CWE-555 – J2EE Misconfiguration: Plaintext Password in Configuration File


Description

The J2EE application stores a plaintext password in a configuration file.

Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers.

Modes of Introduction:

– Architecture and Design


Related Weaknesses

CWE-260: Password in Configuration File


Consequences

Access Control: Bypass Protection Mechanism


Potential Mitigations

Phase: Architecture and Design

Description:

Do not hardwire passwords into your software.

Phase: Architecture and Design

Description:

Use industry standard libraries to encrypt passwords before storage in configuration files.
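As an added example (not part of the CWE entry), a small Python scanner that applies the description above to a J2EE deployment's configuration files: it flags password-named XML attributes (as in a Tomcat context.xml DataSource) and .properties keys whose values are stored inline, and treats `${...}` placeholders and `ENC(...)` tokens as externalized or encrypted values that do not trigger the finding. The file contents, paths and the ENC(...) convention are constructed for this example.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample files standing in for a J2EE deployment's configuration.
SAMPLE_FILES = {
    "META-INF/context.xml": """<Context>
  <Resource name="jdbc/appDB" auth="Container" type="javax.sql.DataSource"
            username="app" password="hunter2"
            url="jdbc:postgresql://db.example.internal/app"/>
  <Resource name="jdbc/reportDB" auth="Container" type="javax.sql.DataSource"
            username="report" password="${db.report.password}"
            url="jdbc:postgresql://db.example.internal/report"/>
</Context>""",
    "WEB-INF/classes/app.properties": """# constructed sample
ldap.url=ldap://dir.example.internal
ldap.bind.password=ChangeMe123
mail.smtp.password=ENC(QmFzZTY0LWxvb2tpbmcgY2lwaGVydGV4dA==)
""",
}

# Attribute or property names that conventionally carry a secret.
SECRET_KEY = re.compile(r"pass(word|wd)?$", re.IGNORECASE)
# Values that reference an external source (placeholder) or are encrypted
# (ENC(...) wrapper, an assumed convention) rather than carrying the secret inline.
INDIRECT = re.compile(r"^(\$\{[^}]+\}|ENC\(.+\)|)$")

def is_plaintext(value: str) -> bool:
    """Non-empty values that are neither placeholders nor ENC(...) tokens are plaintext."""
    return not INDIRECT.match(value.strip())

def scan_xml(path: str, text: str) -> list:
    """Return (path, '<resource name>@<attribute>') for every inline password attribute."""
    findings = []
    for elem in ET.fromstring(text).iter():
        for attr, value in elem.attrib.items():
            if SECRET_KEY.search(attr) and is_plaintext(value):
                findings.append((path, f"{elem.get('name', elem.tag)}@{attr}"))
    return findings

def scan_properties(path: str, text: str) -> list:
    """Return (path, key) for every password-named key whose value is stored inline."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or .properties comment
        m = re.match(r"([^=:]+)[=:](.*)", line)
        if m and SECRET_KEY.search(m.group(1).strip()) and is_plaintext(m.group(2)):
            findings.append((path, m.group(1).strip()))
    return findings

def scan(files: dict) -> list:
    """Dispatch each file by extension and collect all CWE-555 findings."""
    findings = []
    for path, text in files.items():
        if path.endswith(".xml"):
            findings += scan_xml(path, text)
        elif path.endswith(".properties"):
            findings += scan_properties(path, text)
    return findings

if __name__ == "__main__":
    for path, where in scan(SAMPLE_FILES):
        print(f"CWE-555: plaintext password in {path} ({where})")
```

Running the block reports the two inline passwords (jdbc/appDB and ldap.bind.password) and stays silent on the placeholder and the ENC(...) value.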

CVE References