CWE-522 — Insufficiently Protected Credentials
1,427 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-522 (page 2 of 29)
- CVE-2017-18695 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-04-07
  An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/5.1), M(6.0), and N(7.0) software. Attackers (who control a certain subdomain) can discover a user's credentials, during an email account login, via an EAS autodiscover …
- CVE-2017-18777 | HIGH | CVSS 7.8 | EG 7.8 | 2020-04-22
  Certain NETGEAR devices are affected by administrative password disclosure. This affects D6220 before V1.0.0.28, D6400 before V1.0.0.60, D8500 before V1.0.3.29, DGN2200v4 before 1.0.0.82, DGN2200Bv4 before 1.0.0.82, R6300v2 before 1.0.4.8,…
- CVE-2017-18843 | HIGH | CVSS 7.8 | EG 7.8 | 2020-04-20
  Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects R6700v2 before 1.1.0.38, R6800 before 1.1.0.38, and D7000 before 1.0.1.50.
- CVE-2017-18844 | HIGH | CVSS 7.8 | EG 7.8 | 2020-04-20
  Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects R6700v2 before 1.1.0.38, R6800 before 1.1.0.38, and D7000 before 1.0.1.50.
- CVE-2017-18845 | HIGH | CVSS 7.8 | EG 7.8 | 2020-04-20
  Certain NETGEAR devices are affected by disclosure of administrative credentials. This affects R6700v2 before 1.1.0.38 and R6800 before 1.1.0.38.
- CVE-2017-2665 | MEDIUM | CVSS 4.8 | EG 7.0 | 2018-07-06
  The skyring-setup command creates a random password for the mongodb skyring database but writes the password in plain text to the /etc/skyring/skyring.conf file, which is owned by root but readable by local users. Any local user who has access to system ru…
- CVE-2017-2751 | MEDIUM | CVSS 4.6 | EG 4.6 | 2018-10-03
  A BIOS password extraction vulnerability has been reported on certain consumer notebooks with firmware F.22 and others. The BIOS password was stored in CMOS in a way that allowed it to be extracted. This applies to consumer notebooks launc…
- CVE-2017-5189 | MEDIUM | CVSS 4.3 | EG 7.5 | 2018-03-02
  NetIQ iManager before 3.0.3 delivered an SSL private key in a Java application (JAR file) for authentication to Sentinel, allowing attackers to extract it and establish their own connections to the Sentinel appliance.
- CVE-2017-5704 | MEDIUM | CVSS 6.7 | EG 6.7 | 2018-07-10
  Platform sample code firmware included with 4th Gen Intel Core Processor, 5th Gen Intel Core Processor, 6th Gen Intel Core Processor, and 7th Gen Intel Core Processor potentially exposes password information in memory to a local attacker w…
- CVE-2017-7510 | HIGH | CVSS 8.8 | EG 8.8 | 2019-03-25
  In ovirt-engine 4.1, if a host was provisioned with cloud-init, the root password could be revealed through the REST interface.
- CVE-2017-7933 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-06-06
  In ABB IP GATEWAY 3.39 and prior, some configuration files contain passwords stored in plain text, which may allow an attacker to gain unauthorized access.
- CVE-2017-9248 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2017-07-03
  Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote atta…
- CVE-2017-9637 | MEDIUM | CVSS 4.1 | EG 4.1 | 2018-05-18
  Schneider Electric Ampla MES 6.4 provides capability to interact with data from third party databases. When connectivity to those databases is configured to use a SQL user name and password, an attacker may be able to sniff details from th…
- CVE-2017-9654 | HIGH | CVSS 8.8 | EG 8.8 | 2018-04-24
  The Philips DoseWise Portal web-based application versions 1.1.7.333 and 2.1.1.3069 stores login credentials in clear text within backend system files. CVSS v3 base score: 6.5, CVSS vector string: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.
- CVE-2017-9969 | MEDIUM | CVSS 6.7 | EG 6.7 | 2018-02-12
  An information disclosure vulnerability exists in Schneider Electric's IGSS Mobile application version 3.01 and prior. Passwords are stored in clear text in the configuration, which can result in exposure of sensitive information.
- CVE-2018-0335 | HIGH | CVSS 7.8 | EG 7.8 | 2018-06-07
  A vulnerability in the web portal authentication process of Cisco Prime Collaboration Provisioning could allow an unauthenticated, local attacker to view sensitive data. The vulnerability is due to improper logging of authentication data. …
- CVE-2018-0474 | HIGH | CVSS 8.8 | EG 8.8 | 2019-01-10
  A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an authenticated, remote attacker to view digest credentials in clear text. The vulnerability is due to the incorrect inclusion of sa…
- CVE-2018-0828 | HIGH | CVSS 7.8 | EG 7.8 | 2018-02-15
  Windows 10 version 1607 and Windows Server 2016 allow an elevation of privilege vulnerability due to how the MultiPoint management account password is stored, aka "Windows Elevation of Privilege Vulnerability".
- CVE-2018-1000057 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-02-09
  Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result…
- CVE-2018-1000104 | HIGH | CVSS 7.8 | EG 7.8 | 2018-03-13
  A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malici…
- CVE-2018-1000401 | HIGH | CVSS 7.8 | EG 7.8 | 2018-07-09
  Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appears to be exploitab…
- CVE-2018-1000403 | HIGH | CVSS 7.8 | EG 7.8 | 2018-07-09
  Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in Credentials Disclosure. This attack appears to be exploit…
- CVE-2018-1000404 | HIGH | CVSS 7.8 | EG 7.8 | 2018-07-09
  Jenkins project Jenkins AWS CodeBuild Plugin version 0.26 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSClientFactory.java, CodeBuilder.java that can result in Credentials Disclosure. This attack appears to…
- CVE-2018-1000423 | HIGH | CVSS 7.8 | EG 7.8 | 2019-01-09
  An insufficiently protected credentials vulnerability exists in Jenkins Crowd 2 Integration Plugin 2.0.0 and earlier in CrowdSecurityRealm.java, CrowdConfigurationService.java that allows attackers with local file system access to obtain t…
- CVE-2018-1000424 | HIGH | CVSS 7.8 | EG 7.8 | 2019-01-09
  An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier in ArtifactoryBuilder.java, CredentialsConfig.java that allows attackers with local file system access to obtain old credentials …
- CVE-2018-1000425 | HIGH | CVSS 7.8 | EG 7.8 | 2019-01-09
  An insufficiently protected credentials vulnerability exists in Jenkins SonarQube Scanner Plugin 2.8 and earlier in SonarInstallation.java that allows attackers with local file system access to obtain the credentials used to connect to Son…
- CVE-2018-1000608 | HIGH | CVSS 7.2 | EG 7.2 | 2018-06-26
  An exposure of sensitive information vulnerability exists in Jenkins z/OS Connector Plugin 1.2.6.1 and earlier in SCLMSCM.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. m…
- CVE-2018-1000610 | HIGH | CVSS 8.8 | EG 8.8 | 2018-06-26
  An exposure of sensitive information vulnerability exists in Jenkins Configuration as Code Plugin 0.7-alpha and earlier in DataBoundConfigurator.java, Attribute.java, BaseConfigurator.java, ExtensionConfigurator.java that allows attackers w…
- CVE-2018-1000627 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-28
  Battelle V2I Hub 2.5.1 could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to the API key file. An attacker could exploit this vulnerability to obtain the current API key to gain unauthor…
- CVE-2018-1000851 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-20
  Copay Bitcoin Wallet versions 5.01 to 5.1.0 inclusive contain an Other/Unknown vulnerability in wallet private key storage that can result in users' private keys being compromised. This attack appears to be exploitable via Affected version…
- CVE-2018-10024 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-04-11
  ubiQuoss Switch VP5208A creates a bcm_password file at /cgi-bin/ with the user credentials in cleartext when a failed login attempt occurs. The file can be reached via an HTTP request. The credentials can be used to access the system via S…
- CVE-2018-10286 | HIGH | CVSS 8.8 | EG 8.8 | 2018-04-22
  The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to certain HTTP POST requests. In order to be ab…
- CVE-2018-10327 | HIGH | CVSS 7.0 | EG 7.0 | 2018-05-17
  PrinterOn Enterprise 4.1.3 stores the Active Directory bind credentials using base64 encoding, which allows local users to obtain credentials for a domain user by reading the cps_config.xml file.
- CVE-2018-10355 | HIGH | CVSS 7.0 | EG 7.0 | 2018-05-23
  An authentication weakness vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to recover user passwords on vulnerable installations due to a flaw in the DBCrypto class. An attacker must first obtain access to…
- CVE-2018-10622 | MEDIUM | CVSS 6.8 | EG 7.1 | 2018-08-10
  Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data.
- CVE-2018-1074 | HIGH | CVSS 7.7 | EG 7.2 | 2018-04-26
  ovirt-engine API and administration web portal before versions 4.2.2.5 and 4.1.11.2 is vulnerable to an exposure of Power Management credentials, including cleartext passwords, to Host Administrators. A Host Administrator could use this flaw t…
- CVE-2018-1075 | MEDIUM | CVSS 5.0 | EG 7.8 | 2018-06-12
  ovirt-engine up to version 4.2.3 is vulnerable to an unfiltered password when choosing manual db provisioning. When engine-setup is run and one chooses to provision the database manually or connect to a remote database, the password input…
- CVE-2018-10814 | HIGH | CVSS 7.8 | EG 7.8 | 2018-09-14
  Synametrics SynaMan 4.0 build 1488 uses cleartext password storage for SMTP credentials.
- CVE-2018-10824 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-10-17
  An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrat…
- CVE-2018-11050 | HIGH | CVSS 8.8 | EG 8.8 | 2018-08-01
  Dell EMC NetWorker versions between 9.0 and 9.1.1.8 through 9.2.1.3, and the version 18.1.0.1 contain a clear-text authentication over network vulnerability in the Rabbit MQ Advanced Message Queuing Protocol (AMQP) component. User credenti…
- CVE-2018-11079 | MEDIUM | CVSS 5.5 | EG 7.8 | 2018-10-18
  Dell EMC Secure Remote Services, versions prior to 3.32.00.08, contain a Plaintext Password Storage vulnerability. Database credentials are stored in plaintext in a configuration file. An authenticated malicious user with access to the co…
- CVE-2018-1139 | HIGH | CVSS 8.1 | EG 8.1 | 2018-08-22
  A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credential and other details pass…
- CVE-2018-11544 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-05-29
  The Olive Tree Ftp Server application 1.32 for Android has Insecure Data Storage because a username and password are stored in the /data/data/com.theolivetree.ftpserver/shared_prefs/com.theolivetree.ftpserver_preferences.xml file as the pr…
- CVE-2018-11634 | HIGH | CVSS 7.8 | EG 7.8 | 2018-07-03
  Plaintext Storage of Passwords in the administrative console in Dialogic PowerMedia XMS before 3.5 SU2 allows local users to access the web application's user passwords in cleartext by reading /var/www/xms/xmsdb/default.db.
- CVE-2018-11639 | HIGH | CVSS 8.1 | EG 8.1 | 2018-07-03
  Plaintext Storage of Passwords within Cookies in /var/www/xms/application/controllers/verifyLogin.php in the administrative console in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to access a user's password in cleartext.
- CVE-2018-11742 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-12-26
  NEC Univerge Sv9100 WebPro 6.00.00 devices have Cleartext Password Storage in the Web UI.
- CVE-2018-11746 | HIGH | CVSS 8.6 | EG 9.8 | 2018-07-03
  In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if an HTTPS server is not available. This can expose the login credentials being us…
- CVE-2018-11748 | HIGH | CVSS 7.8 | EG 7.8 | 2018-10-02
  Previous releases of the Puppet device_manager module create configuration files containing credentials that are world readable. This issue has been resolved as of device_manager 2.7.0.
- CVE-2018-11752 | MEDIUM | CVSS 5.5 | EG 5.5 | 2018-10-02
  Previous releases of the Puppet cisco_ios module output SSH session debug information, including login credentials, to a world readable file on every run. These issues have been resolved in the 0.4.0 release.
- CVE-2018-12038 | MEDIUM | CVSS 4.2 | EG 4.2 | 2018-11-20
  An issue was discovered on Samsung 840 EVO devices. Vendor-specific commands may allow access to the disk-encryption key.