logo

Database

Non-encrypted confidential information - Credentials

Description

The passwords are in plain text in the source code of the application allowing an attacker to view it without any encryption.

Impact

Obtain sensitive information to compromise resources or services

Recommendation

Verify that sensitive information, API keys and passwords are not included in the source code, nor in online code repositories.

Threat

Authenticated attacker from the Internet with access to the source code

Expected Remediation Time

⏱️ 120 minutes.

Requirements

134 - Store passwords with salt135 - Passwords with random salt185 - Encrypt sensitive information229 - Request access credentials264 - Request authentication300 - Mask sensitive data

Fixes

CsharpDartElixirGoJavaPythonScalaTypescript

Score

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

Attack vector

N

Attack complexity

L

Attack requirements

N

Privileges required

L

User interaction

N

Confidentiality (VC)

L

Integrity (VI)

N

Availability (VA)

N

Confidentiality (SC)

N

Integrity (SI)

N

Availability (SA)

N

Threat 4.0

Exploit maturity

P

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P