VYPR

CWE-522

Insufficiently Protected Credentials

ClassIncomplete

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (561)

page 26 of 29
  • CVE-2019-10423Sep 25, 2019
    risk 0.00cvss epss 0.00

    Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10413Sep 25, 2019
    risk 0.00cvss epss 0.01

    Jenkins Data Theorem: CI/CD Plugin 1.3 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10419Sep 25, 2019
    risk 0.00cvss epss 0.00

    Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10422Sep 25, 2019
    risk 0.00cvss epss 0.01

    Jenkins Call Remote Job Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10414Sep 25, 2019
    risk 0.00cvss epss 0.01

    Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10415Sep 25, 2019
    risk 0.00cvss epss 0.01

    Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

  • CVE-2019-10420Sep 25, 2019
    risk 0.00cvss epss 0.00

    Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10416Sep 25, 2019
    risk 0.00cvss epss 0.01

    Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10398Sep 12, 2019
    risk 0.00cvss epss 0.00

    Jenkins Beaker Builder Plugin 1.9 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

  • CVE-2019-10379Aug 7, 2019
    risk 0.00cvss epss 0.00

    Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10378Aug 7, 2019
    risk 0.00cvss epss 0.01

    Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10385Aug 7, 2019
    risk 0.00cvss epss 0.01

    Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10361Jul 31, 2019
    risk 0.00cvss epss 0.00

    Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system.

  • CVE-2019-10366Jul 31, 2019
    risk 0.00cvss epss 0.01

    Jenkins Skytap Cloud CI Plugin 2.06 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

  • CVE-2019-10345Jul 31, 2019
    risk 0.00cvss epss 0.00

    Jenkins Configuration as Code Plugin 1.20 and earlier did not treat the proxy password as a secret to be masked when logging or encrypted for export.

  • CVE-2019-1010241Jul 19, 2019
    risk 0.00cvss epss 0.01

    Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker…

  • CVE-2019-10347Jul 11, 2019
    risk 0.00cvss epss 0.02

    Jenkins Mashup Portlets Plugin stored credentials unencrypted on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-11272Jun 26, 2019
    risk 0.00cvss epss 0.01

    Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password,…

  • CVE-2019-10329May 31, 2019
    risk 0.00cvss epss 0.02

    Jenkins InfluxDB Plugin 1.21 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-12452May 29, 2019
    risk 0.00cvss epss 0.03

    types/types.go in Containous Traefik 1.7.x through 1.7.11, when the --api flag is used and the API is publicly reachable and exposed without sufficient access control (which is contrary to the API documentation), allows remote authenticated users to discover password hashes by…