QwikSec

Security Database

CVE

CWE

Training

CWE Database
/

CWE-260

Back to CWE list

CWE-260

Password in Configuration File

Base
Incomplete

Description

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.

Common Consequences

Scope

Access Control

Impact

Gain Privileges or Assume Identity

Potential Mitigations

Architecture and Design

Avoid storing passwords in easily accessible locations.

Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

CVE-2022-38665

A continuous delivery pipeline management tool stores an unencypted password in a configuration file.

Applicable Platforms

Not Language-Specific

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now