CWE-798
Allowed-with-ReviewUse of Hard-coded Credentials
Abstraction: Base · Status: Draft
The product contains hard-coded credentials, such as a password or cryptographic key.
2178 vulnerabilities reference this CWE, most recent first.
GHSA-MF4V-QWJ2-CJM6
Vulnerability from github – Published: 2023-04-16 03:30 – Updated: 2024-04-04 03:30TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603.
{
"affected": [],
"aliases": [
"CVE-2022-37255"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-16T02:15:00Z",
"severity": "HIGH"
},
"details": "TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603.",
"id": "GHSA-mf4v-qwj2-cjm6",
"modified": "2024-04-04T03:30:00Z",
"published": "2023-04-16T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37255"
},
{
"type": "WEB",
"url": "https://www.tp-link.com"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171540/Tapo-C310-RTSP-Server-1.3.0-Unauthorized-Video-Stream-Access.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MFPF-XPQG-F44W
Vulnerability from github – Published: 2022-05-17 00:47 – Updated: 2022-05-17 00:47On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (which is open by default) with default credentials as root (username:"root" password:"root") and can: 1. Read the entire file system; 2. Write to the file system; or 3. Execute any code that attacker desires (malicious or not).
{
"affected": [],
"aliases": [
"CVE-2017-8772"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-20T14:29:00Z",
"severity": "CRITICAL"
},
"details": "On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (which is open by default) with default credentials as root (username:\"root\" password:\"root\") and can: 1. Read the entire file system; 2. Write to the file system; or 3. Execute any code that attacker desires (malicious or not).",
"id": "GHSA-mfpf-xpqg-f44w",
"modified": "2022-05-17T00:47:11Z",
"published": "2022-05-17T00:47:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8772"
},
{
"type": "WEB",
"url": "http://www.digitalwhisper.co.il/files/Zines/0x56/DW86-1-RepeaterHack.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MGMW-CPXG-GC2F
Vulnerability from github – Published: 2026-01-08 00:31 – Updated: 2026-01-08 00:31FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system.
{
"affected": [],
"aliases": [
"CVE-2017-20214"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-08T00:15:56Z",
"severity": "CRITICAL"
},
"details": "FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains hard-coded SSH credentials that cannot be changed through normal camera operations. Attackers can leverage these persistent, unmodifiable credentials to gain unauthorized remote access to the thermal camera system.",
"id": "GHSA-mgmw-cpxg-gc2f",
"modified": "2026-01-08T00:31:14Z",
"published": "2026-01-08T00:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20214"
},
{
"type": "WEB",
"url": "https://cxsecurity.com/issue/WLB-2017090205"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/144324"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20171011125811/https://www.flir.com/security/blog/details/?ID=87043"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/42787"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5436.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MGWH-8478-G6WJ
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03IBM Security Guardium 11.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 196313.
{
"affected": [],
"aliases": [
"CVE-2021-20426"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-24T14:15:00Z",
"severity": "CRITICAL"
},
"details": "IBM Security Guardium 11.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 196313.",
"id": "GHSA-mgwh-8478-g6wj",
"modified": "2022-05-24T19:03:02Z",
"published": "2022-05-24T19:03:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20426"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196313"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6455281"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MH4R-H7XH-H5PF
Vulnerability from github – Published: 2022-06-12 00:00 – Updated: 2022-06-18 00:00A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been classified as very critical. This affects an unknown part. The manipulation leads to weak authentication. It is possible to initiate the attack remotely.
{
"affected": [],
"aliases": [
"CVE-2017-20039"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-11T10:15:00Z",
"severity": "CRITICAL"
},
"details": "A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been classified as very critical. This affects an unknown part. The manipulation leads to weak authentication. It is possible to initiate the attack remotely.",
"id": "GHSA-mh4r-h7xh-h5pf",
"modified": "2022-06-18T00:00:22Z",
"published": "2022-06-12T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20039"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.98907"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Mar/25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MH8C-RXRQ-FMQ3
Vulnerability from github – Published: 2022-05-13 01:18 – Updated: 2022-05-13 01:18Use of a Hard-coded Cryptographic Key used to protect cookie session data in /var/www/xms/application/config/config.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to bypass authentication.
{
"affected": [],
"aliases": [
"CVE-2018-11635"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-03T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Use of a Hard-coded Cryptographic Key used to protect cookie session data in /var/www/xms/application/config/config.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to bypass authentication.",
"id": "GHSA-mh8c-rxrq-fmq3",
"modified": "2022-05-13T01:18:57Z",
"published": "2022-05-13T01:18:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11635"
},
{
"type": "WEB",
"url": "https://d3adend.org/blog/?p=1398"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MH8G-HPRG-8363
Vulnerability from github – Published: 2020-01-30 21:21 – Updated: 2021-10-20 18:03Impact
The security configuration in etc/security/mh_default_org.xml enables a remember-me cookie based on a hash created from the username, password, and an additional system key. Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:
<sec:remember-me key="opencast" user-service-ref="userDetailsService" />
This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.
Such an attack will usually not work on different installations – assuming that safe, unique passwords are used – but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.
Patches
This problem is fixed in Opencast 7.6 and Opencast 8.1
Workarounds
We strongly recommend updating to the patched version. Still, as a workaround for older versions, in etc/security/mh_default_org.xml, set a custom key for each server:
<sec:remember-me key="CUSTOM_RANDOM_KEY" user-service-ref="userDetailsService" />
References
- Relevant lines in the security configuration
- Spring Security Remember-Me Authentication Documentation
For more information
If you have any questions or comments about this advisory: - Open an issue in opencast/opencast - For security-relevant information, email us at security@opencast.org
Thanks
Thanks to @LukasKalbertodt for reporting the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencastproject:opencast-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.opencastproject:opencast-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "8.0"
},
{
"fixed": "8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5222"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2020-01-30T20:48:17Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThe security configuration in `etc/security/mh_default_org.xml` enables a remember-me cookie based on a hash created from the [username, password, and an additional system key](https://docs.spring.io/spring-security/site/docs/3.0.x/reference/remember-me.html). Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring that all systems use the same key:\n\n```xml\n\u003csec:remember-me key=\"opencast\" user-service-ref=\"userDetailsService\" /\u003e\n```\n\nThis means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. For example, a remember-me token obtained from develop.opencast.org can be used on stable.opencast.org without actually knowing the log-in credentials.\n\nSuch an attack will usually not work on different installations \u2013 assuming that safe, unique passwords are used \u2013 but it is basically guaranteed to work to get access to all machines of one cluster if a token from one machine is compromised.\n\n### Patches\n\nThis problem is fixed in Opencast 7.6 and Opencast 8.1\n\n### Workarounds\n\nWe strongly recommend updating to the patched version. Still, as a workaround for older versions, in `etc/security/mh_default_org.xml`, set a custom key for each server:\n\n```xml\n\u003csec:remember-me key=\"CUSTOM_RANDOM_KEY\" user-service-ref=\"userDetailsService\" /\u003e\n```\n\n### References\n\n- [Relevant lines in the security configuration](https://github.com/opencast/opencast/blob/161ee619382f144dc35eea211fc6b556025b98e1/etc/security/mh_default_org.xml#L335-L336)\n- [Spring Security Remember-Me Authentication Documentation](https://docs.spring.io/spring-security/site/docs/3.0.x/reference/remember-me.html#remember-me-hash-token)\n\n### For more information\nIf you have any questions or comments about this advisory:\n- Open an issue in [opencast/opencast](https://github.com/opencast/opencast/issues)\n- For security-relevant information, email us at [security@opencast.org](mailto:security@opencast.org)\n\n### Thanks\nThanks to @LukasKalbertodt for reporting the issue.",
"id": "GHSA-mh8g-hprg-8363",
"modified": "2021-10-20T18:03:56Z",
"published": "2020-01-30T21:21:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5222"
},
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hard-Coded Key Used For Remember-me Token in Opencast"
}
GHSA-MH9R-MH3M-PCGQ
Vulnerability from github – Published: 2024-02-02 00:31 – Updated: 2024-02-02 00:31Multiple MachineSense devices have credentials unable to be changed by the user or administrator.
{
"affected": [],
"aliases": [
"CVE-2023-46706"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-01T23:15:09Z",
"severity": "CRITICAL"
},
"details": "\n\n\nMultiple MachineSense devices have credentials unable to be changed by the user or administrator.\n\n\n\n",
"id": "GHSA-mh9r-mh3m-pcgq",
"modified": "2024-02-02T00:31:26Z",
"published": "2024-02-02T00:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46706"
},
{
"type": "WEB",
"url": "https://machinesense.com/pages/about-machinesense"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MHH7-F9XC-4FMH
Vulnerability from github – Published: 2022-05-14 03:39 – Updated: 2022-05-14 03:39IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2.4.e-2 and 2810-114 and 2812-114 devices before level 11.1.1 have hardcoded passwords for unspecified accounts, which allows remote attackers to gain user access via unknown vectors. IBM X-Force ID: 75041.
{
"affected": [],
"aliases": [
"CVE-2012-2166"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-08T23:29:00Z",
"severity": "CRITICAL"
},
"details": "IBM XIV Storage System 2810-A14 and 2812-A14 devices before level 10.2.4.e-2 and 2810-114 and 2812-114 devices before level 11.1.1 have hardcoded passwords for unspecified accounts, which allows remote attackers to gain user access via unknown vectors. IBM X-Force ID: 75041.",
"id": "GHSA-mhh7-f9xc-4fmh",
"modified": "2022-05-14T03:39:14Z",
"published": "2022-05-14T03:39:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2166"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75041"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004256"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MJ5W-W588-J6XG
Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-30 20:19Hardcoded JWT Secret in AgileConfig <1.6.8 Server allows remote attackers to use the generated JWT token to gain administrator access.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "AgileConfig.Client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35540"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-30T20:19:47Z",
"nvd_published_at": "2022-08-18T23:15:00Z",
"severity": "CRITICAL"
},
"details": "Hardcoded JWT Secret in AgileConfig \u003c1.6.8 Server allows remote attackers to use the generated JWT token to gain administrator access.",
"id": "GHSA-mj5w-w588-j6xg",
"modified": "2022-08-30T20:19:47Z",
"published": "2022-08-19T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35540"
},
{
"type": "WEB",
"url": "https://github.com/dotnetcore/AgileConfig/issues/91"
},
{
"type": "PACKAGE",
"url": "https://github.com/dotnetcore/AgileConfig"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Use of Hard-coded Credentials in AgileConfig.Client"
}
Mitigation
- For outbound authentication: store passwords, keys, and other credentials outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible [REF-7].
- In Windows environments, the Encrypted File System (EFS) may provide some protection.
Mitigation
For inbound authentication: Rather than hard-code a default username and password, key, or other authentication credentials for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password or key.
Mitigation
If the product must contain hard-coded credentials or they cannot be removed, perform access control checks and limit which entities can access the feature that requires the hard-coded credentials. For example, a feature might only be enabled through the system console instead of through a network connection.
Mitigation
- For inbound authentication using passwords: apply strong one-way hashes to passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash that is generated. This increases the amount of computation that an attacker needs to conduct a brute-force attack, possibly limiting the effectiveness of the rainbow table method.
Mitigation
- For front-end to back-end connections: Three solutions are possible, although none are complete.
- The first suggestion involves the use of generated passwords or keys that are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals.
- Next, the passwords or keys should be limited at the back end to only performing actions valid for the front end, as opposed to having full access.
- Finally, the messages sent should be tagged and checksummed with time sensitive values so as to prevent replay-style attacks.
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.
CAPEC-70: Try Common or Default Usernames and Passwords
An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.