CWE-522: Insufficiently Protected Credentials
1,429 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories; the full definition is on MITRE.
CVEs classified under CWE-522 (page 19 of 29)
- CVE-2022-30018 | HIGH | CVSS 8.8 | EG 8.8 | 2022-05-19
Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, Storing Passwords in a Recoverable Format via the MxCC.ini config file. The credential storage method in this software enables an attacker/user of the …
- CVE-2022-30231 | MEDIUM | CVSS 4.9 | EG 4.3 | 2022-06-14
A vulnerability has been identified in SICAM GridEdge (Classic) (All versions < V2.6.6). The affected application discloses password hashes of other users upon request. This could allow an authenticated user to retrieve another user's pass…
- CVE-2022-30285 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-02
In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials.
- CVE-2022-30296 | HIGH | CVSS 7.5 | EG 7.5 | 2022-08-18
Insufficiently protected credentials in the Intel(R) Datacenter Group Event iOS application, all versions, may allow an unauthenticated user to potentially enable information disclosure via network access.
- CVE-2022-30587 | HIGH | CVSS 7.5 | EG 7.5 | 2022-06-06
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to information disclosure.
- CVE-2022-30601 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-18
Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access.
- CVE-2022-30944 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-08-18
Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access.
- CVE-2022-30952 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-05-17
Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified …
- CVE-2022-31044 | HIGH | CVSS 7.5 | EG 7.5 | 2022-06-15
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. The Key Storage converter plugin mechanism was not enabled correctly in Rundeck 4.2.0 and 4.2.1, resulting in use of the encryption layer for…
- CVE-2022-31085 | MEDIUM | CVSS 6.1 | EG 6.1 | 2022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP O…
- CVE-2022-31130 | MEDIUM | CVSS 4.9 | EG 4.9 | 2022-10-13
Grafana is an open source observability and data visualization platform. Versions of Grafana for endpoints prior to 9.1.8 and 8.5.14 could leak authentication tokens to some destination plugins under some conditions. The vulnerability impa…
- CVE-2022-31205 | HIGH | CVSS 7.5 | EG 7.5 | 2022-07-26
In Omron CS series, CJ series, and CP series PLCs through 2022-05-18, the password for access to the Web UI is stored in memory area D1449...D1452 and can be read out using the Omron FINS protocol without any further authentication.
- CVE-2022-31887 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-28
Marval MSM v14.19.0.12476 has a 0-Click Account Takeover vulnerability which allows an attacker to change any user's password in the organization; this means that the attacker can also achieve Privilege Escalation by changing the admi…
- CVE-2022-3206 | MEDIUM | CVSS 5.9 | EG 5.9 | 2022-10-17
The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named "passster" using base64 encoding method which is easy to decode. This puts the password at risk in case the cookies get leaked.
- CVE-2022-32518 | HIGH | CVSS 8.0 | EG 9.8 | 2023-01-30
A CWE-522: Insufficiently Protected Credentials vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. This CVE is unique from CVE-2022-32520. Affected Products…
- CVE-2022-32519 | HIGH | CVSS 8.0 | EG 9.8 | 2023-01-30
A CWE-257: Storing Passwords in a Recoverable Format vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. Affected Products: Data Center Expert (Versions prio…
- CVE-2022-32520 | HIGH | CVSS 8.0 | EG 9.8 | 2023-01-30
A CWE-522: Insufficiently Protected Credentials vulnerability exists that could result in unwanted access to a DCE instance when performed over a network by a malicious third-party. This CVE is unique from CVE-2022-32518. Affected Products…
- CVE-2022-33169 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-08-01
IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 is vulnerable to insufficiently protected credentials for users created via a bulk upload. IBM X-Force ID: 228888.
- CVE-2022-33953 | MEDIUM | CVSS 4.6 | EG 4.6 | 2022-06-24
IBM Robotic Process Automation 21.0.1 and 21.0.2 could allow a user with physical access to the system to obtain sensitive information due to insufficiently protected access tokens. IBM X-Force ID: 229198.
- CVE-2022-33954 | MEDIUM | CVSS 4.6 | EG 4.6 | 2024-12-19
IBM Robotic Process Automation 21.0.1, 21.0.2, and 21.0.3 could allow a user with physical access to the system to obtain sensitive information due to insufficiently protected credentials.
- CVE-2022-34199 | MEDIUM | CVSS 6.5 | EG 4.3 | 2022-06-23
Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller f…
- CVE-2022-34202 | MEDIUM | CVSS 6.5 | EG 3.3 | 2022-06-23
Jenkins EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
- CVE-2022-34213 | MEDIUM | CVSS 6.5 | EG 3.3 | 2022-06-23
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file syst…
- CVE-2022-34311 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-02-12
IBM CICS TX Standard and Advanced 11.1 could allow a user with physical access to the web browser to gain access to the user's session due to insufficiently protected credentials. IBM X-Force ID: 229446.
- CVE-2022-34371 | HIGH | CVSS 8.1 | EG 9.8 | 2022-09-02
Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.3, contain an unprotected transport of credentials vulnerability. A malicious unprivileged network attacker could potentially exploit this vul…
- CVE-2022-34445 | MEDIUM | CVSS 6.0 | EG 4.4 | 2023-02-11
Dell PowerScale OneFS, versions 8.2.x through 9.3.x contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.
- CVE-2022-3474 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-10-26
A bad credential handling in the remote assets API for Bazel versions prior to 5.3.2 and 4.2.3 sends all user-provided credentials instead of only the required ones for the requests. We recommend upgrading to versions later than or equal t…
- CVE-2022-34796 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-06-30
A missing permission check in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
- CVE-2022-34799 | MEDIUM | CVSS 4.3 | EG 3.3 | 2022-06-30
Jenkins Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
- CVE-2022-34800 | MEDIUM | CVSS 4.3 | EG 3.3 | 2022-06-30
Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
- CVE-2022-34802 | MEDIUM | CVSS 4.3 | EG 3.3 | 2022-06-30
Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller…
- CVE-2022-34803 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-06-30
Jenkins OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file and in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission (config.xml), or acc…
- CVE-2022-34805 | MEDIUM | CVSS 6.5 | EG 3.3 | 2022-06-30
Jenkins Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
- CVE-2022-34806 | MEDIUM | CVSS 6.5 | EG 3.3 | 2022-06-30
Jenkins Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
- CVE-2022-34807 | MEDIUM | CVSS 6.5 | EG 3.3 | 2022-06-30
Jenkins Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
- CVE-2022-34808 | MEDIUM | CVSS 4.3 | EG 3.3 | 2022-06-30
Jenkins Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
- CVE-2022-34809 | MEDIUM | CVSS 6.5 | EG 3.3 | 2022-06-30
Jenkins RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
- CVE-2022-34816 | MEDIUM | CVSS 6.5 | EG 3.3 | 2022-06-30
Jenkins HPE Network Virtualization Plugin 1.0 stores passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
- CVE-2022-34837 | MEDIUM | CVSS 6.2 | EG 6.1 | 2022-08-24
Storing Passwords in a Recoverable Format vulnerability in ABB Zenon 8.20 allows an attacker who successfully exploits the vulnerability to add more network clients that may monitor various activities of Zenon.
- CVE-2022-34838 | HIGH | CVSS 8.1 | EG 8.4 | 2022-08-24
Storing Passwords in a Recoverable Format vulnerability in ABB Zenon 8.20 allows an attacker who successfully exploits the vulnerability to add or alter data points and corresponding attributes. Once such engineering data is used the data …
- CVE-2022-35411 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-08
rpc.py through 0.6.0 allows Remote Code Execution because an unpickle occurs when the "serializer: pickle" HTTP header is sent. In other words, although JSON (not Pickle) is the default data format, an unauthenticated client can cause the …
- CVE-2022-36077 | HIGH | CVSS 7.2 | EG 7.2 | 2022-11-08
The Electron framework enables writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 21.0.0-beta.1, 20.0.1, 19.0.11, and 18.3.7, Electron is vulnerable to Exposure of Sensitive Information. When f…
- CVE-2022-36307 | MEDIUM | CVSS 6.8 | EG 6.8 | 2022-08-16
The AirVelocity 1500 prints SNMP credentials on its physically accessible serial port during boot. This was fixed in AirVelocity 1500 software version 15.18.00.2511 and may affect other AirVelocity and AirSpeed models.
- CVE-2022-36308 | CRITICAL | CVSS 9.1 | EG 9.1 | 2022-08-16
Airspan AirVelocity 1500 web management UI displays SNMP credentials in plaintext on software versions older than 15.18.00.2511, and stores SNMPv3 credentials unhashed on the filesystem, enabling anyone with web access to use these credent…
- CVE-2022-3644 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-10-25
The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API instead of marking them as write only.
- CVE-2022-36524 | HIGH | CVSS 7.5 | EG 7.5 | 2022-08-15
D-Link GO-RT-AC750 GORTAC750_revA_v101b03 & GO-RT-AC750_revB_FWv200b02 is vulnerable to Static Default Credentials via /etc/init0.d/S80telnetd.sh.
- CVE-2022-36617 | MEDIUM | CVSS 4.9 | EG 4.9 | 2022-09-09
Arq Backup 7.19.5.0 and below stores backup encryption passwords using reversible encryption. This issue allows attackers with administrative privileges to recover cleartext passwords.
- CVE-2022-36901 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-07-27
Jenkins HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
- CVE-2022-37109 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-14
patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to the password.txt file is not properly restricted as it is in the root directory served by StaticFil…
- CVE-2022-37193 | HIGH | CVSS 7.4 | EG 7.4 | 2022-09-27
Chipolo ONE Bluetooth tracker (2020) Chipolo iOS app version 4.13.0 is vulnerable to Incorrect Access Control. Chipolo devices suffer from access revocation evasion attacks once the malicious sharee obtains the access credentials.