CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2178 vulnerabilities reference this CWE, most recent first.
GHSA-6762-8X76-3VRF
Vulnerability from github – Published: 2025-04-29 18:30 – Updated: 2025-04-29 18:30{
"affected": [],
"aliases": [
"CVE-2025-23179"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T16:15:30Z",
"severity": "MODERATE"
},
"details": "CWE-798: Use of Hard-coded Credentials",
"id": "GHSA-6762-8x76-3vrf",
"modified": "2025-04-29T18:30:57Z",
"published": "2025-04-29T18:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23179"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-676R-WMG9-6WW8
Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-21 18:30Hardcoded AES key to encrypt cardemulation PINs in NFC prior to SMR Jan-2023 Release 1 allows attackers to access cardemulation PIN.
{
"affected": [],
"aliases": [
"CVE-2023-21426"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-09T19:15:00Z",
"severity": "MODERATE"
},
"details": "Hardcoded AES key to encrypt cardemulation PINs in NFC prior to SMR Jan-2023 Release 1 allows attackers to access cardemulation PIN.",
"id": "GHSA-676r-wmg9-6ww8",
"modified": "2023-02-21T18:30:25Z",
"published": "2023-02-09T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21426"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-67X4-QR35-QVRM
Vulnerability from github – Published: 2022-10-05 21:26 – Updated: 2024-05-20 21:35Impact
Users who enable the default Flyte’s authorization server without changing the default clientid hashes will be exposed to the public internet.
In an effort to make enabling authentication easier for Flyte administrators, the default configuration for Flyte Admin allows access for Flyte Propeller even after turning on authentication via a hardcoded hashed password. This password is also set on the default Flyte Propeller configmap in the various Flyte Helm charts. Users who enable auth but do not override this setting in Flyte Admin’s configuration may unknowingly allow public traffic in by way of this default password with attackers effectively impersonating propeller. This only applies to users who have not specified the ExternalAuthorizationServer setting. Using an external auth server automatically turns off this default configuration is not susceptible to this vulnerability.
Patches
1.1.44
Workarounds
Users should manually set the staticClients in the selfAuthServer section of their configuration if they intend to rely on Admin’s internal auth server.
References
https://github.com/flyteorg/flyteadmin/pull/478 https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
For more information
If you have any questions or comments about this advisory: * Open an issue in Flyte * Email us here
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/flyteorg/flyteadmin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.44"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39273"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-05T21:26:26Z",
"nvd_published_at": "2022-10-06T18:16:00Z",
"severity": "HIGH"
},
"details": "### Impact\nUsers who enable the default [Flyte\u2019s authorization server](https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server) without changing the default clientid hashes will be exposed to the public internet.\n\nIn an effort to make enabling authentication easier for Flyte administrators, the default configuration for Flyte Admin allows access for Flyte Propeller even after turning on authentication via a hardcoded hashed password. This password is also set on the default Flyte Propeller configmap in the various Flyte Helm charts. Users who enable auth but do not override this setting in Flyte Admin\u2019s configuration may unknowingly allow public traffic in by way of this default password with attackers effectively impersonating propeller. This only applies to users who have not specified the ExternalAuthorizationServer setting. Using an external auth server automatically turns off this default configuration is not susceptible to this vulnerability.\n\n### Patches\n1.1.44\n\n### Workarounds\nUsers should manually set the staticClients in the selfAuthServer section of their configuration if they intend to rely on Admin\u2019s internal auth server. \n\n### References\nhttps://github.com/flyteorg/flyteadmin/pull/478\nhttps://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server \n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Flyte](https://github.com/flyteorg/flyte/issues)\n* Email us [here](mailto:admin@flyte.org)",
"id": "GHSA-67x4-qr35-qvrm",
"modified": "2024-05-20T21:35:54Z",
"published": "2022-10-05T21:26:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-67x4-qr35-qvrm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39273"
},
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/pull/478"
},
{
"type": "WEB",
"url": "https://github.com/flyteorg/flyteadmin/commit/281172edf55fe6800959238fc128964ead6d9101"
},
{
"type": "WEB",
"url": "https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server"
},
{
"type": "PACKAGE",
"url": "https://github.com/flyteorg/flyteadmin"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-1043"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "FlyteAdmin\u0027s Default OAuth Authorization Server secret must be rotated"
}
GHSA-68FF-Q375-8PHX
Vulnerability from github – Published: 2023-06-01 06:30 – Updated: 2024-04-04 04:27Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys which allows attackers to bind any affected device to their own account. Attackers are then able to create WCF and DrayDDNS licenses and synchronize them from the website.
{
"affected": [],
"aliases": [
"CVE-2023-33778"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-01T04:15:10Z",
"severity": "CRITICAL"
},
"details": "Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys which allows attackers to bind any affected device to their own account. Attackers are then able to create WCF and DrayDDNS licenses and synchronize them from the website.",
"id": "GHSA-68ff-q375-8phx",
"modified": "2024-04-04T04:27:41Z",
"published": "2023-06-01T06:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33778"
},
{
"type": "WEB",
"url": "https://gist.github.com/Ji4n1ng/6d028709d39458f5ab95b3ea211225ef"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-68QM-WH67-JRC3
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:12WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic secret for generating support PINs for the 'forgot password' feature. By knowing this static secret and the corresponding algorithm for calculating support PINs, an attacker can reset the ADMIN password and thus gain remote access.
{
"affected": [],
"aliases": [
"CVE-2019-13352"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-05T20:15:00Z",
"severity": "CRITICAL"
},
"details": "WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic secret for generating support PINs for the \u0027forgot password\u0027 feature. By knowing this static secret and the corresponding algorithm for calculating support PINs, an attacker can reset the ADMIN password and thus gain remote access.",
"id": "GHSA-68qm-wh67-jrc3",
"modified": "2024-04-04T01:12:22Z",
"published": "2022-05-24T16:49:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13352"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-021.txt"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/153530/WolfVision-Cynap-1.18g-1.28j-Hardcoded-Credential.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Jul/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-68R9-5XR5-XJ6J
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions: Log in with a default credential if the Telnet protocol is enabled Perform command injection Modify the configuration For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2021-34795"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-04T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Multiple vulnerabilities in the web-based management interface of the Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminal (ONT) could allow an unauthenticated, remote attacker to perform the following actions: Log in with a default credential if the Telnet protocol is enabled Perform command injection Modify the configuration For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-68r9-5xr5-xj6j",
"modified": "2022-05-24T19:19:46Z",
"published": "2022-05-24T19:19:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34795"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catpon-multivulns-CE3DSYGr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6925-Q744-QCX6
Vulnerability from github – Published: 2022-05-05 00:00 – Updated: 2022-05-17 00:01Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials.
{
"affected": [],
"aliases": [
"CVE-2022-23724"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-288",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-04T17:15:00Z",
"severity": "HIGH"
},
"details": "Use of static encryption key material allows forging an authentication token to other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, must have compromised user credentials.",
"id": "GHSA-6925-q744-qcx6",
"modified": "2022-05-17T00:01:43Z",
"published": "2022-05-05T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23724"
},
{
"type": "WEB",
"url": "https://docs.pingidentity.com/bundle/pingid/page/xqz1597139945488.html"
},
{
"type": "WEB",
"url": "https://www.pingidentity.com/en/resources/downloads/pingid.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6935-M9Q3-2P9X
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34EasyLobby Solo contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application.
{
"affected": [],
"aliases": [
"CVE-2018-17492"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-21T16:00:00Z",
"severity": "HIGH"
},
"details": "EasyLobby Solo contains default administrative credentials. An attacker could exploit this vulnerability to gain full access to the application.",
"id": "GHSA-6935-m9q3-2p9x",
"modified": "2022-05-13T01:34:04Z",
"published": "2022-05-13T01:34:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17492"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/149652"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-697P-2497-7M42
Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2023-02-04 00:30The SSH service is enabled on the Zingbox Inspector versions 1.294 and earlier, exposing SSH to the local network. When combined with PAN-SA-2019-0027, this can allow an attacker to authenticate to the service using hardcoded credentials.
{
"affected": [],
"aliases": [
"CVE-2019-15017"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-09T21:15:00Z",
"severity": "HIGH"
},
"details": "The SSH service is enabled on the Zingbox Inspector versions 1.294 and earlier, exposing SSH to the local network. When combined with PAN-SA-2019-0027, this can allow an attacker to authenticate to the service using hardcoded credentials.",
"id": "GHSA-697p-2497-7m42",
"modified": "2023-02-04T00:30:27Z",
"published": "2022-05-24T16:58:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15017"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2019-15017"
},
{
"type": "WEB",
"url": "https://securityadvisories.paloaltonetworks.com/Home/Detail/176"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-697P-5M9W-JHMW
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28A hard-coded password vulnerability exists in the SFTP Log Collection Server function of Trend Micro Inc.’s Home Network Security 6.1.567. A specially crafted network request can lead to arbitrary authentication. An attacker can send an unauthenticated message to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-32459"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-27T11:15:00Z",
"severity": "MODERATE"
},
"details": "A hard-coded password vulnerability exists in the SFTP Log Collection Server function of Trend Micro Inc.\u2019s Home Network Security 6.1.567. A specially crafted network request can lead to arbitrary authentication. An attacker can send an unauthenticated message to trigger this vulnerability.",
"id": "GHSA-697p-5m9w-jhmw",
"modified": "2022-05-24T22:28:17Z",
"published": "2022-05-24T22:28:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32459"
},
{
"type": "WEB",
"url": "https://helpcenter.trendmicro.com/en-us/article/TMKA-10337"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1241"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1241"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.