gallagher Command Centre security vulnerability | Command Centre Server | 9.1 | Critical | 2024-03-05
CVE-2023-6259 | Local Access to Sensitive Data in Brivo ACS100 and ACS300 | ACS100, ACS300 | 7.1 | High | 2024-02-19
CVE-2023-4538 | Shared Key in Comarch ERP XL | ERP XL | 6.2 | Medium | 2024-02-15
CVE-2023-27975 | Schneider Electric Modicon M340 security vulnerability | EcoStruxure Control Expert | 7.1 | High | 2024-02-14
CVE-2024-23306 | BIG-IP Next CNF & SPK vulnerability | BIG-IP Next SPK | 7.1 | High | 2024-02-14
CVE-2022-34311 | IBM CICS TX session fixation | CICS TX Standard | 4.3 | Medium | 2024-02-12
CVE-2023-50291 | Apache Solr: System Property redaction logic inconsistency can lead to leaked passwords | Apache Solr | 7.5 | - | 2024-02-09
CVE-2024-24595 | Allegro AI ClearML security vulnerability | ClearML | 6.0 | Medium | 2024-02-05
CVE-2023-29055 | Apache Kylin: Insufficiently protected credentials in config file | Apache Kylin | 9.8 | - | 2024-01-29
CVE-2023-29447 | Insufficiently Protected Credentials in PTC's Kepware KEPServerEX | Kepware KEPServerEX | 5.7 | Medium | 2024-01-10
CVE-2023-32268 | Administrator equivalent Filr user can access proxy administrator credentials | Filr | 7.2 | High | 2023-12-06
CVE-2023-49280 | Data leak of password hash through xwiki change request | application-changerequest | 7.7 | High | 2023-12-04
CVE-2023-6254 | Password is send back to client | OTRS | 8.1 | High | 2023-11-27
CVE-2023-26221 | TIBCO Spotfire Insufficiently Protected Credential vulnerability | Spotfire Analyst | 5.0 | Medium | 2023-11-08
CVE-2023-23370 | QVPN Device Client | QVPN Windows | 6.7 | Medium | 2023-10-06
CVE-2023-44158 | Acronis Cyber Protect security vulnerability | Acronis Cyber Protect 15 | 7.5 | - | 2023-09-27
CVE-2023-43631 | SSH as Root Unlockable Without Triggering Measured Boot | EVE OS | 8.8 | High | 2023-09-21
CVE-2023-43633 | Debug Functions Unlockable Without Triggering Measured Boot | EVE OS | 8.8 | High | 2023-09-21

Vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials) represent 374 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.