CWE-522
Insufficiently Protected Credentials
Class · Incomplete
Description
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (204)
page 3 of 11

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-45157 | Critical | 0.59 | 9.1 | 0.00 | | Nov 13, 2024 | A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments. |
| CVE-2026-32171 | High | 0.57 | 8.8 | 0.00 | | Apr 14, 2026 | Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-42933 | High | 0.57 | 8.8 | 0.00 | | Sep 9, 2025 | When a user logs in via SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs. This leads to exposure of sensitive credentials within the HTTP response body. As a result, it has a high impact on the confidentiality, integrity, and availability of the application. |
| CVE-2025-41682 | High | 0.57 | 8.8 | 0.00 | | Sep 8, 2025 | An authenticated, low-privileged attacker can obtain credentials stored on the charge controller including the manufacturer password. |
| CVE-2025-54428 | Critical | 0.57 | 9.8 | 0.00 | | Jul 28, 2025 | RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This could allow unauthorized access to production or staging databases, potentially leading to data exfiltration, modification, or deletion. This is fixed in version 1.0.1. Workarounds include: immediately rotating credentials for the exposed database user, using a secret manager (like Vault, Doppler, AWS Secrets Manager, etc.) instead of storing secrets directly in code, or auditing recent access logs for suspicious activity. |
| CVE-2025-34139 | High | 0.57 | — | 0.00 | | Jul 25, 2025 | A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected. |
| CVE-2025-3079 | High | 0.57 | 8.7 | 0.00 | | May 20, 2025 | A passback vulnerability which relates to office/small office multifunction printers and laser printers. |
| CVE-2025-3078 | High | 0.57 | 8.7 | 0.00 | | May 20, 2025 | A passback vulnerability which relates to production printers and office multifunction printers. |
| CVE-2024-49396 | High | 0.57 | — | 0.00 | | Oct 17, 2024 | The affected product is vulnerable due to insufficiently protected credentials, which may allow an attacker to impersonate Elvaco and send false information. |
| CVE-2023-49233 | High | 0.57 | 8.8 | 0.00 | | Sep 3, 2024 | Insufficient access checks in Visual Planning Admin Center 8 before v.1 Build 240207 allow attackers in possession of a non-administrative Visual Planning account to utilize functions normally reserved for administrators. The affected functions allow attackers to obtain different types of configured credentials and potentially elevate their privileges to administrator level. |
| CVE-2023-41926 | High | 0.57 | 8.8 | 0.00 | | Jul 2, 2024 | The webserver utilizes basic authentication for its user login to the configuration interface. As encryption is disabled on port 80, it enables potential eavesdropping on user traffic, making it possible to intercept their credentials. |
| CVE-2024-29071 | High | 0.57 | 8.8 | 0.00 | | Mar 25, 2024 | HGW BL1500HM Ver 002.001.013 and earlier contains a use of weak credentials issue. A network-adjacent unauthenticated attacker may change the system settings. |
| CVE-2017-16731 | High | 0.57 | 8.8 | 0.00 | | Dec 20, 2017 | An Unprotected Transport of Credentials issue was discovered in ABB Ellipse 8.3 through Ellipse 8.9 released prior to December 2017 (including Ellipse Select). A vulnerability exists in the authentication of Ellipse to LDAP/AD using the LDAP protocol. An attacker could exploit the vulnerability by sniffing local network traffic, allowing the discovery of authentication credentials. |
| CVE-2017-7547 | High | 0.57 | 8.8 | 0.01 | | Aug 16, 2017 | PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. |
| CVE-2026-23658 | High | 0.56 | 8.6 | 0.00 | | Mar 19, 2026 | Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2024-0368 | High | 0.56 | 8.6 | 0.02 | | Mar 13, 2024 | The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII. |
| CVE-2017-6528 | High | 0.56 | 8.1 | 0.07 | | Mar 9, 2017 | An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is affected by plaintext password storage (the /home/dna/spool/.pfile file). |
| CVE-2025-2908 | High | 0.55 | — | 0.00 | | Mar 28, 2025 | The exposure of credentials in the call forwarding configuration module in MeetMe products in versions prior to 2024-09 allows an attacker to gain access to some important assets via configuration files. |
| CVE-2024-43812 | High | 0.55 | 8.4 | 0.00 | | Oct 22, 2024 | Kieback & Peter's DDC4000 series has an insufficiently protected credentials vulnerability, which may allow an unauthenticated attacker with access to /etc/passwd to read the password hashes of all users on the system. |
| CVE-2024-28981 | High | 0.55 | 8.5 | 0.00 | | Sep 12, 2024 | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when searching metadata injectable fields. |