Base · Medium

CWE-549: Missing Password Field Masking

CWE-549 · Base Level · 1 CVE · 1 Mitigation

Description

The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

Potential Impact

Access Control

Bypass Protection Mechanism

Mitigations & Prevention

Phase: Implementation · Requirements

Recommendations include requiring that all password fields in your web application be masked, so that other users cannot see this information during entry.

Detection Methods

  • Automated Static Analysis (effectiveness: High): Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
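As an added example (not part of the CWE entry or any named tool), here is a lightweight static check of the kind the SAST bullet describes: it parses HTML with Python's standard library and flags <input> elements that are named or autocompleted like passwords but are not rendered as type="password". The attribute heuristics and the sample markup are constructed for illustration.

```python
"""Heuristic SAST-style check for CWE-549: password inputs rendered unmasked."""
from html.parser import HTMLParser
import re

# Attribute values that suggest a field is meant to hold a password (constructed heuristic).
PASSWORD_HINT = re.compile(r"pass(word|wd)?|pwd|secret", re.IGNORECASE)
PASSWORD_AUTOCOMPLETE = {"current-password", "new-password"}


class PasswordInputAuditor(HTMLParser):
    """Collects <input> elements that look like password fields but are not type=password."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        input_type = a.get("type", "text").lower()  # HTML default type is "text"
        looks_like_password = (
            a.get("autocomplete", "").lower() in PASSWORD_AUTOCOMPLETE
            or any(PASSWORD_HINT.search(a.get(k, "")) for k in ("name", "id", "placeholder"))
        )
        if looks_like_password and input_type != "password":
            self.findings.append(
                {"line": self.getpos()[0], "name": a.get("name") or a.get("id", ""), "type": input_type}
            )


def find_unmasked_password_fields(html: str) -> list:
    """Return one finding per password-like input that is not masked."""
    auditor = PasswordInputAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one vulnerable form (CWE-549) followed by its corrected counterpart.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="text">          <!-- unmasked: CWE-549 -->
  <input id="api_secret">                       <!-- no type attribute, defaults to text -->
</form>
<form action="/login" method="post">
  <input name="username" type="text" autocomplete="username">
  <input name="password" type="password" autocomplete="current-password">
</form>
"""

if __name__ == "__main__":
    for f in find_unmasked_password_fields(SAMPLE_HTML):
        print(f"line {f['line']}: field {f['name']!r} rendered as type={f['type']!r}")
```

Run against the sample, the check reports the two unmasked fields in the first form and nothing for the corrected form; in a real pipeline the same class can be fed template files instead of the inline string.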

Real-World CVE Examples

CVE ID: CVE-2025-0148
Description: Jenkins plugin for a video meeting product does not mask passwords

Frequently Asked Questions

What is CWE-549?

CWE-549 (Missing Password Field Masking) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords.

How can CWE-549 be exploited?

Attackers can exploit CWE-549 (Missing Password Field Masking) to bypass a protection mechanism. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-549?

Key mitigations include requiring that all password fields in your web application be masked, so that other users cannot see this information during entry.

What is the severity of CWE-549?

CWE-549 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.