Description
The J2EE application stores a plaintext password in a configuration file.
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers.
Potential Impact
Access Control
Bypass Protection Mechanism
Demonstrative Examples
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
Mitigations & Prevention
Do not hardwire passwords into your software.
Use industry standard libraries to encrypt passwords before storage in configuration files.
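As an added example that is not part of the CWE entry, the following Python check parses a Java .properties file and flags credential-like keys whose value is a plaintext literal rather than an externalized reference. The key-name heuristic, the ${ENV_VAR} placeholder convention and the ENC(...) wrapper (as used by Jasypt-style encrypted properties) are assumptions, and the sample file is constructed to mirror the demonstrative example above.

```python
import re
from typing import List, Tuple

# Heuristic list of key names that usually hold credentials (assumption).
SENSITIVE_KEY = re.compile(r"(password|passwd|pwd|secret|credential)", re.IGNORECASE)
# Values that are references, not literals: ${ENV_VAR} placeholders or
# ENC(...) wrappers as used by Jasypt-style encrypted properties (assumption).
REFERENCE_VALUE = re.compile(r"^(\$\{[^}]+\}|ENC\(.*\))$")

# Constructed sample mirroring the CWE-555 demonstrative example.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment file
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
db.password=${DB_PASSWORD}
mail.password=ENC(3k9Qexamplecipher)
api.secret = abc\\
def
"""


def parse_properties(text: str) -> List[Tuple[int, str, str]]:
    """Minimal Java .properties parser returning (line_no, key, value).
    Handles '#'/'!' comments, '=' ':' or whitespace separators, and
    backslash line continuations (an odd run of trailing backslashes)."""
    entries, logical, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()  # leading whitespace is insignificant
        if not logical:
            start = n
            if not line or line[0] in "#!":
                continue
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # continuation: join with next line
            logical += line[:-1]
            continue
        logical += line
        m = re.match(r"([^=:\s]+)(?:\s*[=:\s]\s*(.*))?$", logical)
        if m:
            entries.append((start, m.group(1), (m.group(2) or "").strip()))
        logical = ""
    return entries


def find_plaintext_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, key) for credential keys holding a literal value."""
    findings = []
    for line_no, key, value in parse_properties(text):
        if SENSITIVE_KEY.search(key) and value and not REFERENCE_VALUE.match(value):
            findings.append((line_no, key))
    return findings
```

Running find_plaintext_credentials(SAMPLE_PROPERTIES) flags the webapp.ldap.password line and the continued api.secret entry, while the placeholder and ENC(...) values pass; a check like this fits naturally into a pre-commit hook or CI step over deployment configuration.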
Related Weaknesses
Frequently Asked Questions
What is CWE-555?
CWE-555 (J2EE Misconfiguration: Plaintext Password in Configuration File) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The J2EE application stores a plaintext password in a configuration file.
How can CWE-555 be exploited?
Attackers can exploit CWE-555 (J2EE Misconfiguration: Plaintext Password in Configuration File) to bypass a protection mechanism: anyone who can read the configuration file obtains the credential. This weakness is typically introduced during the Architecture and Design and Implementation phases of software development.
How do I prevent CWE-555?
Key mitigations include: Do not hardwire passwords into your software.
What is the severity of CWE-555?
CWE-555 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.