
CWE-522 (Insufficiently Protected Credentials) — Vulnerability Class 374

374 vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials). AI Chinese analysis included.

CWE-522 represents a critical security weakness where authentication credentials are transmitted or stored using insecure methods, leaving them vulnerable to unauthorized interception or retrieval. Attackers typically exploit this flaw by using network sniffing tools to capture unencrypted data in transit or by accessing poorly secured local storage to extract plaintext passwords. This exposure lets malicious actors gain unauthorized access to user accounts, bypassing intended security controls and compromising system integrity. To prevent such vulnerabilities, developers must apply robust cryptographic standards: credentials must be protected in transit by protocols such as TLS, and passwords at rest must be stored only as salted hashes produced by a strong password-hashing algorithm, never in recoverable form. Additionally, adhering to the principle of least privilege and regularly auditing authentication mechanisms helps mitigate the risk of credential theft, keeping sensitive data protected against common interception techniques.

MITRE CWE Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
An attacker could gain access to user accounts and access sensitive data used by the user accounts.

Mitigations (3)
Architecture and Design: Use an appropriate security mechanism to protect the credentials.
Architecture and Design: Make appropriate use of cryptography to protect the credentials.
Implementation: Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).

Examples (2)
This code changes a user's password.

    // The new password is taken from the URL query string, where it may be
    // recorded in browser history, proxy logs and web server access logs.
    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $checkpass = $_GET['checkpass'];
    if ($pass == $checkpass) {
        SetUserPassword($user, $pass);
    }

Bad · PHP

The following code reads a password from a properties file and uses the password to connect to a database.

    ...
    // The database password sits in plaintext in config.properties;
    // anyone able to read that file holds the credential.
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");
    DriverManager.getConnection(url, usr, password);
    ...

Bad · Java
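Hardened counterparts to the two "Bad" snippets above, written as an added example for this page; it is not MITRE's code and not from any of the listed products. It assumes a PBKDF2-HMAC-SHA256 work factor of 600,000 iterations, a 16-byte random salt, a self-describing record layout of the form pbkdf2_sha256$iterations$salt$hash, and a DB_PASSWORD environment variable injected by the deployment platform or a secrets manager; all of these are illustration choices. What lands in storage is a salted hash rather than the plaintext, verification is constant-time, and the database secret is no longer read from a plaintext properties file.

```python
# Added example (not MITRE's or the page's code): hardened versions of the
# password-change and database-credential patterns shown in the Bad examples.
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import secrets
from typing import Mapping

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16               # assumed salt length
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a storage record "pbkdf2_sha256$<iter>$<salt_b64>$<hash_b64>".

    The record carries its own parameters, so the work factor can be raised
    later for new passwords without invalidating records already stored.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (
        SCHEME,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    try:
        scheme, iter_s, salt_b64, hash_b64 = record.split("$")
        iterations = int(iter_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:
        return False                     # malformed record is never a match
    if scheme != SCHEME or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


# Precomputed once so that logins for unknown users burn the same work as
# logins for known users (keeps timing from revealing which accounts exist).
_DUMMY_RECORD = hash_password("")


class CredentialStore:
    """In-memory stand-in for a user table; it holds hash records only."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def set_password(self, user: str, new_pass: str, confirm: str) -> bool:
        # Same "typed twice" check as the PHP example, but the plaintext is
        # hashed before it is stored and never written anywhere as-is.
        if not hmac.compare_digest(new_pass.encode("utf-8"), confirm.encode("utf-8")):
            return False
        self._records[user] = hash_password(new_pass)
        return True

    def check_login(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            verify_password(password, _DUMMY_RECORD)   # equalise timing
            return False
        return verify_password(password, record)

    def stored_record(self, user: str) -> str | None:
        return self._records.get(user)


def load_db_password(env: Mapping[str, str] | None = None,
                     var: str = "DB_PASSWORD") -> str:
    """Read the database password from the process environment, where a
    secrets manager or the deployment platform injects it, instead of from a
    plaintext config.properties on disk. Fails closed when it is missing."""
    source = os.environ if env is None else env
    value = source.get(var)
    if not value:
        raise RuntimeError("%s is not set; refusing to fall back to a plaintext file" % var)
    return value


if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("alice", "correct horse", "correct horse")
    print("stored record:", store.stored_record("alice"))
    print("login ok:", store.check_login("alice", "correct horse"))
    print("wrong password:", store.check_login("alice", "battery staple"))
```

The record format is a deliberate choice: keeping the scheme name and iteration count next to the hash lets you migrate to a higher work factor (or to a different KDF) on the next successful login without a flag day, and a mismatched scheme simply fails verification rather than being silently accepted.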
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2021-36204 | Insufficiently Protected Credentials in Metasys | Metasys ADS/ADX/OAS | 7.8 | High | 2023-01-13
CVE-2016-15014 | CESNET theme-cesnet resetpassword.php insufficiently protected credentials | theme-cesnet | 3.3 | Low | 2023-01-07
CVE-2022-2967 | Prosys OPC UA Simulation Server security vulnerability | UA Simulation Server | 6.5 | Medium | 2023-01-03
CVE-2022-4612 | Click Studios Passwordstate insufficiently protected credentials | Passwordstate | 4.3 | Medium | 2022-12-19
CVE-2022-29839 | Remote Backups Application Discloses Stored Credentials | My Cloud | 4.1 | Medium | 2022-12-09
CVE-2022-46155 | Airtable.js credentials exposed in browser builds | airtable.js | 7.6 | High | 2022-11-29
CVE-2022-29833 | Mitsubishi Electric GX Works security vulnerability | GX Works3 | 6.8 | Medium | 2022-11-24
CVE-2022-40751 | IBM UrbanCode Deploy information disclosure | UrbanCode Deploy | 4.9 | Medium | 2022-11-17
CVE-2022-38121 | POWERCOM CO., LTD. UPSMON PRO - Insufficiently Protected Credentials | UPSMON PRO | 6.5 | Medium | 2022-11-10
CVE-2022-36077 | Electron subject to Exfiltration of hashed SMB credentials on Windows via file:// redirect | electron | 7.2 | High | 2022-11-08
CVE-2022-3474 | Bazel leaks user credentials through the remote assets API | Bazel | 4.3 | - | 2022-10-26
CVE-2019-14840 | Red Hat Decision Manager 7 security vulnerability | Business-central | 7.5 | - | 2022-10-17
CVE-2022-28291 | Tenable Network Security Nessus security vulnerability | Nessus Professional | 6.5 | - | 2022-10-17
CVE-2022-38465 | Multiple Siemens products security vulnerability | SIMATIC Drive Controller family | 9.3 | Critical | 2022-10-11
CVE-2022-29089 | Dell SmartFabric OS10 information disclosure vulnerability | Dell Networking OS10 | 6.4 | Medium | 2022-09-28
CVE-2021-36783 | Rancher: Failure to properly sanitize credentials in cluster template answers | Rancher | 9.9 | Critical | 2022-09-07
CVE-2022-27560 | An insufficiently protected credential vulnerability affects HCL VersionVault Express | HCL VersionVault Express | 6.0 | Medium | 2022-08-30
CVE-2022-0718 | Python-Oslo-Utils log information disclosure vulnerability | openstack/python-oslo.utils | 6.5 | - | 2022-08-29
CVE-2021-43767 | Tyler Odyssey trust management issue vulnerability | Odyssey | 5.9 | - | 2022-08-25
CVE-2021-3513 | Red Hat Keycloak security vulnerability | keycloak | 5.3 | - | 2022-08-22
CVE-2022-36307 | Airspan AirVelocity 1500 security vulnerability | AirVelocity | 6.8 | - | 2022-08-16
CVE-2020-10710 | Red Hat Satellite security vulnerability | foreman-installer | 4.9 | - | 2022-08-16
CVE-2021-27785 | HCL Commerce could allow a local attacker to obtain sensitive personal information (CVE-2021-27785) | HCL Commerce | 3.9 | Low | 2022-07-29
CVE-2022-1766 | Anchore security vulnerability | Anchore Enterprise | 9.1 | - | 2022-07-20
CVE-2022-27544 | HCL BigFix Web Reports authorized users may see sensitive information in clear text | HCL BigFix | 5.0 | Medium | 2022-07-19
CVE-2022-22998 | Protecting AWS credentials stored in plaintext on My Cloud Home | My Cloud Home | 8.0 | High | 2022-07-12
CVE-2022-23725 | PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances | PingID Windows Login | 7.7 | High | 2022-06-30
CVE-2022-1666 | Secheron SEPCOS Control and Protection Relay | SEPCOS Control and Protection Relay firmware package | 6.5 | Medium | 2022-06-24
CVE-2022-27774 | curl information disclosure vulnerability | https://github.com/curl/curl | 6.5 | - | 2022-06-01
CVE-2022-27776 | curl information disclosure vulnerability | https://github.com/curl/curl | 7.5 | - | 2022-06-01

Vulnerabilities classified as CWE-522 (Insufficiently Protected Credentials) represent 374 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.