Common Weakness Enumeration

CWE-547

Allowed

Use of Hard-coded, Security-relevant Constants

Abstraction: Base · Status: Draft

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.

23 vulnerabilities reference this CWE, most recent first.

GHSA-QCP5-JCCP-3P6H

Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-07-17 15:32
VLAI
Details

MICROSENS NMP Web+ could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-547"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-25T17:15:37Z",
    "severity": "CRITICAL"
  },
  "details": "MICROSENS NMP Web+\u00a0could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication.",
  "id": "GHSA-qcp5-jccp-3p6h",
  "modified": "2025-07-17T15:32:09Z",
  "published": "2025-06-26T21:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49151"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07"
    },
    {
      "type": "WEB",
      "url": "https://www.microsens.com/support/downloads/nmp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W7QG-J435-78QW

Vulnerability from github – Published: 2023-03-30 12:30 – Updated: 2023-04-06 22:53
VLAI
Summary
Use of hard-coded, security-relevant constants in deepset-ai/haystack
Details

Use of Hard-coded, Security-relevant Constants in GitHub repository deepset-ai/haystack in version 1.15.0 and prior. A patch is available at commit 5fc84904f198de661d5b933fde756aa922bf09f1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "farm-haystack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1712"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-547"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-30T22:55:51Z",
    "nvd_published_at": "2023-03-30T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Use of Hard-coded, Security-relevant Constants in GitHub repository deepset-ai/haystack in version 1.15.0 and prior. A patch is available at commit 5fc84904f198de661d5b933fde756aa922bf09f1.",
  "id": "GHSA-w7qg-j435-78qw",
  "modified": "2023-04-06T22:53:10Z",
  "published": "2023-03-30T12:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1712"
    },
    {
      "type": "WEB",
      "url": "https://github.com/deepset-ai/haystack/pull/4535"
    },
    {
      "type": "WEB",
      "url": "https://github.com/deepset-ai/haystack/commit/5fc84904f198de661d5b933fde756aa922bf09f1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/deepset-ai/haystack"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/9a6b1fb4-ec9b-4cfa-af1e-9ce304924829"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of hard-coded, security-relevant constants in deepset-ai/haystack"
}

GHSA-XQ6H-7HWW-F48M

Vulnerability from github – Published: 2024-07-09 12:30 – Updated: 2024-07-09 12:30
VLAI
Details

A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified.

This could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-547"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T12:15:20Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Mendix Encryption (All versions \u003e= V10.0.0 \u003c V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified.\n\nThis could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised.",
  "id": "GHSA-xq6h-7hww-f48m",
  "modified": "2024-07-09T12:30:58Z",
  "published": "2024-07-09T12:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39888"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-998949.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation

Avoid using hard-coded constants. Configuration files offer a more flexible solution.

No CAPEC attack patterns related to this CWE.