CWE-547
AllowedUse of Hard-coded, Security-relevant Constants
Abstraction: Base · Status: Draft
The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.
23 vulnerabilities reference this CWE, most recent first.
GHSA-QCP5-JCCP-3P6H
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-07-17 15:32MICROSENS NMP Web+ could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication.
{
"affected": [],
"aliases": [
"CVE-2025-49151"
],
"database_specific": {
"cwe_ids": [
"CWE-547"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-25T17:15:37Z",
"severity": "CRITICAL"
},
"details": "MICROSENS NMP Web+\u00a0could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication.",
"id": "GHSA-qcp5-jccp-3p6h",
"modified": "2025-07-17T15:32:09Z",
"published": "2025-06-26T21:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49151"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07"
},
{
"type": "WEB",
"url": "https://www.microsens.com/support/downloads/nmp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W7QG-J435-78QW
Vulnerability from github – Published: 2023-03-30 12:30 – Updated: 2023-04-06 22:53Use of Hard-coded, Security-relevant Constants in GitHub repository deepset-ai/haystack in version 1.15.0 and prior. A patch is available at commit 5fc84904f198de661d5b933fde756aa922bf09f1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "farm-haystack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.15.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1712"
],
"database_specific": {
"cwe_ids": [
"CWE-547"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-30T22:55:51Z",
"nvd_published_at": "2023-03-30T10:15:00Z",
"severity": "CRITICAL"
},
"details": "Use of Hard-coded, Security-relevant Constants in GitHub repository deepset-ai/haystack in version 1.15.0 and prior. A patch is available at commit 5fc84904f198de661d5b933fde756aa922bf09f1.",
"id": "GHSA-w7qg-j435-78qw",
"modified": "2023-04-06T22:53:10Z",
"published": "2023-03-30T12:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1712"
},
{
"type": "WEB",
"url": "https://github.com/deepset-ai/haystack/pull/4535"
},
{
"type": "WEB",
"url": "https://github.com/deepset-ai/haystack/commit/5fc84904f198de661d5b933fde756aa922bf09f1"
},
{
"type": "PACKAGE",
"url": "https://github.com/deepset-ai/haystack"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/9a6b1fb4-ec9b-4cfa-af1e-9ce304924829"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use of hard-coded, security-relevant constants in deepset-ai/haystack"
}
GHSA-XQ6H-7HWW-F48M
Vulnerability from github – Published: 2024-07-09 12:30 – Updated: 2024-07-09 12:30A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified.
This could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised.
{
"affected": [],
"aliases": [
"CVE-2024-39888"
],
"database_specific": {
"cwe_ids": [
"CWE-547"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-09T12:15:20Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Mendix Encryption (All versions \u003e= V10.0.0 \u003c V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified.\n\nThis could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised.",
"id": "GHSA-xq6h-7hww-f48m",
"modified": "2024-07-09T12:30:58Z",
"published": "2024-07-09T12:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39888"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-998949.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Avoid using hard-coded constants. Configuration files offer a more flexible solution.
No CAPEC attack patterns related to this CWE.