CWE-260: Password in Configuration File
The product stores a password in a configuration file that might be accessible to actors who do not know the password.
View on MITREExtended Description
This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
Phase
Description
Avoid storing passwords in easily accessible locations.
Phase
Description
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
Below is a snippet from a Java properties file.
Because the LDAP credentials are stored in plaintext, anyone with access to the file can gain access to the resource.
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.
This Java example shows a properties file with a cleartext username / password pair.
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.
This Java example shows a properties file with a cleartext username / password pair.
Observed CVE Examples (1)
A continuous delivery pipeline management tool stores an unencypted password in a configuration file.
View DetailsCWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-260: Password in Configuration File?+
CWE-260: Password in Configuration File is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product stores a password in a configuration file that might be accessible to actors who do not know the password. This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.
What are the security consequences of Password in Configuration File?+
If exploited, CWE-260 (Password in Configuration File) it can compromise Access Control, leading to outcomes such as Gain Privileges or Assume Identity.
How do you prevent or mitigate Password in Configuration File?+
Recommended mitigations for CWE-260 include: Avoid storing passwords in easily accessible locations. Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Which programming languages are affected by Password in Configuration File?+
CWE-260 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Password in Configuration File?+
MITRE documents real CVEs mapped to CWE-260, including CVE-2022-38665. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-260 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.