VYPR

CWE-522

Insufficiently Protected Credentials

ClassIncomplete

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (561)

page 24 of 29
  • CVE-2019-19135Mar 16, 2020
    risk 0.00cvss epss 0.01

    In OPC Foundation OPC UA .NET Standard codebase 1.4.357.28, servers do not create sufficiently random numbers in OPCFoundation.NetStandard.Opc.Ua before 1.4.359.31, which allows man in the middle attackers to reuse encrypted user credentials sent over the network.

  • CVE-2020-2145Mar 9, 2020
    risk 0.00cvss epss 0.00

    Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text on the Jenkins master file system.

  • CVE-2020-5404Mar 3, 2020
    risk 0.00cvss epss 0.01

    The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured…

  • CVE-2014-4659Feb 20, 2020
    risk 0.00cvss epss 0.00

    Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.

  • CVE-2020-2133Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2131Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins Harvest SCM Plugin 0.5.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2132Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2130Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins Harvest SCM Plugin 0.5.1 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

  • CVE-2020-2129Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

  • CVE-2020-2128Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2126Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml file on the Jenkins master where it can be viewed by users with access to the master file system.

  • CVE-2020-2125Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

  • CVE-2020-2127Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2020-2124Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2020-2119Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2020-2114Feb 12, 2020
    risk 0.00cvss epss 0.01

    Jenkins S3 publisher Plugin 0.11.4 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2020-2107Jan 29, 2020
    risk 0.00cvss epss 0.01

    Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-12423Jan 16, 2020
    risk 0.00cvss epss 0.06

    Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore…

  • CVE-2020-2095Jan 15, 2020
    risk 0.00cvss epss 0.01

    Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-12418Dec 23, 2019
    risk 0.00cvss epss 0.01

    When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle…