VYPR

CWE-522

Insufficiently Protected Credentials

ClassIncomplete

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (561)

page 20 of 29
  • CVE-2022-36077Nov 8, 2022
    risk 0.00cvss epss 0.01

    The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When following a redirect, Electron delays a…

  • CVE-2022-3644Oct 25, 2022
    risk 0.00cvss epss 0.00

    The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.

  • CVE-2022-43419Oct 19, 2022
    risk 0.00cvss epss 0.01

    Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2022-31130Oct 13, 2022
    risk 0.00cvss epss 0.01

    Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impacts data source and plugin proxy…

  • CVE-2022-41255Sep 21, 2022
    risk 0.00cvss epss 0.01

    Jenkins CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-41247Sep 21, 2022
    risk 0.00cvss epss 0.00

    Jenkins BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2021-36783Sep 7, 2022
    risk 0.00cvss epss 0.01

    A Insufficiently Protected Credentials vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners and Project Members to read credentials, passwords and API tokens that have been stored in cleartext and exposed via API endpoints. This…

  • CVE-2022-0718Aug 29, 2022
    risk 0.00cvss epss 0.01

    A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote ( " ) in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext.

  • CVE-2022-38665Aug 23, 2022
    risk 0.00cvss epss 0.01

    Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-38663Aug 23, 2022
    risk 0.00cvss epss 0.01

    Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.

  • CVE-2021-3513Aug 22, 2022
    risk 0.00cvss epss 0.01

    A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.

  • CVE-2022-35411Jul 8, 2022
    risk 0.00cvss epss 0.46

    rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the data to be processed with unpickle.

  • CVE-2022-34816Jun 30, 2022
    risk 0.00cvss epss 0.01

    Jenkins HPE Network Virtualization Plugin 1.0 stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34809Jun 30, 2022
    risk 0.00cvss epss 0.01

    Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34808Jun 30, 2022
    risk 0.00cvss epss 0.01

    Jenkins Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34807Jun 30, 2022
    risk 0.00cvss epss 0.01

    Jenkins Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34806Jun 30, 2022
    risk 0.00cvss epss 0.01

    Jenkins Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2022-34805Jun 30, 2022
    risk 0.00cvss epss 0.01

    Jenkins Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34803Jun 30, 2022
    risk 0.00cvss epss 0.01

    Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or access to the Jenkins controller file…

  • CVE-2022-34802Jun 30, 2022
    risk 0.00cvss epss 0.01

    Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.