CWE-522
Insufficiently Protected Credentials
Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Common Consequences
Scope
Impact
Gain Privileges or Assume Identity
Potential Mitigations
Use an appropriate security mechanism to protect the credentials.
Make appropriate use of cryptography to protect the credentials.
Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
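As an added illustration, not part of the CWE entry, the following Python contrasts the weak pattern behind this weakness (a reversible "simple string transformation" of a stored password, as in the configuration-file example below) with the mitigation the entry calls for: a salted, slow key-derivation hash that stores nothing from which the password can be recovered. The record format and the PBKDF2 iteration count are assumptions of this example, not values from the page.

```python
import base64
import hashlib
import hmac
import os

# --- Weak pattern (CWE-522): a reversible transformation of the password ---
# Anyone who can read the file or the wire can run the transformation backwards.
def weak_encode(password: str) -> str:
    return base64.b64encode(password.encode()).decode()

def weak_recover(stored: str) -> str:
    # No secret is involved, so "decoding" is all an attacker needs to do.
    return base64.b64decode(stored).decode()

# --- Mitigated pattern: salted, iterated key derivation ---
# Only the salt and the derived key are stored; the password is not recoverable.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune per deployment)

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt per credential
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constructed record format: algorithm$iterations$salt_hex$key_hex
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed or tampered record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(dk, expected)
```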
Observed Examples
CVE-2022-30018: A messaging platform serializes all elements of User/Group objects, making private information available to adversaries.
CVE-2022-29959: Initialization file contains credentials that can be decoded using a "simple string transformation".
CVE-2022-35411: Python-based RPC framework enables pickle functionality by default, allowing clients to unpickle untrusted data.
CVE-2022-29519: Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.
CVE-2022-30312: Building Controller uses a protocol that transmits authentication credentials in plaintext.
CVE-2022-31204: Programmable Logic Controller (PLC) sends password in plaintext.
CVE-2022-30275: Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
CVE-2007-0681: Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
CVE-2000-0944: Web application password change utility doesn't check the original password.
CVE-2005-3435: Product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
Applicable Platforms