The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Use an appropriate security mechanism to protect the credentials.
Make appropriate use of cryptography to protect the credentials.
Use industry standards to protect the credentials (e.g. LDAP, keystore, etc.).
An attacker could gain access to user accounts and access sensitive data used by the user accounts.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CVE-2022-30018A messaging platform serializes all elements of User/Group objects, making private information available to adversaries
CVE-2022-29959Initialization file contains credentials that can be decoded using a "simple string transformation"
CVE-2022-35411Python-based RPC framework enables pickle functionality by default, allowing clients to unpickle untrusted data.
CVE-2022-29519Programmable Logic Controller (PLC) sends sensitive information in plaintext, including passwords and session tokens.
CVE-2022-30312Building Controller uses a protocol that transmits authentication credentials in plaintext.