Tag Archives: CWE- 260

CWE-260 – Password in Configuration File

Read Time:35 Second

Description

The software stores a password in a configuration file that might be accessible to actors who do not know the password.

This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-522

 

Consequences

Access Control: Gain Privileges or Assume Identity

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Avoid storing passwords in easily accessible locations.

Phase: Architecture and Design

Description: 

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

CVE References