169 – Insecure service configuration - Keys
Description
The source code repository stores cipher keys directly. Allowing an attacker with access to the source code to compromise the keys to impersonate the application or decrypt the communications between server and client.
Impact
Obtain cypher keys to craft new attack vectors.
Recommendation
Store the cipher keys in a secured Keystore.
Threat
Authenticated attacker from Internet with access to the source code.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: L
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): N
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P