
CWE-522 (Insufficiently Protected Credentials): vulnerability class, 374 CVEs

374 vulnerabilities are classified as CWE-522 (Insufficiently Protected Credentials). AI-generated analysis (in Chinese) included.

CWE-522 covers products that transmit or store authentication credentials in a way that lets an attacker intercept or retrieve them: passwords sent in cleartext or carried in URL query strings, database passwords left in plaintext configuration files, tokens that end up in logs or diagnostic dumps, unsalted password digests, and clients that hand credentials to a server whose identity they never verified. Whoever obtains the credential can then act as that user, bypassing whatever access control sits in front of the account. The fixes follow the exposure path. In transit, send credentials only over an authenticated TLS channel (verify the server certificate; a client that accepts unencrypted bytes from a man-in-the-middle is still exposed) and never in URLs, which are written to browser history, proxy and server logs and Referer headers. At rest, distinguish two cases: passwords the system only needs to check should be stored as salted hashes from a slow, memory-hard password hashing function (scrypt, bcrypt, Argon2 or PBKDF2), not reversibly encrypted and not run through a bare SHA-1 or MD5; secrets the system must recover (database passwords, API keys, service tokens) belong in a keystore or secret manager with tight access control, not in world-readable config files or support bundles. Rotate any credential known to have been exposed, apply least privilege so a stolen credential opens as little as possible, and audit the authentication paths periodically for these patterns.

MITRE CWE Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
Mitigations (3)
Architecture and Design: Use an appropriate security mechanism to protect the credentials.
Architecture and Design: Make appropriate use of cryptography to protect the credentials.
Implementation: Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Examples (2)
This code changes a user's password. The credentials travel in the URL query string of a GET request, so they are recorded in browser history, proxy and web-server access logs, and any Referer header the page later emits.

    <?php
    // Password and confirmation arrive as GET query parameters (CWE-522:
    // credentials exposed in URLs, logs and history).
    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $checkpass = $_GET['checkpass'];
    if ($pass == $checkpass) {
        // The new password is written as received; nothing else is checked.
        SetUserPassword($user, $pass);
    }

Bad · PHP
The following code reads a password from a properties file and uses the password to connect to a database. The password sits in plaintext on disk, readable by anyone with access to the file or to a backup or support bundle that contains it.

    ...
    Properties prop = new Properties();
    // config.properties holds the database password in plaintext.
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...

Bad · Java
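The following is an added example, not MITRE's code and not taken from any product listed on this page. It stands in for the SetUserPassword() call in the PHP example and for the "strong hashing at rest" mitigation: the server keeps only a per-user salted scrypt hash and compares in constant time, so a leaked user table yields neither the passwords nor cross-user matches. The unsalted_digest() function is included only to show what the weak form leaks; the in-memory USERS dict, the cost parameters and the sample passwords are constructed for the example.

```python
"""Password storage that is not CWE-522: salted, memory-hard hash, constant-time check.

Added example (not MITRE's or any listed project's code). USERS and the scrypt
parameters below are constructed stand-ins for a real user store and policy.
"""
import hashlib
import hmac
import secrets

# scrypt cost parameters (constructed defaults for the example; raise N in
# production until one verification costs roughly 100 ms on your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

USERS = {}  # username -> encoded hash record (constructed in-memory store)


def unsalted_digest(password: str) -> str:
    """The weak pattern: a bare digest. Identical passwords collide across
    users, and precomputed tables recover them from a leaked dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt and hash."""
    salt = secrets.token_bytes(16)  # fresh random salt per record
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record, compare in constant time."""
    try:
        algo, n, r, p, salt_hex, dk_hex = record.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record or parameters: fail closed
    return hmac.compare_digest(dk, expected)


# Record used to burn the same hashing cost for unknown users (see login()).
_DUMMY_RECORD = hash_password("constructed-dummy-password")


def set_user_password(user: str, new: str, confirm: str, min_len: int = 12) -> bool:
    """Server-side counterpart of the PHP example's SetUserPassword(): stores
    only the hash, and enforces the confirmation match and a minimum length
    here instead of trusting the client."""
    if new != confirm or len(new) < min_len:
        return False
    USERS[user] = hash_password(new)
    return True


def login(user: str, password: str) -> bool:
    """Authenticate; unknown users pay the same scrypt cost so timing does not
    reveal which usernames exist."""
    record = USERS.get(user)
    if record is None:
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    set_user_password("alice", "correct horse battery", "correct horse battery")
    print(USERS["alice"])
    print(login("alice", "correct horse battery"), login("alice", "wrong horse battery"))
```

The record format is self-describing, so the cost parameters can be raised later and old records re-hashed on the next successful login. Note that this only covers credentials the server merely needs to check; a secret the application must hand to another system, such as the database password in the Java example, cannot be hashed and has to live in a keystore or secret manager instead.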
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-43634 | Config Partition Not Protected by Measured Boot | EVE OS | 8.8 | High | 2023-09-21 |
| CVE-2023-43635 | Vault Key Sealed With SHA1 PCRs | EVE OS | 8.8 | High | 2023-09-20 |
| CVE-2023-43630 | Config Partition Not Measured From 2 Fronts | EVE OS | 8.8 | High | 2023-09-20 |
| CVE-2023-25532 | NVIDIA DGX security vulnerability | DGX H100 BMC | 6.5 | Medium | 2023-09-20 |
| CVE-2023-25531 | NVIDIA DGX security vulnerability | DGX H100 BMC | 7.6 | High | 2023-09-20 |
| CVE-2023-3251 | Pass-back vulnerability in Nessus | Nessus | 4.1 | Medium | 2023-08-29 |
| CVE-2023-40173 | Unsalted passwords in fobybus/social-media-skeleton | social-media-skeleton | 7.5 | High | 2023-08-18 |
| CVE-2023-4328 | Broadcom RAID Controller web interface is vulnerable to exposure of sensitive data and the keys used for encryption are accessible to any local user on Linux | LSI Storage Authority (LSA) | 5.5 | - | 2023-08-15 |
| CVE-2023-4327 | Broadcom RAID Controller web interface is vulnerable to exposure of sensitive data and the keys used for encryption are accessible to any local user on Linux | LSI Storage Authority (LSA) | 5.5 | - | 2023-08-15 |
| CVE-2023-37362 | Weintek Weincloud Improper Authentication | Weincloud | 7.2 | High | 2023-07-19 |
| CVE-2023-35348 | Active Directory Federation Service Security Feature Bypass Vulnerability | Windows Server 2019 | 6.5 | Medium | 2023-07-11 |
| CVE-2023-29168 | PTC Vuforia Studio Insufficiently Protected Credentials | Vuforia Studio | 3.7 | Low | 2023-06-07 |
| CVE-2023-31187 | Avaya IX Workforce Engagement - CWE-522: Insufficiently Protected Credentials | IX Workforce Engagement | 6.5 | Medium | 2023-05-30 |
| CVE-2023-32687 | Insufficiently Protected ChatBot Credentials in tgstation-server | tgstation-server | 7.7 | High | 2023-05-29 |
| CVE-2023-31136 | PostgresNIO processes unencrypted bytes from man-in-the-middle | postgres-nio | 3.7 | Low | 2023-05-09 |
| CVE-2023-28764 | Information Disclosure vulnerability in SAP BusinessObjects Platform | SAP BusinessObjects Platform | 3.7 | Low | 2023-05-09 |
| CVE-2023-24506 | Milesight NCR/Camera CWE-522: Insufficiently Protected Credentials | NCR/Camera | 7.5 | High | 2023-05-08 |
| CVE-2022-45859 | Fortinet FortiNAC security vulnerability | FortiNAC | 3.9 | Medium | 2023-05-03 |
| CVE-2023-25495 | Lenovo XClarity Controller security vulnerability | XClarity Controller | 4.9 | Medium | 2023-04-28 |
| CVE-2023-30846 | typed-rest-client vulnerable to potential leak of authentication data to 3rd parties | typed-rest-client | 9.1 | Critical | 2023-04-26 |
| CVE-2023-28084 | HPE OneView and HPE OneView Global Dashboard appliance dumps may expose authentication tokens | HPE OneView | 7.5 | - | 2023-04-25 |
| CVE-2023-30776 | Apache Superset: Database connection password leak | Apache Superset | 4.9 | Medium | 2023-04-24 |
| CVE-2022-48433 | JetBrains IntelliJ IDEA security vulnerability | IntelliJ IDEA | 6.1 | Medium | 2023-03-29 |
| CVE-2023-1518 | CP Plus KVMS Pro security vulnerability | KVMS Pro | 7.8 | High | 2023-03-28 |
| CVE-2022-40678 | Fortinet FortiNAC security vulnerability | FortiNAC | 7.4 | High | 2023-02-16 |
| CVE-2023-23463 | Sunell DVR – Insufficiently Protected Credentials | DVR | 5.3 | Medium | 2023-02-15 |
| CVE-2023-24498 | Netgear ProSAFE 24 Port 10/100 FS726TP - CWE-522: Insufficiently Protected Credentials. | ProSAFE 24 Port 10/100 FS726TP | 7.5 | High | 2023-02-15 |
| CVE-2022-32518 | Schneider Electric StruxureWare Data Center Expert security vulnerability | Data Center Expert | 8.0 | High | 2023-01-30 |
| CVE-2022-32520 | Schneider Electric StruxureWare Data Center Expert security vulnerability | Data Center Expert | 8.0 | High | 2023-01-30 |
| CVE-2022-23538 | User credentials leaked to third-party service via HTTP redirect in scs-library-client | scs-library-client | 5.2 | Medium | 2023-01-17 |
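Two rows in the table, CVE-2023-30846 (typed-rest-client) and CVE-2022-23538 (scs-library-client), describe credentials reaching a third party, and the second names an HTTP redirect as the path. The following is an added example of the client-side check that prevents that class of leak; it is not code from either project and makes no claim about how either CVE was exploited beyond what the titles state. The client follows 3xx responses but re-sends Authorization, Proxy-Authorization and Cookie only while the request stays on the original scheme, host and port and is not downgraded to http. The transport callable, the hostnames and the token are constructed for the example.

```python
"""Do not forward credentials across origins when following redirects.

Added example; not code from typed-rest-client, scs-library-client or any other
listed project. `transport` is a constructed stand-in for a real HTTP library.
"""
from urllib.parse import urljoin, urlsplit

CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, port) with default ports filled in; userinfo is ignored."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def headers_for_redirect(from_url, to_url, headers):
    """Headers to send to to_url. Credential headers survive only a hop that
    stays on the same origin and does not drop from https to http."""
    src, dst = origin(from_url), origin(to_url)
    downgrade = src[0] == "https" and dst[0] != "https"
    if src == dst and not downgrade:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def follow_redirects(url, headers, transport, max_redirects=5):
    """transport(url, headers) -> (status, response_headers).
    Returns (final_status, final_url). Credentials stripped on a cross-origin
    hop are deliberately not restored if a later hop returns to the origin."""
    headers = dict(headers)
    for _ in range(max_redirects + 1):
        status, resp = transport(url, headers)
        location = next((v for k, v in resp.items() if k.lower() == "location"), None)
        if status not in REDIRECT_STATUSES or location is None:
            return status, url
        target = urljoin(url, location)  # resolves relative Location values
        headers = headers_for_redirect(url, target, headers)
        url = target
    raise RuntimeError("too many redirects")


def run_demo():
    """Constructed exchange: the API redirects a file download to a storage
    host on another origin, and a same-origin relative redirect for /v1/me.
    Returns the headers each URL received plus the final statuses."""
    received = {}

    def transport(url, headers):
        received[url] = dict(headers)
        if url == "https://api.example/v1/file/42":
            return 302, {"Location": "https://blobs.third-party.example/o/42?sig=constructed"}
        if url == "https://api.example/v1/me":
            return 301, {"Location": "/v2/me"}  # relative, stays on api.example
        return 200, {}

    creds = {"Authorization": "Bearer constructed-token", "Accept": "*/*"}
    status_file, _ = follow_redirects("https://api.example/v1/file/42", creds, transport)
    status_me, final_me = follow_redirects("https://api.example/v1/me", creds, transport)
    return {"received": received, "status_file": status_file,
            "status_me": status_me, "final_me": final_me}


if __name__ == "__main__":
    for url, hdrs in run_demo()["received"].items():
        print(url, "->", sorted(hdrs))
```

Comparing the full origin tuple rather than just the hostname matters: a redirect to the same host on a different port, or from https to http on the same host, is a different trust boundary. If a workflow legitimately needs the storage host to authenticate the request, the server should mint a short-lived, URL-scoped credential for that host (as the constructed `?sig=` query parameter suggests) rather than relying on the client to forward its primary token.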

Vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials) account for 374 CVEs. The CWE taxonomy describes the weakness class; review individual CVEs for product-specific impact.