CWE-258
AllowedEmpty Password in Configuration File
Abstraction: Variant · Status: Incomplete
Using an empty string as a password is insecure.
16 vulnerabilities reference this CWE, most recent first.
GHSA-C745-QW8J-JHVX
Vulnerability from github – Published: 2023-08-08 03:30 – Updated: 2024-04-04 06:37SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
{
"affected": [],
"aliases": [
"CVE-2023-39439"
],
"database_specific": {
"cwe_ids": [
"CWE-1390",
"CWE-258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-08T01:15:19Z",
"severity": "CRITICAL"
},
"details": "SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.\n\n",
"id": "GHSA-c745-qw8j-jhvx",
"modified": "2024-04-04T06:37:35Z",
"published": "2023-08-08T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39439"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3346500"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F2XW-W9GH-Q2H9
Vulnerability from github – Published: 2025-09-02 21:30 – Updated: 2025-09-02 21:30Cockroach Labs cockroach-k8s-request-cert Empty Root Password Authentication Bypass Vulnerability. This vulnerability could allow remote attackers to bypass authentication on systems that use the affected version of the Cockroach Labs cockroach-k8s-request-cert container image.
The specific flaw exists within the configuration of the system shadow file. The issue results from a blank password setting for the root user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-22195.
{
"affected": [],
"aliases": [
"CVE-2025-9276"
],
"database_specific": {
"cwe_ids": [
"CWE-258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-02T20:15:40Z",
"severity": "CRITICAL"
},
"details": "Cockroach Labs cockroach-k8s-request-cert Empty Root Password Authentication Bypass Vulnerability. This vulnerability could allow remote attackers to bypass authentication on systems that use the affected version of the Cockroach Labs cockroach-k8s-request-cert container image.\n\nThe specific flaw exists within the configuration of the system shadow file. The issue results from a blank password setting for the root user. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-22195.",
"id": "GHSA-f2xw-w9gh-q2h9",
"modified": "2025-09-02T21:30:59Z",
"published": "2025-09-02T21:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9276"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-855"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHRR-7GGP-3GV3
Vulnerability from github – Published: 2024-06-28 18:31 – Updated: 2025-11-04 00:30IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed. IBM X-Force ID: 292413.
{
"affected": [],
"aliases": [
"CVE-2024-35137"
],
"database_specific": {
"cwe_ids": [
"CWE-258",
"CWE-521"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-28T16:15:04Z",
"severity": "MODERATE"
},
"details": "IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed. IBM X-Force ID: 292413.",
"id": "GHSA-jhrr-7ggp-3gv3",
"modified": "2025-11-04T00:30:50Z",
"published": "2024-06-28T18:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35137"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/292413"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7158790"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PVV5-7GWV-CVMF
Vulnerability from github – Published: 2024-02-03 03:30 – Updated: 2025-11-04 00:30IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password. IBM X-Force ID: 266154.
{
"affected": [],
"aliases": [
"CVE-2023-43016"
],
"database_specific": {
"cwe_ids": [
"CWE-258",
"CWE-521"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-03T01:15:09Z",
"severity": "HIGH"
},
"details": "IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password. IBM X-Force ID: 266154.",
"id": "GHSA-pvv5-7gwv-cvmf",
"modified": "2025-11-04T00:30:45Z",
"published": "2024-02-03T03:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43016"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/266154"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7106586"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Nov/0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RCCF-3GFP-FHPV
Vulnerability from github – Published: 2024-04-08 03:30 – Updated: 2024-08-01 15:31The password is empty in the initial configuration of ACERA 9010-08 firmware v02.04 and earlier, and ACERA 9010-24 firmware v02.04 and earlier. An unauthenticated attacker may log in to the product with no password, and obtain and/or alter information such as network configuration and user information. The products are affected only when running in non MS mode with the initial configuration.
{
"affected": [],
"aliases": [
"CVE-2024-28744"
],
"database_specific": {
"cwe_ids": [
"CWE-258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T01:15:56Z",
"severity": "HIGH"
},
"details": "The password is empty in the initial configuration of ACERA 9010-08 firmware v02.04 and earlier, and ACERA 9010-24 firmware v02.04 and earlier. An unauthenticated attacker may log in to the product with no password, and obtain and/or alter information such as network configuration and user information. The products are affected only when running in non MS mode with the initial configuration.",
"id": "GHSA-rccf-3gfp-fhpv",
"modified": "2024-08-01T15:31:37Z",
"published": "2024-04-08T03:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28744"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU99285099"
},
{
"type": "WEB",
"url": "https://www.furunosystems.co.jp/news/info/vulner20240401.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RXFJ-GVQJ-6MMM
Vulnerability from github – Published: 2025-07-25 15:30 – Updated: 2026-03-27 21:31Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access modify system functionality.
This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025
{
"affected": [],
"aliases": [
"CVE-2025-4395"
],
"database_specific": {
"cwe_ids": [
"CWE-258"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-24T07:15:53Z",
"severity": "MODERATE"
},
"details": "Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access modify system functionality. \n\nThis issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025",
"id": "GHSA-rxfj-gvqj-6mmm",
"modified": "2026-03-27T21:31:31Z",
"published": "2025-07-25T15:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4395"
},
{
"type": "WEB",
"url": "https://global.medtronic.com/xg-en/product-security/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01"
},
{
"type": "WEB",
"url": "https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-patient-monitor-vulnerabilities.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.
No CAPEC attack patterns related to this CWE.