Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.
View on MITRECredentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.
No detection method information available for this CWE.
The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database, but the pair is stored in plaintext.
Username and password information should not be included in a configuration file or a properties file in plaintext as this will allow anyone who can read the file access to the resource. If possible, encrypt this information.
No relationship information available for this CWE.
CWE-13: ASP.NET Misconfiguration: Password in Configuration File is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.
If exploited, CWE-13 (ASP.NET Misconfiguration: Password in Configuration File) it can compromise Access Control, leading to outcomes such as Gain Privileges or Assume Identity.
Recommended mitigations for CWE-13 include: Credentials stored in configuration files should be encrypted, Use standard APIs and industry accepted algorithms to encrypt the credentials stored in configuration files.
A CWE (Common Weakness Enumeration) like CWE-13 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.