CWE-522
Insufficiently Protected Credentials
Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (561)
page 21 of 29
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-34800 | — | — | 0.00 | — | 0.01 | — | Jun 30, 2022 | Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. |
| CVE-2022-34799 | — | — | 0.00 | — | 0.01 | — | Jun 30, 2022 | Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2022-34796 | — | — | 0.00 | — | 0.01 | — | Jun 30, 2022 | A missing permission check in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |
| CVE-2022-34213 | — | — | 0.00 | — | 0.01 | — | Jun 22, 2022 | Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. |
| CVE-2022-34199 | — | — | 0.00 | — | 0.01 | — | Jun 22, 2022 | Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. |
| CVE-2020-28865 | — | — | 0.00 | — | 0.01 | — | Jun 16, 2022 | An issue was discovered in PowerJob through 3.2.2, allows attackers to change arbitrary user passwords via the id parameter to /appinfo/save. |
| CVE-2022-31033 | — | — | 0.00 | — | 0.01 | — | Jun 9, 2022 | The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port… |
| CVE-2022-30952 | — | — | 0.00 | — | 0.01 | — | May 17, 2022 | Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins. |
| CVE-2022-1715 | — | — | 0.00 | — | 0.01 | — | May 13, 2022 | Account Takeover in GitHub repository neorazorx/facturascripts prior to 2022.07. |
| CVE-2021-36778 | — | — | 0.00 | — | 0.01 | — | May 2, 2022 | An Incorrect Authorization vulnerability in SUSE Rancher allows administrators of third-party repositories to gather credentials that are sent to their servers. This issue affects: SUSE Rancher Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3. |
| CVE-2022-29052 | — | — | 0.00 | — | 0.01 | — | Apr 12, 2022 | Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. |
| CVE-2022-26850 | — | — | 0.00 | — | 0.01 | — | Apr 6, 2022 | When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi… |
| CVE-2022-28141 | — | — | 0.00 | — | 0.01 | — | Mar 29, 2022 | Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2022-28135 | — | — | 0.00 | — | 0.01 | — | Mar 29, 2022 | Jenkins instant-messaging Plugin 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on Jenkins instant-messaging Plugin on the Jenkins controller where they can be viewed by users with access to the Jenkins controller… |
| CVE-2022-27218 | — | — | 0.00 | — | 0.01 | — | Mar 15, 2022 | Jenkins incapptic connect uploader Plugin 1.15 and earlier stores tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. |
| CVE-2022-27217 | — | — | 0.00 | — | 0.01 | — | Mar 15, 2022 | Jenkins Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. |
| CVE-2022-27216 | — | — | 0.00 | — | 0.01 | — | Mar 15, 2022 | Jenkins dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system. |
| CVE-2022-27206 | — | — | 0.00 | — | 0.01 | — | Mar 15, 2022 | Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2022-25187 | — | — | 0.00 | — | 0.01 | — | Feb 15, 2022 | Jenkins Support Core Plugin 2.79 and earlier does not redact some sensitive information in the support bundle. |
| CVE-2022-25184 | — | — | 0.00 | — | 0.01 | — | Feb 15, 2022 | Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs. |