VYPR

CWE-522

Insufficiently Protected Credentials

Abstraction: Class · Status: Incomplete

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
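The storage half of that description is the pattern behind most of the Jenkins entries listed on this page (a plugin keeping a password or token as a plain string in a config file on the controller) and the Apache NiFi entry (a copy of the credentials written to the shared, world-readable OS temp directory). The following Python is an added example, not code from Jenkins, NiFi or any other project named here: one writer that reproduces the weakness, one hardened writer that keeps only a reference in the config and puts the secret in a 0600 file created in a private directory, and an audit check a reviewer could run over either file. The file names, the `@secret:` reference convention, the sample credential and the umask value are assumptions made for the demonstration.

```python
"""Added example for CWE-522 at rest (not code from Jenkins, NiFi or any listed project).
write_config_insecure reproduces the weakness; write_config_hardened stores a reference
in the config and the secret in a 0600 file created by mkstemp() in a private directory
(never the shared OS temp dir); audit_config reports what a reviewer would flag."""
import json
import os
import stat
import tempfile

SECRET_REF = "@secret:"  # assumed convention: the config value is a reference, never the credential


def write_config_insecure(path, user, password):
    """CWE-522 pattern: credential serialised in clear text, file mode left to the
    process umask (forced to the common default 0o022 here so the result is deterministic)."""
    old_umask = os.umask(0o022)
    try:
        with open(path, "w", encoding="utf-8") as f:
            json.dump({"user": user, "password": password}, f)
    finally:
        os.umask(old_umask)


def write_config_hardened(path, user, password, secret_dir):
    """Config holds a reference; the secret goes to secret_dir/<id> with mode 0600.
    mkstemp() creates the file 0600 in the target directory, so there is never a
    world-readable intermediate copy, and os.replace() makes the update atomic."""
    os.makedirs(secret_dir, mode=0o700, exist_ok=True)
    secret_id = f"{user}-password"
    fd, tmp = tempfile.mkstemp(dir=secret_dir)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(password)
        os.replace(tmp, os.path.join(secret_dir, secret_id))
    except BaseException:
        os.unlink(tmp)
        raise
    cfg_fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(cfg_fd, "w", encoding="utf-8") as f:
        json.dump({"user": user, "password": SECRET_REF + secret_id}, f)
    os.chmod(path, 0o600)  # the O_CREAT mode only applies to new files; tighten an existing one too
    return secret_id


def read_secret(secret_dir, config_value):
    """Resolve a reference written by write_config_hardened."""
    if not config_value.startswith(SECRET_REF):
        raise ValueError("not a secret reference")
    secret_id = config_value[len(SECRET_REF):]
    if os.sep in secret_id or secret_id in ("", ".", ".."):
        raise ValueError("bad secret id")  # keep a crafted reference inside secret_dir
    with open(os.path.join(secret_dir, secret_id), encoding="utf-8") as f:
        return f.read()


def audit_config(path, known_secrets):
    """Two findings a reviewer would raise: the file is readable beyond its owner,
    or a known credential value appears verbatim in it."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/others (mode {mode:04o})")
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    for key, value in data.items():
        if isinstance(value, str) and value in known_secrets:
            findings.append(f"{path}: key {key!r} holds a credential in clear text")
    return findings


def demo():
    """Run both writers in a scratch directory and return what the audit finds."""
    base = tempfile.mkdtemp()
    insecure = os.path.join(base, "insecure.json")
    hardened = os.path.join(base, "hardened.json")
    secret_dir = os.path.join(base, "secrets")
    password = "hunter2"  # constructed sample credential
    write_config_insecure(insecure, "deploy", password)
    write_config_hardened(hardened, "deploy", password, secret_dir)
    with open(hardened, encoding="utf-8") as f:
        ref = json.load(f)["password"]
    return {
        "insecure_findings": audit_config(insecure, {password}),
        "hardened_findings": audit_config(hardened, {password}),
        "secret_mode": stat.S_IMODE(os.stat(os.path.join(secret_dir, "deploy-password")).st_mode),
        "roundtrip_ok": read_secret(secret_dir, ref) == password,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The audit deliberately checks two independent things, because the CVEs above fail in two independent ways: a file can be mode 0600 and still hold the password in clear (readable by anyone with controller file-system access or a backup), and a file can hold only references and still be world-readable. POSIX permission bits are what `stat` reports on Linux and macOS; on Windows the mode check says nothing about ACLs and would need a separate test.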

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (561)

page 21 of 29
  • CVE-2022-34800 · Jun 30, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34799 · Jun 30, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34796 · Jun 30, 2022
    risk 0.00 · cvss · epss 0.01

    A missing permission check in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

  • CVE-2022-34213 · Jun 22, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-34199 · Jun 22, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2020-28865 · Jun 16, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in PowerJob through 3.2.2, allows attackers to change arbitrary user passwords via the id parameter to /appinfo/save.

  • CVE-2022-31033 · Jun 9, 2022
    risk 0.00 · cvss · epss 0.01

    The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port…

  • CVE-2022-30952 · May 17, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.

  • CVE-2022-1715 · May 13, 2022
    risk 0.00 · cvss · epss 0.01

    Account Takeover in GitHub repository neorazorx/facturascripts prior to 2022.07.

  • CVE-2021-36778 · May 2, 2022
    risk 0.00 · cvss · epss 0.01

    An Incorrect Authorization vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers. This issue affects: SUSE Rancher Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3.

  • CVE-2022-29052 · Apr 12, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2022-26850 · Apr 6, 2022
    risk 0.00 · cvss · epss 0.01

    When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi…

  • CVE-2022-28141 · Mar 29, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-28135 · Mar 29, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller…

  • CVE-2022-27218 · Mar 15, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2022-27217 · Mar 15, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

  • CVE-2022-27216 · Mar 15, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-27206 · Mar 15, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

  • CVE-2022-25187 · Feb 15, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle.

  • CVE-2022-25184 · Feb 15, 2022
    risk 0.00 · cvss · epss 0.01

    Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs.
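The transmission half of CWE-522 is represented above by CVE-2022-31033: a client that keeps sending the Authorization header after a redirect to a different port hands the credential to whatever listens there. The following Python is an added example, not Mechanize's code or fix: a minimal redirect-following client with an in-memory transport, where `strip_cross_origin=False` reproduces the leak and the default drops the header whenever scheme, host or effective port changes between hops. The transport, the route table, the URLs and the bearer token are constructed for the demonstration; the same-origin rule used here is stricter than some real clients, which allow an http to https upgrade.

```python
"""Added example for CWE-522 in transit (not code from Mechanize or any listed project).
follow_redirects(..., strip_cross_origin=False) reproduces the leak; with the default
it forwards Authorization only to the same (scheme, host, port) origin."""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """(scheme, host, port) with the default port filled in, so that
    https://h/ and https://h:443/ compare equal while https://h:8443/ does not."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (p.hostname or "").lower(), port


def should_forward_authorization(from_url, to_url):
    """Strict same-origin rule: any change of scheme, host or port drops the header.
    (Some clients permit an http->https upgrade; this example does not.)"""
    return origin(from_url) == origin(to_url)


class FakeTransport:
    """In-memory stand-in for the network: url -> (status, headers, body).
    Records the Authorization value each URL received, which is the leak we measure."""
    def __init__(self, routes):
        self.routes = routes
        self.seen = []

    def request(self, url, headers):
        self.seen.append((url, headers.get("Authorization")))
        return self.routes[url]


def follow_redirects(transport, url, headers, strip_cross_origin=True, max_hops=5):
    """Follow Location redirects; the header copy is private so the caller's dict is untouched.
    (Method rewriting for 303 is not modelled; only header handling matters here.)"""
    headers = dict(headers)
    for _ in range(max_hops):
        status, resp_headers, body = transport.request(url, headers)
        if status not in REDIRECT_STATUSES:
            return url, body
        target = urljoin(url, resp_headers["Location"])  # resolves relative Location values
        if strip_cross_origin and not should_forward_authorization(url, target):
            headers.pop("Authorization", None)
        url = target
    raise RuntimeError("too many redirects")


def demo():
    """Constructed route table: one cross-port redirect, one same-origin redirect."""
    routes = {
        "https://api.example.com/v1/report": (302, {"Location": "https://api.example.com:8443/v1/report"}, b""),
        "https://api.example.com:8443/v1/report": (200, {}, b"report"),
        "https://api.example.com/v1/old": (301, {"Location": "/v1/new"}, b""),
        "https://api.example.com/v1/new": (200, {}, b"new"),
    }
    creds = {"Authorization": "Bearer tok-123"}  # constructed token
    leaky = FakeTransport(routes)
    follow_redirects(leaky, "https://api.example.com/v1/report", creds, strip_cross_origin=False)
    fixed = FakeTransport(routes)
    follow_redirects(fixed, "https://api.example.com/v1/report", creds)
    same_origin = FakeTransport(routes)
    follow_redirects(same_origin, "https://api.example.com/v1/old", creds)
    return {
        "leaky_sent_to": [u for u, auth in leaky.seen if auth],
        "fixed_sent_to": [u for u, auth in fixed.seen if auth],
        "same_origin_sent_to": [u for u, auth in same_origin.seen if auth],
    }


if __name__ == "__main__":
    for name, urls in demo().items():
        print(name, urls)
```

When reviewing a real client, the check to run is the one `FakeTransport.seen` records: point the client at a server you control that answers with a redirect to a second host or port you also control, and inspect which hops received the header. Cookies need the same treatment as Authorization, scoped by the cookie's own domain and path rules rather than by origin.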