Class · High

CWE-522: Insufficiently Protected Credentials

CWE-522 · Class Level · 11 CVEs · 3 Mitigations

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Demonstrative Examples

This code changes a user's password.
Bad
    <?php
    // Deliberately weak, as in the original example: the target username and the
    // new password are taken straight from the query string, with no check of who
    // is asking.
    $user = $_GET['user'];
    $pass = $_GET['pass'];
    $checkpass = $_GET['checkpass'];
    if ($pass == $checkpass) {
        SetUserPassword($user, $pass);
    }
While the code confirms that the requesting user typed the same new password twice, it never confirms that the requester is authenticated as $user, nor does it require the account's current password. An attacker can request a change of another user's password and take over the victim's account. Because the values travel as GET parameters, the new password is also written to web server and intermediary logs, which is the transmission side of this weakness.
The following code reads a password from a properties file and uses the password to connect to a database.
Bad
    import java.io.FileInputStream;
    import java.sql.DriverManager;
    import java.util.Properties;
    ...
    Properties prop = new Properties();
    prop.load(new FileInputStream("config.properties"));
    String password = prop.getProperty("password");  // cleartext credential read from disk
    DriverManager.getConnection(url, usr, password);
    ...
This code will run successfully, but anyone who can read config.properties (including through backups or source-control copies of it) learns the database password. A devious employee with that access can use it to connect to the database directly, bypassing the application entirely.
The following code reads a password from the Windows registry and uses the password to create a new network credential.
Bad
    ...
    string password = regKey.GetValue(passKey).ToString();  // cleartext credential stored in the registry
    NetworkCredential netCred = new NetworkCredential(username, password, domain);
    ...
This code will run successfully, but anyone who has read access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system.
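The two examples above fail because the credential sits in a store that every local reader can open. The following is an added example, not code from the CWE page: it resolves a database password from an injected environment variable first and otherwise from a dedicated secrets file that is refused unless it is a regular file readable only by its owner (the same rule ssh applies to private keys). The environment variable name DB_PASSWORD, the file path and the sample secret are constructed for the demonstration.

```python
# Added example (not from the CWE page): load a database credential without
# leaving it world-readable. DB_PASSWORD, paths and the sample secret are assumed.
import os
import stat
import tempfile
from typing import Mapping, Optional

SECRET_ENV_VAR = "DB_PASSWORD"  # assumed name; injected by the deployment, never committed


def secret_file_mode_ok(mode: int) -> bool:
    """Accept a secrets file only if group and other hold no permission bits
    (0600, 0400 or stricter)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_secret_from_file(path: str) -> str:
    """Read a secret from a file, refusing symlinks, non-regular files and
    permissive modes. The descriptor is opened first and then inspected with
    fstat, so the checks apply to the file actually read (no lstat/open race)."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # O_NOFOLLOW rejects a symlink at path
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        mode = stat.S_IMODE(st.st_mode)
        if not secret_file_mode_ok(mode):
            raise PermissionError(
                f"{path}: mode {mode:04o} is readable by group/other; chmod 600 it")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "r", encoding="utf-8") as fh:
        return fh.read().strip()


def load_db_password(secret_path: Optional[str] = None,
                     environ: Mapping[str, str] = os.environ) -> str:
    """Resolution order: injected environment variable, then a permission-checked
    secrets file. The password never lives in the shared config file next to
    non-secret settings, and the value is never logged."""
    value = environ.get(SECRET_ENV_VAR)
    if value:
        return value
    if secret_path is not None:
        return load_secret_from_file(secret_path)
    raise LookupError(f"no database credential: set {SECRET_ENV_VAR} or provide a secrets file")


if __name__ == "__main__":
    # Demo: the same constructed secret is accepted at 0600 and rejected at 0644.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "db_password")
        with open(p, "w", encoding="utf-8") as fh:
            fh.write("constructed-sample-secret\n")
        os.chmod(p, 0o600)
        print("0600:", load_db_password(p, environ={}))
        os.chmod(p, 0o644)
        try:
            load_db_password(p, environ={})
        except PermissionError as e:
            print("0644:", e)
```

Environment variables are a step up from a shared config file but not a vault: they are readable from /proc/<pid>/environ by the same user and inherited by every child process, so for anything beyond a single service the page's "industry standards" mitigation (an OS keystore or a secret manager that injects a short-lived credential) is the better home.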
Both of these examples verify a password by comparing it to a stored compressed version.
Bad
    #include <stdio.h>
    #include <string.h>

    /* compress() and compressed_password are defined elsewhere; the stored
       value is the password under a reversible compression, not a hash. */
    int VerifyAdmin(char *password) {
        if (strcmp(compress(password), compressed_password)) {
            printf("Incorrect Password!\n");
            return(0);
        }
        printf("Entering Diagnostic Mode...\n");
        return(1);
    }
Bad
    int VerifyAdmin(String password) {
        // Same weakness as the C version: the comparison is against a compressed copy.
        if (!compressed_password.Equals(compress(password))) {
            return(0);
        }
        // Diagnostic Mode
        return(1);
    }
Because compression is reversible, anyone who obtains the stored compressed_password values (for example by reading the database) recovers the cleartext passwords simply by decompressing them; no guessing is involved. A salted one-way hash would force an attacker to brute-force each password instead.
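The following is an added example, not code from the CWE page, that puts the password-change example and the compression example above side by side in one small credential store. The compress-based verifier is reproduced as the page describes it and is shown to be reversible; the store itself keeps a salted PBKDF2-HMAC-SHA256 hash, compares in constant time, and its change_password adds the checks the PHP handler lacks (the requester must own the account and must prove the current password). Usernames and passwords are constructed sample data; the iteration count follows current OWASP guidance and is a parameter so tests can run quickly.

```python
# Added example (not from the CWE page): reversible "protection" versus a
# one-way hash, plus a password change that checks who is asking.
import hashlib
import hmac
import os
import zlib
from typing import Dict, Optional, Tuple

# ---- Bad: compression instead of a one-way hash (mirrors VerifyAdmin) ----
def compress_credential(password: bytes) -> bytes:
    return zlib.compress(password)

def verify_admin_compressed(password: bytes, compressed_password: bytes) -> bool:
    # Same comparison as the C/C# examples. The stored value is the password
    # itself, reversibly encoded, so recovering it needs no guessing at all.
    return compress_credential(password) == compressed_password

def recover_from_compressed(compressed_password: bytes) -> bytes:
    return zlib.decompress(compressed_password)

# ---- Good: salted, iterated, one-way hash with constant-time comparison ----
DEFAULT_ITERATIONS = 600_000  # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

class CredentialStore:
    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self.iterations = iterations
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def create_user(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password, iterations=self.iterations)

    def authenticate(self, username: str, password: str) -> bool:
        rec = self._records.get(username)
        if rec is None:
            # Pay the same hashing cost for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password, iterations=self.iterations)
            return False
        return verify_password(password, rec[0], rec[1], self.iterations)

    def change_password(self, session_user: str, target_user: str,
                        current_pw: str, new_pw: str, confirm_pw: str) -> bool:
        # The page's PHP handler checks only new_pw == confirm_pw. Three more checks:
        if session_user != target_user:           # 1. requester owns the account
            return False
        if new_pw != confirm_pw or not new_pw:    # 2. confirmation matches and is non-empty
            return False
        if not self.authenticate(target_user, current_pw):  # 3. proves the current credential
            return False
        self._records[target_user] = hash_password(new_pw, iterations=self.iterations)
        return True

if __name__ == "__main__":
    leaked = compress_credential(b"hunter2")  # constructed sample
    print("recovered from compressed store:", recover_from_compressed(leaked))
    store = CredentialStore()
    store.create_user("alice", "correct horse battery staple")
    print("bob changing alice's password:",
          store.change_password("bob", "alice", "x", "pwned", "pwned"))
    print("alice with current password:",
          store.change_password("alice", "alice", "correct horse battery staple",
                                "new-pass", "new-pass"))
```

The stored (salt, digest) pair gives an attacker who reads the database nothing but an offline guessing problem whose cost is set by the iteration count; the compressed store gives them every password for free. Note that the lookup for a missing user still performs a hash so that authenticate takes the same time either way.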

Mitigations & Prevention

Architecture and Design

Use an appropriate security mechanism to protect the credentials.

Architecture and Design

Make appropriate use of cryptography to protect the credentials.

Implementation

Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID           Description
CVE-2022-30018   A messaging platform serializes all elements of User/Group objects, making private information available to adversaries.
CVE-2022-29959   Initialization file contains credentials that can be decoded using a "simple string transformation".
CVE-2022-35411   Python-based RPC framework enables pickle functionality by default, allowing clients to unpickle untrusted data.
CVE-2022-29519   Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.
CVE-2022-30312   Building Controller uses a protocol that transmits authentication credentials in plaintext.
CVE-2022-31204   Programmable Logic Controller (PLC) sends password in plaintext.
CVE-2022-30275   Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
CVE-2007-0681    Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
CVE-2000-0944    Web application password change utility doesn't check the original password.
CVE-2005-3435    Product authentication succeeds if user-provided MD5 hash matches the hash in its database; this can be subjected to replay attacks.
CVE-2005-0408    Chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.

Taxonomy Mappings

  • OWASP Top Ten 2007: A7 — Broken Authentication and Session Management
  • OWASP Top Ten 2004: A3 — Broken Authentication and Session Management

Frequently Asked Questions

What is CWE-522?

CWE-522 (Insufficiently Protected Credentials) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

How can CWE-522 be exploited?

Attackers can exploit CWE-522 (Insufficiently Protected Credentials) to gain privileges or assume another user's identity, either by intercepting credentials in transit or by retrieving them from the place they are stored. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.

How do I prevent CWE-522?

Key mitigations include: use an appropriate security mechanism to protect the credentials; make appropriate use of cryptography (for stored passwords, a salted one-way hash rather than a reversible encoding; for credentials in transit, an encrypted channel); and use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).

What is the severity of CWE-522?

CWE-522 is classified as a Class-level weakness (High abstraction). It has been observed in 11 real-world CVEs.