CVEbaza.plSłownik CWECWE-547
Common Weakness Enumeration

CWE-547

Use of Hard-coded, Security-relevant Constants

Kategoria: BaseCVE: 11
Opis

Produkt używa sztywno zakodowanych stałych zamiast nazw symbolicznych dla wartości krytycznych dla bezpieczeństwa, co zwiększa prawdopodobieństwo błędów podczas konserwacji kodu lub zmiany polityki bezpieczeństwa. To utrudnia aktualizację i zarządzanie parametrami bezpieczeństwa w aplikacji.

Description (EN)

The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change.

Podatności CVE z CWE-547 (11)
9.8
CVSS
CRITICAL
CVE-2025-30206

Dpanel, panel do wizualizacji i zarządzania kontenerami Docker, zawiera w domyślnej konfiguracji zakodowany na stałe sekret JWT. Atakujący może go odkryć analizując kod źródłowy, a następnie sfałszować prawidłowe tokeny JWT i uzyskać pełną kontrolę nad hostem bez żadnych uprawnień.

pub. 2025-04-15
9.8
CVSS
CRITICAL
CVE-2023-1712

Use of Hard-coded, Security-relevant Constants in GitHub repository deepset-ai/haystack prior to 0.1.30.

pub. 2023-03-30
9.3
CVSS
CRITICAL
CVE-2025-49151

Nieuwierzytelniony atakujący może generować sfałszowane tokeny JSON Web Token (JWT), umożliwiając ominięcie mechanizmów uwierzytelnienia. Podatność posiada ocenę CVSS 9.3 (CRITICAL) i nie wymaga żadnej interakcji ani uprawnień po stronie atakującego.

pub. 2025-06-25
9.1
CVSS
CRITICAL
CVE-2019-14837

A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.

pub. 2020-01-07
8.7
CVSS
HIGH
CVE-2025-2079

Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.

pub. 2025-03-13
8.7
CVSS
HIGH
CVE-2025-2081

Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.

pub. 2025-03-13
8.7
CVSS
HIGH
CVE-2024-39888

A vulnerability has been identified in Mendix Encryption (All versions >= V10.0.0 < V10.0.2). Affected versions of the module define a specific hard-coded default value for the EncryptionKey constant, which is used in projects where no individual EncryptionKey was specified. This could allow to an attacker to decrypt any encrypted project data, as the default encryption key can be considered compromised.

pub. 2024-07-09
6.9
CVSS
MEDIUM
CVE-2026-28256

A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.

pub. 2026-03-12
5.6
CVSS
MEDIUM
CVE-2024-41885

Team ENVY, a Security Research TEAM has found a flaw that allows for a remote code execution on the NVR. The seed string for the encrypt key was hardcoding. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds.

pub. 2024-12-24
3.9
CVSS
LOW
CVE-2024-32021

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

pub. 2024-05-14
2.5
CVSS
LOW
CVE-2025-23253

NVIDIA NvContainer service for Windows contains a vulnerability in its usage of OpenSSL, where an attacker could exploit a hard-coded constant issue by copying a malicious DLL in a hard-coded path. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.

pub. 2025-04-22
Informacje
ID: CWE-547
Typ: Base
Podatności: 11
MITRE CWE ↗
← Słownik CWE