Przykłady dla CWE-522: Insufficiently Protected Credentials - CXSecurity.com

	Tytuł	Data	Autor
Med.	WordPress Social-Stream 1.6.0 Twitter API Secret Disclosure	28.05.2017	Kyle Lovett
Med.	Sophos Web Appliance 4.2.1.3 Privilege Escalation	05.11.2016	Matt Bergin
Med.	Password Safe And Repository Enterprise 7.4.4 Build 2247 Crypto Issues	13.10.2015	Matthias Deeg
Med.	Netop Remote Control 11.52 / 12.11 Credential Issue	25.08.2015	Matthias Deeg
Low	PicsArt Photo Studio For Android Insecure Management	07.11.2014	Fundacion Dr. Manuel S...
High	Privoxy 3.0.20-1 Proxy Authentication Credential Exposure	12.03.2013	Chris John Riley

Common Weakness Enumeration (CWE)

CVE

Szczegóły

Opis

2022-04-20

Low

CVE-2022-27179

Updating...

A malicious actor having access to the exported configuration file may obtain the stored credentials and thereby gain access to the protected resource. If the same passwords were used for other resources, further such assets may be compromised.

2022-04-12

Low	CVE-2022-29052	Vendor: Jenkins Software: Google compu...	Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Medium	CVE-2022-22550	Vendor: DELL Software: Emc powersca...	Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over.

2022-04-06

Low

CVE-2022-26850

Vendor: Apache
Software: NIFI

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

2022-04-05

Medium

CVE-2022-24978

Vendor: Zohocorp
Software: Manageengine...

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.

2022-04-04

Medium

CVE-2022-1026

Vendor: Kyocera
Software: Net viewer

Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function.

2022-04-01

Medium

CVE-2021-33024

Vendor: Philips
Software: Myvue

Philips Vue PACS versions 12.2.x.x and prior transmits or stores authentication credentials, but it uses an insecure method susceptible to unauthorized interception and/or retrieval.

2022-03-30

Medium

CVE-2022-26948

Vendor: RSA
Software: Archer

The Archer RSS feed integration for Archer 6.x through 6.9 SP1 (6.9.1.0) is affected by an insecure credential storage vulnerability. A malicious attacker may obtain access to credential information to use it in further attacks.

2022-03-29

Low

CVE-2022-28141

Vendor: Jenkins
Software: Proxmox

Jenkins Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

2022-03-23

Medium

CVE-2022-0859

Vendor: Mcafee
Software: Epolicy orch...

McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a local attacker to point an ePO server to an arbitrary SQL server during the restoration of the ePO server. To achieve this the attacker would have to be logged onto the server hosting the ePO server (restricted to administrators) and to know the SQL server password.

Copyright 2022, cxsecurity.com