- What is CWE-522?
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
- What CVEs are caused by CWE-522?
- 521 recorded CVEs are attributed to CWE-522, including CVE-2021-30116, CVE-2020-29583, CVE-2017-9248. 5 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Is CWE-522 part of the OWASP Top 10?
- CWE-522 maps to OWASP Top Ten 2007: Broken Authentication and Session Management (A7) in the OWASP security taxonomy.
- How do you prevent CWE-522?
- Use an appropriate security mechanism to protect the credentials.
- How is CWE-522 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-522?
- Exploiting CWE-522 can lead to: Gain Privileges or Assume Identity.
- Is CWE-522 actively exploited?
- Yes. 5 CWE-522 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 521 recorded CVEs.