CWE-260 - Password in Configuration File

Read Time:35 Second

Description

The software stores a password in a configuration file that might be accessible to actors who do not know the password.

This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.

Modes of Introduction:

– Architecture and Design

Related Weaknesses

CWE-522

Consequences

Access Control: Gain Privileges or Assume Identity

Potential Mitigations

Phase: Architecture and Design

Description:

Avoid storing passwords in easily accessible locations.

Phase: Architecture and Design

Description:

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

CVE References

InCWE- 260, Password in Configuration File

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java...

rocco

February 19, 2023February 19, 2023

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access...

rocco

February 19, 2023February 19, 2023

CWE-669 – Incorrect Resource Transfer Between Spheres

Description The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere,...

rocco

May 26, 2022