VYPR

CWE-522

Insufficiently Protected Credentials

ClassIncomplete

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (561)

page 17 of 29
  • CVE-2025-6227Jul 18, 2025
    risk 0.00cvss epss 0.00

    Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.

  • CVE-2025-53743Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-53667Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-53666Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2025-53665Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-53664Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2025-53663Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2025-53662Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2025-53661Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-53660Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-53657Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them.

  • CVE-2025-53656Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins…

  • CVE-2025-53654Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2025-53653Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

  • CVE-2025-53650Jul 9, 2025
    risk 0.00cvss epss 0.00

    Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.

  • CVE-2025-27192Apr 8, 2025
    risk 0.00cvss epss 0.00

    Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain…

  • CVE-2025-30197Mar 19, 2025
    risk 0.00cvss epss 0.00

    Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.

  • CVE-2024-47529Oct 2, 2024
    risk 0.00cvss epss 0.00

    OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via…

  • CVE-2024-47805Oct 2, 2024
    risk 0.00cvss epss 0.01

    Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.

  • CVE-2024-5657Jun 6, 2024
    risk 0.00cvss epss 0.01

    The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.