249 – Non-encrypted confidential information - Credentials

Description

The passwords are in plain text in the source code of the application allowing an attacker to view it without any encryption.

Impact

Obtain sensitive information to compromise resources or services

Recommendation

Verify that sensitive information, API keys and passwords are not included in the source code, nor in online code repositories.

Threat

Authenticated attacker from the Internet with access to the source code

Expected Remediation Time

120 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 134 - Store passwords with salt
• 135 - Passwords with random salt
• 185 - Encrypt sensitive information
• 229 - Request access credentials
• 264 - Request authentication
• 300 - Mask sensitive data

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Python
• Scala
• Typescript

Last updated

2024/02/16