{"@ID": "522", "@Name": "Insufficiently Protected Credentials", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1390", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "287", "@View_ID": "1003", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "668", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}, {"@Class": "Web Based", "@Prevalence": "Undetermined"}, {"@Class": "ICS/OT", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design", "Note": "COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic."}, {"Phase": "Implementation"}]}, "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": "Gain Privileges or Assume Identity", "Note": "An attacker could gain access to user accounts and access sensitive data used by the user accounts."}}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "Use an appropriate security mechanism to protect the credentials."}, {"Phase": "Architecture and Design", "Description": "Make appropriate use of cryptography to protect the credentials."}, {"Phase": "Implementation", "Description": "Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.)."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-56", "Intro_Text": "This code changes a user's password.", "Example_Code": {"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:br": [null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "SetUserPassword($user, $pass);"}, "#text": "$user = $_GET['user'];$pass = $_GET['pass'];$checkpass = $_GET['checkpass'];if ($pass == $checkpass) {}"}}, "Body_Text": "While the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account."}, {"@Demonstrative_Example_ID": "DX-57", "Intro_Text": "The following code reads a password from a properties file and uses the password to connect to a database.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "#text": "...Properties prop = new Properties();prop.load(new FileInputStream(\"config.properties\"));String password = prop.getProperty(\"password\");DriverManager.getConnection(url, usr, password);..."}}, "Body_Text": "This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system."}, {"@Demonstrative_Example_ID": "DX-58", "Intro_Text": "The following code reads a password from the registry and uses the password to create a new network credential.", "Example_Code": {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null], "#text": "...String password = regKey.GetValue(passKey).toString();NetworkCredential netCred = new NetworkCredential(username,password,domain);..."}}, "Body_Text": "This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system"}, {"@Demonstrative_Example_ID": "DX-59", "Intro_Text": "Both of these examples verify a password by comparing it to a stored compressed version.", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "printf(\"Incorrect Password!\\n\");return(0);"}, "xhtml:br": [null, null], "#text": "if (strcmp(compress(password), compressed_password)) {}printf(\"Entering Diagnostic Mode...\\n\");return(1);"}, "#text": "int VerifyAdmin(char *password) {}"}}, {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"@style": "margin-left:1em;", "#text": "return(0);"}, "xhtml:br": [null, null], "xhtml:i": "//Diagnostic Mode", "#text": "if (passwd.Equals(compress(password), compressed_password)) {}\n                        \n                        return(1);"}, "#text": "int VerifyAdmin(String password) {}"}}], "Body_Text": "Because a compression algorithm is used instead of a one way hashing algorithm, an attacker can recover compressed passwords stored in the database."}, {"@Demonstrative_Example_ID": "DX-43", "Intro_Text": "The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.", "Body_Text": ["This Java example shows a properties file with a cleartext username / password pair.", "The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database but the pair is stored in cleartext.", "Username and password information should not be included in a configuration file or a properties file in cleartext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information."], "Example_Code": [{"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:i": "# Java Web App ResourceBundle properties file", "#text": "...webapp.ldap.username=secretUsernamewebapp.ldap.password=secretPassword..."}}, {"@Nature": "Bad", "@Language": "ASP.NET", "xhtml:div": {"xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "<add name=\"ud_DEV\" connectionString=\"connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;\" providerName=\"System.Data.Odbc\" />"}, "#text": "...<connectionStrings></connectionStrings>..."}}]}, {"@Demonstrative_Example_ID": "DX-153", "Intro_Text": "In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were \"insecure by design\" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these products were often used in industries such as power, electrical, water, and others, there could even be safety implications.", "Body_Text": "Multiple vendors used cleartext transmission or storage of passwords in their OT products."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2022-30018", "Description": "A messaging platform serializes all elements of User/Group objects, making private information available to adversaries", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-30018"}, {"Reference": "CVE-2022-29959", "Description": "Initialization file contains  credentials that can be decoded using a \"simple string transformation\"", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-29959"}, {"Reference": "CVE-2022-35411", "Description": "Python-based RPC framework enables pickle functionality by default, allowing clients to unpickle untrusted data.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-35411"}, {"Reference": "CVE-2022-29519", "Description": "Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-29519"}, {"Reference": "CVE-2022-30312", "Description": "Building Controller uses a protocol that transmits authentication credentials in plaintext.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-30312"}, {"Reference": "CVE-2022-31204", "Description": "Programmable Logic Controller (PLC) sends password in plaintext.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-31204"}, {"Reference": "CVE-2022-30275", "Description": "Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-30275"}, {"Reference": "CVE-2007-0681", "Description": "Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-0681"}, {"Reference": "CVE-2000-0944", "Description": "Web application password change utility doesn't check the original password.", "Link": "https://www.cve.org/CVERecord?id=CVE-2000-0944"}, {"Reference": "CVE-2005-3435", "Description": "product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-3435"}, {"Reference": "CVE-2005-0408", "Description": "chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-0408"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "OWASP Top Ten 2007", "Entry_ID": "A7", "Entry_Name": "Broken Authentication and Session Management", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A3", "Entry_Name": "Broken Authentication and Session Management", "Mapping_Fit": "CWE More Specific"}]}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "102"}, {"@CAPEC_ID": "474"}, {"@CAPEC_ID": "50"}, {"@CAPEC_ID": "509"}, {"@CAPEC_ID": "551"}, {"@CAPEC_ID": "555"}, {"@CAPEC_ID": "560"}, {"@CAPEC_ID": "561"}, {"@CAPEC_ID": "600"}, {"@CAPEC_ID": "644"}, {"@CAPEC_ID": "645"}, {"@CAPEC_ID": "652"}, {"@CAPEC_ID": "653"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-44", "@Section": "\"Sin 19: Use of Weak Password-Based Systems.\" Page 279"}, {"@External_Reference_ID": "REF-1283"}]}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is a Class and might have Base-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Content_History": {"Submission": {"Submission_Name": "Anonymous Tool Vendor (under NDA)", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Potential_Mitigations, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-05-27", "Modification_Version": "1.4", "Modification_ReleaseDate": "2009-05-27", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-03-29", "Modification_Version": "1.12", "Modification_ReleaseDate": "2011-03-30", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Common_Consequences, Demonstrative_Examples, Observed_Examples, References, Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Demonstrative_Examples, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-06-23", "Modification_Version": "2.7", "Modification_ReleaseDate": "2014-06-23", "Modification_Comment": "updated Other_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-05-03", "Modification_Version": "2.11", "Modification_ReleaseDate": "2017-05-05", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Demonstrative_Examples, Modes_of_Introduction, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Description, Relationships, Type"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Related_Attack_Patterns, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-07-20", "Modification_Version": "4.5", "Modification_ReleaseDate": "2021-07-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Demonstrative_Examples, Observed_Examples, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Applicable_Platforms, Observed_Examples, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Relationships, Weakness_Ordinalities"}]}}
