DerScanner
Home / Vulnerability Database / Config files : Unsafe password management
Config files

Config files : Unsafe password management

Classification

OWASP Top 10 2013
A2-Broken Authentication and Session ManagementA6-Sensitive Data Exposure
OWASP Top 10 2017
A2-Broken AuthenticationA3-Sensitive Data Exposure
OWASP Top 10 2021
A2-Cryptographic FailuresA4-Insecure DesignA7-Identification and Authentication Failures
OWASP MASVS
V2: 2.2.(L1/L2/L1+R/L2+R)V8: 8.11.(L1+R/L2+R)
OWASP ASVS
Authentication
PCI DSS 4.0
6.2.48.3.28.6
HIPAA
§164.312 (a)(1)§164.312 (a)(2)(iv)
CWE
CWE-256CWE-260CWE-261CWE-522CWE-1028CWE-1032
CWE/SANS Top 25 2021
CWE-522

Overview

The application uses a password stored in plaintext or a bad hashed password in the configuration file. This can lead to the application data being compromised.

Developers often believe that the data stored in the configuration file is securely protected. This assumption simplifies the attacker’s job. Good password management guidelines require that a password never be stored in plaintext.

References

  1. OWASP Top 10 2017-A2-Broken Authentication
  2. OWASP Top 10 2017-A3-Sensitive Data Exposure
  3. OWASP Top 10 2013-A5-Security Misconfiguration
  4. OWASP Top 10 2013-A6-Sensitive Data Exposure
  5. CWE-261: Weak Encoding for Password
  6. CWE CATEGORY: OWASP Top Ten 2017 Category A2 - Broken Authentication
  7. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
  8. CWE-256: Unprotected Storage of Credentials
  9. CWE-260: Password in Configuration File
MEDIUM

DerScanner Severity Score

Do you want to fix Config files : Unsafe password management in your application?

See also

Config files

Config files : Text4Shell Vulnerability

Config files

Config files : Incorrect directory deletion

Config files

Config files : Code injection