CWE-52238 advisories

Insufficiently Protected Credentials

What it is

Credentials are stored or transmitted without adequate protection, so they can be intercepted or read.

How to fix it

Upgrade, rotate the exposed credentials, and store them hashed/encrypted.

How to avoid it

Never log or store credentials in plaintext; use a secret manager and strong hashing.

Known Insufficiently Protected Credentials vulnerabilities

WEB3-PHEMEX-2025 — critical · Web3 · CEX/Phemex
OPSEC-INTERNET-ARCHIVE-2024 — high · SaaS/Internet Archive
CLOUD-ENVFILE-EXTORTION-2024 — high · Cloud · AWS/Exposed web servers / AWS IAM
SC-ARTIPACKED-2024 — high · CI/CD · GitHub Actions/GitHub Actions (actions/checkout, actions/upload-artifact)
PHISH-AITM — high · Phishing · AiTM/Adversary-in-the-middle (AiTM) phishing
OPSEC-SNOWFLAKE-2024 — critical · Cloud/Snowflake (customer tenants)
PHISH-SPEAR-PHISHING — high · Phishing · Spear phishing/Spear phishing
WEB3-PLAYDAPP-2024 — critical · Web3 · Ethereum/PlayDapp · exploited
OPSEC-MERCEDES-BENZ-2024 — high · Source control/Mercedes-Benz
OPSEC-MIDNIGHT-BLIZZARD-2024 — critical · Identity/Microsoft 365 / Entra ID
SC-PYTORCH-RUNNER-2024 — critical · CI/CD · GitHub Actions/pytorch/pytorch
CLOUD-IAC-TFSTATE-EXPOSURE — high · Cloud · IaC/Terraform state file (terraform.tfstate)
WEB3-ORBITCHAIN-2024 — critical · Web3 · Ethereum/Orbit Chain (Orbit Bridge) · exploited
WEB3-POLONIEX-2023 — critical · Web3 · CEX/Poloniex
OPSEC-OKTA-2023 — high · Identity/Okta
OPSEC-23ANDME-2023 — critical · Consumer/genomics/23andMe
WEB3-MIXIN-NETWORK-2023 — critical · Web3 · Ethereum/Mixin Network
OPSEC-MICROSOFT-SAS-2023 — high · Cloud/Microsoft Azure Storage
PHISH-RETOOL-2023 — high · Phishing · Smishing/Retool
WEB3-COINEX-2023 — critical · Web3 · CEX/CoinEx
OPSEC-SOURCEGRAPH-2023 — high · Source control/Sourcegraph
SC-DEPENDABOT-IMPERSONATION-2023 — high · CI/CD · GitHub/GitHub repositories (Dependabot impersonation)
WEB3-ATOMICWALLET-2023 — critical · Web3/Atomic Wallet · exploited
OPSEC-CIRCLECI-2023 — critical · CI/CD/CircleCI
OPSEC-LASTPASS-2022 — critical · Identity/LastPass
OPSEC-UBER-2022 — high · Identity/Uber
SC-CRED-HYGIENE-CICDSEC6-2023 — high · CI/CD/Insufficient CI credential hygiene
OPSEC-TWILIO-2022 — high · Communications/Twilio
OPSEC-GITHUB-OAUTH-2022 — high · Source control/GitHub / npm
CVE-2021-41077 — high · CI/CD · Travis CI/travis-ci/travis-ci
OPSEC-COLONIAL-PIPELINE-2021 — critical · Critical infrastructure/Colonial Pipeline
WEB3-KUCOIN-2020 — critical · Web3 · CEX/KuCoin
INFRA-TESLA-K8S-2018 — high · Kubernetes/Kubernetes admin console (Tesla AWS environment)
INFRA-NOTPETYA-2017 — critical · Windows · Wiper/NotPetya (global outbreak)
PHISH-DNC-PODESTA-2016 — high · Phishing · Spear phishing/Clinton campaign (John Podesta)
WEB3-BITFINEX-2016 — critical · Exchange · Custody/Bitfinex
OPSEC-ANTHEM-2015 — critical · Healthcare/Anthem
WEB3-MTGOX-2014 — critical · Web3 · CEX/Mt. Gox

Stateward flags Insufficiently Protected Credentials in your own code and dependencies on every pull request.

Scan my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.