
CWE-522

Insufficiently Protected Credentials

Abstraction level: Class

What it is

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Impact

Access Control: Gain Privileges or Assume Identity

Mitigations

  • [Architecture and Design] Use an appropriate security mechanism to protect the credentials.
  • [Architecture and Design] Make appropriate use of cryptography to protect the credentials.
  • [Implementation] Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).

Real-world CVE examples

  • CVE-2022-30018 — A messaging platform serializes all elements of User/Group objects, making private information available to adversaries
  • CVE-2022-29959 — Initialization file contains credentials that can be decoded using a "simple string transformation"
  • CVE-2022-35411 — Python-based RPC framework enables pickle functionality by default, allowing clients to unpickle untrusted data.
  • CVE-2022-29519 — Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.
  • CVE-2022-30312 — Building Controller uses a protocol that transmits authentication credentials in plaintext.
  • CVE-2022-31204 — Programmable Logic Controller (PLC) sends password in plaintext.
  • CVE-2022-30275 — Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
  • CVE-2007-0681 — Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized acti
  • CVE-2000-0944 — Web application password change utility doesn't check the original password.
  • CVE-2005-3435 — Product authentication succeeds if the user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
  • CVE-2005-0408 — chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

Source: MITRE CWE. View on cwe.mitre.org →