Common Weakness Enumeration

CWE-321

Allowed

Use of Hard-coded Cryptographic Key

Abstraction: Variant · Status: Draft

The product uses a hard-coded, unchangeable cryptographic key.

503 vulnerabilities reference this CWE, most recent first.

GHSA-7M5H-J2PG-2JR2

Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2026-06-03 15:30
VLAI
Details

Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-6990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-16T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, The cryptographic key utilized to help protect the account password is hard coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.",
  "id": "GHSA-7m5h-j2pg-2jr2",
  "modified": "2026-06-03T15:30:33Z",
  "published": "2022-05-24T17:11:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6990"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-20-070-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7RV4-G7QG-Q4MX

Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32
VLAI
Details

Logsign Unified SecOps Platform HTTP API Hard-coded Cryptographic Key Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the HTTP API. The issue results from using a hard-coded cryptographic key. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24170.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5722"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "Logsign Unified SecOps Platform HTTP API Hard-coded Cryptographic Key Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the HTTP API. The issue results from using a hard-coded cryptographic key. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24170.",
  "id": "GHSA-7rv4-g7qg-q4mx",
  "modified": "2024-11-22T21:32:16Z",
  "published": "2024-11-22T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5722"
    },
    {
      "type": "WEB",
      "url": "https://support.logsign.net/hc/en-us/articles/19316621924754-03-06-2024-Version-6-4-8-Release-Notes"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-614"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7W44-CFPH-XHH9

Vulnerability from github – Published: 2025-02-11 09:30 – Updated: 2025-02-11 09:30
VLAI
Details

SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-11T08:15:30Z",
    "severity": "MODERATE"
  },
  "details": "SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software.",
  "id": "GHSA-7w44-cfph-xhh9",
  "modified": "2025-02-11T09:30:33Z",
  "published": "2025-02-11T09:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28989"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-5_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28989"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7W8F-Q3M3-PFJ7

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2025-01-31 21:32
VLAI
Details

Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user's account by crafting a custom "Remember Me" token. This is possible due to the use of a hard-coded cipher which was used when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system, provided they know the username they want to impersonate, and impersonate the user.  Score 6.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-27T18:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "Code Dx versions prior to 2023.4.2 are vulnerable to user impersonation attack where a malicious actor is able to gain access to another user\u0027s account by crafting a custom \"Remember Me\" token. This is possible due to the use of a hard-coded cipher which was used when generating the token. A malicious actor who creates this token can supply it to a separate Code Dx system, provided they know the username they want to impersonate, and impersonate the user.\u00a0\u00a0Score\u00a06.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C\n\n",
  "id": "GHSA-7w8f-q3m3-pfj7",
  "modified": "2025-01-31T21:32:44Z",
  "published": "2023-07-06T19:24:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2158"
    },
    {
      "type": "WEB",
      "url": "https://community.synopsys.com/s/question/0D5Hr00006VdZblKAF/announcement-changelog-code-dx-202342"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-82VJ-CRX8-GVP9

Vulnerability from github – Published: 2024-07-17 18:31 – Updated: 2024-07-17 18:31
VLAI
Details

A vulnerability in Cisco Intelligent Node (iNode) Software could allow an unauthenticated, remote attacker to hijack the TLS connection between Cisco iNode Manager and associated intelligent nodes and send arbitrary traffic to an affected device.

This vulnerability is due to the presence of hard-coded cryptographic material. An attacker in a man-in-the-middle position between Cisco iNode Manager and associated deployed nodes could exploit this vulnerability by using the static cryptographic key to generate a trusted certificate and impersonate an affected device. A successful exploit could allow the attacker to read data that is meant for a legitimate device, modify the startup configuration of an associated node, and, consequently, cause a denial of service (DoS) condition for downstream devices that are connected to the affected node.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-17T17:15:12Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in Cisco Intelligent Node (iNode) Software could allow an unauthenticated, remote attacker to hijack the TLS connection between Cisco iNode Manager and associated intelligent nodes and send arbitrary traffic to an affected device.\n\n This vulnerability is due to the presence of hard-coded cryptographic material. An attacker in a man-in-the-middle position between Cisco iNode Manager and associated deployed nodes could exploit this vulnerability by using the static cryptographic key to generate a trusted certificate and impersonate an affected device. A successful exploit could allow the attacker to read data that is meant for a legitimate device, modify the startup configuration of an associated node, and, consequently, cause a denial of service (DoS) condition for downstream devices that are connected to the affected node.",
  "id": "GHSA-82vj-crx8-gvp9",
  "modified": "2024-07-17T18:31:00Z",
  "published": "2024-07-17T18:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20323"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-inode-static-key-VUVCeynn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83VR-2Q27-PM8V

Vulnerability from github – Published: 2026-01-24 03:30 – Updated: 2026-01-26 21:30
VLAI
Details

Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-24T01:15:50Z",
    "severity": "CRITICAL"
  },
  "details": "Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.",
  "id": "GHSA-83vr-2q27-pm8v",
  "modified": "2026-01-26T21:30:36Z",
  "published": "2026-01-24T03:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22586"
    },
    {
      "type": "WEB",
      "url": "https://help.salesforce.com/s/articleView?id=005299346\u0026type=1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-849R-HJ58-P84G

Vulnerability from github – Published: 2026-05-20 21:31 – Updated: 2026-05-20 21:31
VLAI
Details

NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables host impersonation or attacker-in-the-middle attacks. A successful exploit of this vulnerability might lead to code execution, data tampering, escalation of privileges, information disclosure, and denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-20T20:16:36Z",
    "severity": "HIGH"
  },
  "details": "NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where  the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables host impersonation or attacker-in-the-middle attacks. A successful exploit of this vulnerability might lead to code execution, data tampering, escalation of privileges, information disclosure, and denial of service.",
  "id": "GHSA-849r-hj58-p84g",
  "modified": "2026-05-20T21:31:30Z",
  "published": "2026-05-20T21:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24218"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5835"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24218"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84C3-J8R2-MCM8

Vulnerability from github – Published: 2024-02-26 20:10 – Updated: 2024-02-26 20:10
VLAI
Summary
@nfid/embed has compromised private key due to @dfinity/auth-client producing insecure session keys
Details

Problem

User sessions in the @nfid/embed SDK with Ed25519 keys are vulnerable due to a compromised private key 535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe. This exposes users to potential loss of funds on ledgers and unauthorized access to canisters they control.

Solution

Using version >1.0.1 of @dfinity/auth-client and @dfinity/identity packages, or @nfid/embed >0.10.1-alpha.6 includes patched versions of the issue.

User sessions will be automatically fixed when they re-authenticate.

Why this happened

The DFINITY auth client library provides a function, Ed25519KeyIdentity.generate, for generating an Ed25519 key pair. This function includes an optional parameter to supply a 32-byte seed value, which will be utilized as the secret key. In cases where no seed value is provided, the library is expected to generate the secret key using secure randomness. However, a recent update of DFINITY libraries has compromised this assurance by employing an insecure seed for key pair generation.

References

AgentJS CVE

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@nfid/embed"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.0"
            },
            {
              "fixed": "0.10.1-alpha.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-26T20:10:10Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Problem\nUser sessions in the @nfid/embed SDK with Ed25519 keys are vulnerable due to a compromised private key `535yc-uxytb-gfk7h-tny7p-vjkoe-i4krp-3qmcl-uqfgr-cpgej-yqtjq-rqe`. This exposes users to potential loss of funds on ledgers and unauthorized access to canisters they control.\n\n### Solution\nUsing version \u003e1.0.1 of @dfinity/auth-client and @dfinity/identity packages, or @nfid/embed \u003e0.10.1-alpha.6 includes patched versions of the issue.\n\nUser sessions will be automatically fixed when they re-authenticate.\n\n### Why this happened\nThe DFINITY auth client library provides a function, `Ed25519KeyIdentity.generate`, for generating an Ed25519 key pair. This function includes an optional parameter to supply a 32-byte seed value, which will be utilized as the secret key. In cases where no seed value is provided, the library is expected to generate the secret key using secure randomness. However, a recent update of DFINITY libraries has compromised this assurance by employing an insecure seed for key pair generation.\n\n### References\n[AgentJS CVE ](https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3)\n",
  "id": "GHSA-84c3-j8r2-mcm8",
  "modified": "2024-02-26T20:10:10Z",
  "published": "2024-02-26T20:10:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dfinity/agent-js/security/advisories/GHSA-c9vv-fhgv-cjc3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/internet-identity-labs/sdk-ts/security/advisories/GHSA-84c3-j8r2-mcm8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/internet-identity-labs/sdk-ts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@nfid/embed has compromised private key due to @dfinity/auth-client producing insecure session keys"
}

GHSA-86F3-HF24-76Q4

Vulnerability from github – Published: 2022-02-22 19:40 – Updated: 2026-05-19 16:06
VLAI
Summary
Use of Hard-coded Cryptographic Key in Netmaker
Details

Impact

There is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server, if you know the address and username of the admin. This effects the server (netmaker) component, and not clients.

Patches

This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. If you are running these versions, the fix is to perform the following:

  1. docker-compose down
  2. docker pull gravitl/netmaker:( version )
  3. docker-compose up -d

Additional Information

If you are running any other version, you will need to upgrade to one of these three versions. If you have a special circumstance that requires running a different version, let us know and we may be able to build a custom patch.

For more information

If you have any questions or comments about this advisory: * Email us at info@gravitl.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gravitl/netmaker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gravitl/netmaker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.0"
            },
            {
              "fixed": "0.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23650"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-798"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-22T19:40:23Z",
    "nvd_published_at": "2022-02-18T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nThere is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server, if you know the address and username of the admin. This effects the server (netmaker) component, and not clients.\n\n### Patches\nThis has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. If you are running these versions, the fix is to perform the following:\n\n1. docker-compose down\n2. docker pull gravitl/netmaker:( version )\n3. docker-compose up -d\n\n#### Additional Information\nIf you are running **any other version**, you will need to upgrade to one of these three versions. If you have a special circumstance that requires running a different version, let us know and we may be able to build a custom patch.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [info@gravitl.com](mailto:info@gravitl.com)",
  "id": "GHSA-86f3-hf24-76q4",
  "modified": "2026-05-19T16:06:11Z",
  "published": "2022-02-22T19:40:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-86f3-hf24-76q4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23650"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gravitl/netmaker/pull/781/commits/1bec97c662670dfdab804343fc42ae4b1d050a87"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gravitl/netmaker/commit/3d4f44ecfe8be4ca38920556ba3b90502ffb4fee"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gravitl/netmaker/commit/e9bce264719f88c30e252ecc754d08f422f4c080"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gravitl/netmaker"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of Hard-coded Cryptographic Key in Netmaker"
}

GHSA-8PJ9-C2GQ-JHW8

Vulnerability from github – Published: 2024-02-06 21:30 – Updated: 2024-04-29 12:30
VLAI
Details

A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1258"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-06T21:15:08Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in Juanpao JPShop up to 1.5.02. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file api/config/params.php of the component API. The manipulation of the argument JWT_KEY_ADMIN leads to use of hard-coded cryptographic key\n . The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-252997 was assigned to this vulnerability.",
  "id": "GHSA-8pj9-c2gq-jhw8",
  "modified": "2024-04-29T12:30:34Z",
  "published": "2024-02-06T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1258"
    },
    {
      "type": "WEB",
      "url": "https://note.zhaoj.in/share/XblX1My7jNV7"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.252997"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.252997"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.277418"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Prevention schemes mirror that of hard-coded password storage.

No CAPEC attack patterns related to this CWE.