DerScanner
Home / Vulnerability Database / Config files : Password hardcoded in configuration file
Config files

Config files : Password hardcoded in configuration file

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session ManagementA6-Sensitive Data Exposure
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication Failures
OWASP MASVS
V2: 2.2.(L1/L2/L1+R/L2+R)V2: 2.14.(L2/L2+R)V8: 8.11.(L1+R/L2+R)
OWASP ASVS
Stored CryptographyStored CryptographyAuthenticationAuthenticationAuthenticationAuthenticationAuthenticationAuthentication
PCI DSS 4.0
6.5.66.2.48.3.28.6
HIPAA
§164.312 (a)(1)
CWE
CWE-256CWE-257CWE-259CWE-260CWE-522CWE-656CWE-798CWE-1028CWE-1032
CWE/SANS Top 25 2011
CWE-798
CWE/SANS Top 25 2021
CWE-522CWE-798

Overview

Saving a plaintext password inside the configuration file can lead to a system vulnerability.

References

  1. Password Plaintext Storage-OWASP
  2. CWE-798: Use of Hard-coded Credentials
  3. CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
  5. CWE-256: Unprotected Storage of Credentials
  6. CWE-260: Password in Configuration File
MEDIUM

DerScanner Severity Score

Do you want to fix Config files : Password hardcoded in configuration file in your application?

See also

Config files

Config files : Text4Shell Vulnerability

Config files

Config files : Incorrect directory deletion

Config files

Config files : Code injection