Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-555:J2EE Misconfiguration: Plaintext Password in Configuration File
Weakness ID:555
Version:v4.17
Weakness Name:J2EE Misconfiguration: Plaintext Password in Configuration File
Vulnerability Mapping:Allowed
Abstraction:Variant
Structure:Simple
Status:Draft
Likelihood of Exploit:
DetailsContent HistoryObserved CVE ExamplesReports
▼Description

The J2EE application stores a plaintext password in a configuration file.

▼Extended Description

Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers.

▼Alternate Terms
▼Relationships
Relevant to the view"Research Concepts - (1000)"
NatureMappingTypeIDName
ChildOfAllowedB260Password in Configuration File
Nature: ChildOf
Mapping: Allowed
Type: Base
ID: 260
Name: Password in Configuration File
▼Memberships
NatureMappingTypeIDName
MemberOfProhibitedC731OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
MemberOfProhibitedC963SFP Secondary Cluster: Exposed Data
MemberOfProhibitedC1396Comprehensive Categorization: Access Control
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 731
Name: OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 963
Name: SFP Secondary Cluster: Exposed Data
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1396
Name: Comprehensive Categorization: Access Control
▼Tags
NatureMappingTypeIDName
MemberOfProhibitedBSBOSS-316Bypass Protection Mechanism (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-316
Name: Bypass Protection Mechanism (impact)
▼Relevant To View
Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"
NatureMappingTypeIDName
MemberOfProhibitedC963SFP Secondary Cluster: Exposed Data
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 963
Name: SFP Secondary Cluster: Exposed Data
▼Background Detail

▼Common Consequences
ScopeLikelihoodImpactNote
Access ControlN/ABypass Protection Mechanism
N/A
Scope: Access Control
Likelihood: N/A
Impact: Bypass Protection Mechanism
Note:
N/A
▼Potential Mitigations
Phase:Architecture and Design
Mitigation ID:
Strategy:
Effectiveness:
Description:

Do not hardwire passwords into your software.

Note:

Phase:Architecture and Design
Mitigation ID:
Strategy:
Effectiveness:
Description:

Use industry standard libraries to encrypt passwords before storage in configuration files.

Note:

▼Modes Of Introduction
Phase: Architecture and Design
Note:

N/A

Phase: Implementation
Note:

N/A

▼Applicable Platforms
▼Demonstrative Examples
Example 1

Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.

Language: ( code)
N/A

Language: Java(Bad code)
webapp.ldap.username=secretUsername webapp.ldap.password=secretPassword

▼Observed Examples
ReferenceDescription
▼Affected Resources
    ▼Functional Areas
      ▼Weakness Ordinalities
      OrdinalityDescription
      ▼Detection Methods
      ▼Vulnerability Mapping Notes
      Usage:Allowed
      Reason:Acceptable-Use
      Rationale:

      This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

      Comments:

      Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

      Suggestions:
      ▼Notes
      ▼Taxonomy Mappings
      Taxonomy NameEntry IDFitEntry Name
      ▼Related Attack Patterns
      IDName
      ▼References
      Details not found