142 – Sensitive information in source code - API Key

Description

The encryption key is stored in the source code in plain text and is not obtained from a secure source that guarantees its confidentiality.

Impact

- Generate an elaborate brute-force attack on the applications encrypted messages. - Open easily information of a company, web and API security to sensitive data exposure.

Recommendation

It is recommended to load encryption keys from: - A key vault service. - A configuration file that is properly encrypted. - Administrative environment variables.

Threat

Unauthorized user obtaining the encryption key directly from the application repository or an application file.

Expected Remediation Time

45 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 145 - Protect system cryptographic keys
• 156 - Source code without sensitive information
• 266 - Disable insecure functionalities

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Kotlin
• Php
• Python
• Ruby
• Swift
• Typescript

Last updated

2024/02/14