CWE-522: Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Technical Details
Structure: Simple
Applicable To: Not Language-Specific
CWE Top 25 Historical Ranking: #25 in the 2024 CWE Top 25 (283 CVEs that year)
Security Consequences
Scope: Access Control
Impact: Gain Privileges or Assume Identity
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
Mitigation Strategies
- Use an appropriate security mechanism to protect the credentials.
- Make appropriate use of cryptography to protect the credentials.
- Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
This code changes a user's password.
While the code confirms that the requesting user typed the same new password twice, it does not confirm that the user requesting the password change is the same user whose password will be changed. An attacker can request a change of another user's password and gain control of the victim's account.
The following code reads a password from a properties file and uses the password to connect to a database.
This code will run successfully, but anyone who has access to config.properties can read the value of password. If a devious employee has access to this information, they can use it to break into the system.
The following code reads a password from the registry and uses the password to create a new network credential.
This code will run successfully, but anyone who has access to the registry key used to store the password can read the value of password. If a devious employee has access to this information, they can use it to break into the system.
Both of these examples verify a password by comparing it to a stored compressed version.
Because a compression algorithm is used instead of a one way hashing algorithm, an attacker can recover compressed passwords stored in the database.
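The two demonstrative examples above (the password-change routine that never ties the request to the authenticated user, and the password check against a stored compressed copy) share one fix: store only a salted one-way derivation of the password, and require the requester to prove ownership of the account before replacing it. The following Python is an added illustration written for this page, not code from the CWE entry or from MITRE; the in-memory `AccountStore`, the `change_password` result strings and the PBKDF2 cost are all constructed for the example.

```python
import hashlib
import hmac
import os
import zlib
from typing import Dict, Optional, Tuple

# Cost parameter chosen for a fast illustration (assumption); raise it in
# production to whatever current guidance recommends for PBKDF2-SHA256.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, one-way derivation: the stored value cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def recover_from_compressed(stored: bytes) -> str:
    """The weakness in the CWE example: compression is reversible, so the
    'stored password' is simply decompressed back to the original."""
    return zlib.decompress(stored).decode("utf-8")


class AccountStore:
    """Constructed in-memory store: username -> (salt, pbkdf2 digest)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        self._accounts[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        entry = self._accounts.get(username)
        if entry is None:
            hash_password(password)  # spend the same work for unknown users
            return False
        return verify_password(password, *entry)

    def change_password(self, session_user: str, target_user: str,
                        current_password: str, new_password: str, confirm: str) -> str:
        """Returns "ok" on success, otherwise the reason the change was refused."""
        # Bind the request to the authenticated identity: only the owner may change it.
        if session_user != target_user:
            return "requester does not own target account"
        entry = self._accounts.get(target_user)
        if entry is None:
            return "unknown account"
        if new_password != confirm:
            return "new passwords do not match"
        # Re-authenticate with the current password before replacing it.
        if not verify_password(current_password, *entry):
            return "current password incorrect"
        self._accounts[target_user] = hash_password(new_password)
        return "ok"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse")
    print(store.change_password("bob", "alice", "x", "new", "new"))      # refused
    print(store.change_password("alice", "alice", "wrong", "new", "new"))  # refused
    print(store.change_password("alice", "alice", "correct horse", "new", "new"))  # ok
    print(recover_from_compressed(zlib.compress(b"hunter2")))            # reversible
```

`recover_from_compressed` exists only to make the contrast concrete: a compressed value is data at rest that anyone with database access can read back, whereas the PBKDF2 digest gives a reader nothing to decompress. The `session_user != target_user` check is the missing step in the first demonstrative example; the current-password check is what lets the second example's storage choice matter at all.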
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.
This Java example shows a properties file with a cleartext username / password pair.
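The properties-file example here and the earlier config.properties and registry examples all describe the same condition: a credential sits in cleartext in a file that many people can read. A defender's first step is finding such entries. The following Python is an added example for this page, not code from the CWE entry or from MITRE: a minimal Java `.properties` parser plus a scanner that flags credential-like keys whose value is a literal rather than a runtime reference. The `${env:...}`/`${vault:...}`/`${keystore:...}` reference syntax and the sample file contents are constructed for the illustration.

```python
import re
from typing import List, Tuple

# Keys that conventionally carry secrets (heuristic; extend for your code base).
CREDENTIAL_KEY = re.compile(r"(password|passwd|pwd|secret|token|api[_.-]?key)", re.IGNORECASE)
# Accepted indirection: the value names where the secret is resolved at runtime
# (assumed syntax for this example), so the file itself holds no credential.
REFERENCE_VALUE = re.compile(r"^\$\{(env|vault|keystore):[^}]+\}$")


def parse_properties(text: str) -> List[Tuple[str, str]]:
    """Minimal .properties reader: key=value or key:value, '#'/'!' comments,
    trailing-backslash line continuation, bare keys with an empty value."""
    entries: List[Tuple[str, str]] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def find_cleartext_credentials(text: str) -> List[str]:
    """Return keys that look like credentials and hold a literal (cleartext) value."""
    findings = []
    for key, value in parse_properties(text):
        if not CREDENTIAL_KEY.search(key):
            continue
        if value == "" or REFERENCE_VALUE.match(value):
            continue  # empty or resolved elsewhere: nothing readable here
        findings.append(key)
    return findings


# Constructed sample resembling the Java properties file the CWE example describes.
SAMPLE_PROPERTIES = """\
# constructed sample: database connection settings
webapp.connection.username=appuser
webapp.connection.password=Password1234
db.url=jdbc:mysql://localhost/app
api.token=${env:API_TOKEN}
mail.host:smtp.example.invalid
"""


if __name__ == "__main__":
    for key in find_cleartext_credentials(SAMPLE_PROPERTIES):
        print(f"cleartext credential in properties file: {key}")
```

The scanner is deliberately key-based, so a non-secret such as `password.policy.minLength=8` would also be reported; triage those by hand rather than loosening the pattern. The remediation the page's mitigations point at is the reference form: keep `webapp.connection.password=${keystore:db-password}` in the file and resolve it from a keystore or environment at startup, so read access to the file no longer yields the credential.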
Observed CVE Examples (10)
- A messaging platform serializes all elements of User/Group objects, making private information available to adversaries.
- Initialization file contains credentials that can be decoded using a "simple string transformation".
- Python-based RPC framework enables pickle functionality by default, allowing clients to unpickle untrusted data.
- Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.
- Building Controller uses a protocol that transmits authentication credentials in plaintext.
- Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
- Web app allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions.
- Web application password change utility doesn't check the original password.
- chain: product generates predictable MD5 hashes using a constant value combined with username, allowing authentication bypass.
CWE Relationships
Frequently Asked Questions
What is CWE-522: Insufficiently Protected Credentials?
CWE-522: Insufficiently Protected Credentials is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Is CWE-522 in the CWE Top 25 Most Dangerous Software Weaknesses?
Yes. CWE-522 ranked #25 in the CWE Top 25 for 2024, associated with 283 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.
What are the security consequences of Insufficiently Protected Credentials?
If exploited, CWE-522 (Insufficiently Protected Credentials) can compromise Access Control, leading to outcomes such as Gain Privileges or Assume Identity.
How do you prevent or mitigate Insufficiently Protected Credentials?
Recommended mitigations for CWE-522 include: use an appropriate security mechanism to protect the credentials; make appropriate use of cryptography to protect the credentials; use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
Which programming languages are affected by Insufficiently Protected Credentials?
CWE-522 is classified as Not Language-Specific. Weaknesses of this kind are language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Insufficiently Protected Credentials?
MITRE documents real CVEs mapped to CWE-522, including CVE-2022-30018, CVE-2022-29959, CVE-2022-35411, CVE-2022-29519 and CVE-2022-30312. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-522 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.