CWE-555: J2EE Misconfiguration: Plaintext Password in Configuration File
Official CWE-555 CWE context with Glexia analysis, remediation guidance, related CVEs, and ATT&CK context.
Glexia's Take
CWE-555: J2EE Misconfiguration: Plaintext Password in Configuration File
J2EE Misconfiguration: Plaintext Password in Configuration File represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Executive Impact
- Access Control: Bypass Protection Mechanism
Developer Pattern
CWE-555 is the kind of defect developers can usually prevent with explicit validation, safer framework defaults, and tests that exercise hostile input or unsafe state transitions.
Confidence
high confidence from CWE-555, 4.20.
Official CWE Definition
CWE-555: J2EE Misconfiguration: Plaintext Password in Configuration File
The J2EE application stores a plaintext password in a configuration file.
Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource, making it an easy target for attackers.
Developer And Remediation Guidance
How teams prevent and detect this weakness
Causes
- Below is a snippet from a Java properties file in which the LDAP server password is stored in plaintext.
Remediation
- Architecture and Design: Do not hardwire passwords into your software.
- Architecture and Design: Use industry standard libraries to encrypt passwords before storage in configuration files.
Detection
- Code review
- SAST
- DAST
- Focused regression tests
Mappings
Related CVEs, CWEs, and ATT&CK context
Related CWEs
ATT&CK Relevance
ATT&CK relevance is shown only when reviewed or responsibly inferred.