CWE-522
Insufficiently Protected Credentials
Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (561)
page 23 of 29

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-2314 | | | 0.00 | — | 0.00 | | Nov 4, 2020 | Jenkins AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2020-2312 | | | 0.00 | — | 0.01 | | Nov 4, 2020 | Jenkins SQLPlus Script Runner Plugin 2.0.12 and earlier does not mask a password provided as command line argument in build logs. |
| CVE-2020-15157 | | | 0.00 | — | 0.02 | | Oct 16, 2020 | In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise… |
| CVE-2020-2297 | | | 0.00 | — | 0.00 | | Oct 8, 2020 | Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2020-2291 | | | 0.00 | — | 0.00 | | Oct 8, 2020 | Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system. |
| CVE-2020-26149 | — | | 0.00 | — | 0.01 | | Sep 30, 2020 | NATS nats.js before 2.0.0-209, nats.ws before 1.0.0-111, and nats.deno before 1.0.0-9 allow credential disclosure from a client to a server. |
| CVE-2020-15841 | — | | 0.00 | — | 0.02 | | Jul 20, 2020 | Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 89, 7.1 before fix pack 17, and 7.2 before fix pack 4, does not safely test a connection to a LDAP server, which allows remote attackers to obtain the LDAP server's password via the Test LDAP Connection feature. |
| CVE-2020-2218 | | | 0.00 | — | 0.00 | | Jul 2, 2020 | Jenkins HP ALM Quality Center Plugin 1.6 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. |
| CVE-2020-2212 | | | 0.00 | — | 0.01 | | Jul 2, 2020 | Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system or read permissions on the system configuration. |
| CVE-2020-2213 | | | 0.00 | — | 0.01 | | Jul 2, 2020 | Jenkins White Source Plugin 19.1.1 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission (config.xml), or access to the master file system. |
| CVE-2020-2209 | | | 0.00 | — | 0.01 | | Jul 2, 2020 | Jenkins TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. |
| CVE-2020-2208 | | | 0.00 | — | 0.01 | | Jul 2, 2020 | Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. |
| CVE-2020-10755 | | | 0.00 | — | 0.01 | | Jun 10, 2020 | An insecure-credentials flaw was found in all openstack-cinder versions before openstack-cinder 14.1.0, all openstack-cinder 15.x.x versions before openstack-cinder 15.2.0 and all openstack-cinder 16.x.x versions before openstack-cinder 16.1.0. When using openstack-cinder with… |
| CVE-2020-2198 | | | 0.00 | — | 0.01 | | Jun 3, 2020 | Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure. |
| CVE-2020-2182 | | | 0.00 | — | 0.01 | | May 6, 2020 | Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances. |
| CVE-2020-2181 | | | 0.00 | — | 0.01 | | May 6, 2020 | Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. |
| CVE-2020-5263 | | | 0.00 | — | 0.01 | | Apr 9, 2020 | auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the… |
| CVE-2020-2164 | | | 0.00 | — | 0.01 | | Mar 25, 2020 | Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system. |
| CVE-2020-2165 | | | 0.00 | — | 0.01 | | Mar 25, 2020 | Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure. |
| CVE-2019-10682 | — | | 0.00 | — | 0.01 | | Mar 18, 2020 | django-nopassword before 5.0.0 stores cleartext secrets in the database. |