The J2EE application stores a plaintext password in a configuration file.
View on MITREStoring a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers.
Do not hardwire passwords into your software.
Use industry standard libraries to encrypt passwords before storage in configuration files.
No detection method information available for this CWE.
Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.
CWE-555: J2EE Misconfiguration: Plaintext Password in Configuration File is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The J2EE application stores a plaintext password in a configuration file. Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers.
If exploited, CWE-555 (J2EE Misconfiguration: Plaintext Password in Configuration File) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism.
Recommended mitigations for CWE-555 include: Do not hardwire passwords into your software. Use industry standard libraries to encrypt passwords before storage in configuration files.
A CWE (Common Weakness Enumeration) like CWE-555 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.