Vulnerabilities (CVE)

Filtered by CWE-522
Total 782 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-40845 1 Tenda 2 Ac1200 V-w15ev2, W15e Firmware 2023-01-27 N/A 6.5 MEDIUM
The Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576) is affected by a password exposure vulnerability. When combined with the improper authorization/improper session management vulnerability, an attacker with access to the router may be able to expose sensitive information which they're not explicitly authorized to have.
CVE-2021-22798 1 Schneider-electric 2 Conext Combox, Conext Combox Firmware 2023-01-25 5.0 MEDIUM 7.5 HIGH
A CWE-522: Insufficiently Protected Credentials vulnerability exists that could cause Sensitive data such as login credentials being exposed when a Network is sniffed. Affected Product: Conext? ComBox (All Versions)
CVE-2022-41859 1 Freeradius 1 Freeradius 2023-01-24 N/A 7.5 HIGH
In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.
CVE-2021-36204 1 Johnsoncontrols 3 Metasys Application And Data Server, Metasys Extended Application And Data Server, Metasys Open Application Server 2023-01-23 N/A 7.5 HIGH
Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.
CVE-2019-11402 1 Gradle 1 Enterprise 2023-01-20 5.0 MEDIUM 9.8 CRITICAL
In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.
CVE-2021-36783 1 Suse 1 Rancher 2023-01-18 N/A 8.8 HIGH
A Insufficiently Protected Credentials vulnerability in SUSE Rancher allows authenticated Cluster Owners, Cluster Members, Project Owners and Project Members to read credentials, passwords and API tokens that have been stored in cleartext and exposed via API endpoints. This issue affects: SUSE Rancher Rancher versions prior to 2.6.4; Rancher versions prior to 2.5.13.
CVE-2022-23538 2023-01-17 N/A N/A
github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when communicating with a Singularity Enterprise 1.x installation, or third party server implementing this flow. Interaction with Singularity Enterprise 2.x, and Singularity Container Services (cloud.sylabs.io), does not trigger the vulnerable flow. We encourage all users to update. Users who interact with a Singularity Enterprise 1.x installation, using a 3rd party S3 storage service, are advised to revoke and recreate their authentication tokens within Singularity Enterprise. There is no workaround available at this time.
CVE-2016-15014 1 Cesnet 1 Theme-cesnet 2023-01-12 N/A 5.5 MEDIUM
A vulnerability has been found in CESNET theme-cesnet up to 1.x and classified as problematic. Affected by this vulnerability is an unknown functionality of the file cesnet/core/lostpassword/templates/resetpassword.php. The manipulation leads to insufficiently protected credentials. Attacking locally is a requirement. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is 2b857f2233ce5083b4d5bc9bfc4152f933c3e4a6. It is recommended to upgrade the affected component. The identifier VDB-217633 was assigned to this vulnerability.
CVE-2022-2967 1 Prosysopc 2 Ua Modbus Server, Ua Simulation Server 2023-01-10 N/A 7.5 HIGH
Prosys OPC UA Simulation Server version prior to v5.3.0-64 and UA Modbus Server versions 1.4.18-5 and prior do not sufficiently protect credentials, which could allow an attacker to obtain user credentials and gain access to system data.
CVE-2021-22923 5 Fedoraproject, Haxx, Netapp and 2 more 22 Fedora, Curl, Cloud Backup and 19 more 2023-01-05 2.6 LOW 5.3 MEDIUM
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
CVE-2022-27774 4 Brocade, Debian, Haxx and 1 more 16 Fabric Operating System, Debian Linux, Curl and 13 more 2023-01-05 3.5 LOW 5.7 MEDIUM
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
CVE-2022-27776 5 Brocade, Debian, Fedoraproject and 2 more 17 Fabric Operating System, Debian Linux, Fedora and 14 more 2023-01-05 4.3 MEDIUM 6.5 MEDIUM
A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
CVE-2022-45423 1 Dahuasecurity 8 Dhi-dss4004-s2, Dhi-dss4004-s2 Firmware, Dhi-dss7016d-s2 and 5 more 2023-01-05 N/A 7.5 HIGH
Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials. An attacker can obtain encrypted MQTT credentials by sending a specific crafted packet to the vulnerable interface (the credentials cannot be directly exploited).
CVE-2022-45424 1 Dahuasecurity 8 Dhi-dss4004-s2, Dhi-dss4004-s2 Firmware, Dhi-dss7016d-s2 and 5 more 2023-01-05 N/A 5.3 MEDIUM
Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key. An attacker can obtain the AES crypto key by sending a specific crafted packet to the vulnerable interface.
CVE-2022-22458 2 Ibm, Linux 2 Security Verify Governance, Linux Kernel 2022-12-28 N/A 6.5 MEDIUM
IBM Security Verify Governance, Identity Manager 10.0.1 stores user credentials in plain clear text which can be read by a remote authenticated user. IBM X-Force ID: 225009.
CVE-2022-4612 1 Clickstudios 1 Passwordstate 2022-12-23 N/A 6.5 MEDIUM
A vulnerability has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome and classified as problematic. This vulnerability affects unknown code. The manipulation leads to insufficiently protected credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. VDB-216274 is the identifier assigned to this vulnerability.
CVE-2022-46142 1 Siemens 202 Ruggedcom Rm1224 Lte\(4g\) Eu, Ruggedcom Rm1224 Lte\(4g\) Eu Firmware, Ruggedcom Rm1224 Lte\(4g\) Nam and 199 more 2022-12-19 N/A 4.6 MEDIUM
Affected devices store the CLI user passwords encrypted in flash memory. Attackers with physical access to the device could retrieve the file and decrypt the CLI user passwords.
CVE-2022-42445 1 Hcltechsw 1 Hcl Launch 2022-12-14 N/A 4.9 MEDIUM
HCL Launch could allow a user with administrative privileges, including "Manage Security" permissions, the ability to recover a credential previously saved for performing authenticated LDAP searches.
CVE-2022-29839 2 Linux, Westerndigital 12 Linux Kernel, My Cloud, My Cloud Dl2100 and 9 more 2022-12-12 N/A 5.5 MEDIUM
Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux.
CVE-2022-30944 1 Intel 2 Active Management Technology, Standard Manageability 2022-12-09 N/A 5.5 MEDIUM
Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access.