Common Weakness Enumeration

CWE-260

Allowed

Password in Configuration File

Abstraction: Base · Status: Incomplete

The product stores a password in a configuration file that might be accessible to actors who do not know the password.

42 vulnerabilities reference this CWE, most recent first.

GHSA-JGP4-2VPQ-MM78

Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:05
VLAI
Details

Tomcat application credentials are hardcoded in SonicWall GMS and Analytics configuration file. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-260",
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T01:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "Tomcat application credentials are hardcoded in SonicWall GMS and Analytics configuration file. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.",
  "id": "GHSA-jgp4-2vpq-mm78",
  "modified": "2024-04-04T06:05:48Z",
  "published": "2023-07-13T03:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34128"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010"
    },
    {
      "type": "WEB",
      "url": "https://www.sonicwall.com/support/notices/230710150218060"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQJR-322M-7MJW

Vulnerability from github – Published: 2025-06-03 18:30 – Updated: 2025-06-03 18:30
VLAI
Details

IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an unauthenticated user in the environment to obtain highly sensitive information in configuration files.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-260"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-03T16:15:24Z",
    "severity": "CRITICAL"
  },
  "details": "IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an unauthenticated user in the environment to obtain highly sensitive information in configuration files.",
  "id": "GHSA-jqjr-322m-7mjw",
  "modified": "2025-06-03T18:30:41Z",
  "published": "2025-06-03T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25022"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7235432"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7R5-29R2-M6XH

Vulnerability from github – Published: 2022-05-17 00:13 – Updated: 2024-12-27 21:30
VLAI
Details

A Password in Configuration File issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The password in configuration file vulnerability could allow a malicious user to escalate privileges or assume the identity of another user and access sensitive information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7923"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-260"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-06T00:29:00Z",
    "severity": "HIGH"
  },
  "details": "A Password in Configuration File issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The password in configuration file vulnerability could allow a malicious user to escalate privileges or assume the identity of another user and access sensitive information.",
  "id": "GHSA-m7r5-29r2-m6xh",
  "modified": "2024-12-27T21:30:30Z",
  "published": "2022-05-17T00:13:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7923"
    },
    {
      "type": "WEB",
      "url": "https://ghostbin.com/paste/q2vq2"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01"
    },
    {
      "type": "WEB",
      "url": "https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/20170314"
    },
    {
      "type": "WEB",
      "url": "https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification--privilege-escalating-vulnerability-in-cer"
    },
    {
      "type": "WEB",
      "url": "https://www.hikvision.com/us-en/support/document-center/special-notices/privilege-escalating-vulnerability-in-certain-hikvision-ip-cameras"
    },
    {
      "type": "WEB",
      "url": "http://www.hikvision.com/us/about_10807.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98313"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MVVR-M63M-HJ6G

Vulnerability from github – Published: 2025-10-16 15:30 – Updated: 2025-10-16 15:30
VLAI
Details

IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-260"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-16T15:15:33Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.",
  "id": "GHSA-mvvr-m63m-hj6g",
  "modified": "2025-10-16T15:30:43Z",
  "published": "2025-10-16T15:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36002"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7248129"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MX46-G635-GJJG

Vulnerability from github – Published: 2025-12-09 21:31 – Updated: 2025-12-19 21:30
VLAI
Details

MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to retrieve a complete system configuration archive containing sensitive credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-260"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T21:15:52Z",
    "severity": "HIGH"
  },
  "details": "MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with \u0027action=getconfig\u0027 to retrieve a complete system configuration archive containing sensitive credentials.",
  "id": "GHSA-mx46-g635-gjjg",
  "modified": "2025-12-19T21:30:15Z",
  "published": "2025-12-09T21:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53770"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51091"
    },
    {
      "type": "WEB",
      "url": "https://www.minidvblinux.de"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/minidvblinux-unauthenticated-configuration-download-via-backup-endpoint"
    },
    {
      "type": "WEB",
      "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-P986-VG8J-HHH7

Vulnerability from github – Published: 2024-12-17 18:33 – Updated: 2024-12-17 18:33
VLAI
Details

IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores user credentials in configuration files which can be read by a local privileged user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-260"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-17T18:15:23Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores user credentials in configuration files which can be read by a local privileged user.",
  "id": "GHSA-p986-vg8j-hhh7",
  "modified": "2024-12-17T18:33:50Z",
  "published": "2024-12-17T18:33:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49817"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7175067"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJW3-C74J-M9FJ

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2023-02-14 00:57
VLAI
Summary
Password in config file in KIE server
Details

It has been reported that KIE server and Busitess Central before version 7.21.0.Final contain username and password as plaintext Java properties. Any app deployed on the same server would have access to these properties, thus granting access to ther services.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.kie.server:kie-server-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.21.0.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-7043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-260"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-14T00:57:31Z",
    "nvd_published_at": "2019-05-15T16:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "It has been reported that KIE server and Busitess Central before version 7.21.0.Final contain username and password as plaintext Java properties. Any app deployed on the same server would have access to these properties, thus granting access to ther services.",
  "id": "GHSA-pjw3-c74j-m9fj",
  "modified": "2023-02-14T00:57:31Z",
  "published": "2022-05-24T16:45:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7043"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiegroup/droolsjbpm-integration/pull/1273"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7043"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Password in config file in KIE server"
}

GHSA-QWJ8-22QG-X6QF

Vulnerability from github – Published: 2025-04-04 09:30 – Updated: 2025-04-04 09:30
VLAI
Details

The Docker image from acme.sh before 40b6db6 is based on a .github/workflows/dockerhub.yml file that lacks "persist-credentials: false" for actions/checkout.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32111"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-260"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-04T07:15:42Z",
    "severity": "HIGH"
  },
  "details": "The Docker image from acme.sh before 40b6db6 is based on a .github/workflows/dockerhub.yml file that lacks \"persist-credentials: false\" for actions/checkout.",
  "id": "GHSA-qwj8-22qg-x6qf",
  "modified": "2025-04-04T09:30:33Z",
  "published": "2025-04-04T09:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32111"
    },
    {
      "type": "WEB",
      "url": "https://github.com/acmesh-official/acme.sh/commit/40b6db6a2715628aa977ed1853fe5256704010ae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/acmesh-official/acme.sh/commit/a1de13657e79c5471dbc8fa3539ea39160937389"
    },
    {
      "type": "WEB",
      "url": "https://github.com/actions/checkout/blob/85e6279cec87321a52edac9c87bce653a07cf6c2/README.md?plain=1#L70-L72"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RFVR-JPH4-C6J4

Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2025-08-19 21:30
VLAI
Details

EzGED3 3.5.0 stores user passwords using an insecure hashing scheme: md5(md5(password)). This hashing method is cryptographically weak and allows attackers to perform efficient offline brute-force attacks if password hashes are disclosed. The lack of salting and use of a fast, outdated algorithm makes it feasible to recover plaintext credentials using precomputed tables or GPU-based cracking tools. The vendor states that the issue is fixed in 3.5.72.27183.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-260"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-19T16:15:28Z",
    "severity": "MODERATE"
  },
  "details": "EzGED3 3.5.0 stores user passwords using an insecure hashing scheme: md5(md5(password)). This hashing method is cryptographically weak and allows attackers to perform efficient offline brute-force attacks if password hashes are disclosed. The lack of salting and use of a fast, outdated algorithm makes it feasible to recover plaintext credentials using precomputed tables or GPU-based cracking tools. The vendor states that the issue is fixed in 3.5.72.27183.",
  "id": "GHSA-rfvr-jph4-c6j4",
  "modified": "2025-08-19T21:30:36Z",
  "published": "2025-08-19T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51540"
    },
    {
      "type": "WEB",
      "url": "https://ballpoint.fr/en/blog/ezged3-preauth-file-read-admin-takeover"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V736-7QXC-59QF

Vulnerability from github – Published: 2025-09-07 03:30 – Updated: 2025-12-19 15:31
VLAI
Details

IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0  Java and JMS stores a password in client configuration files when trace is enabled which can be read by a local user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36100"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-260"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-07T01:15:32Z",
    "severity": "MODERATE"
  },
  "details": "IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0\u00a0 Java and JMS stores a password in client configuration files when trace is enabled which can be read by a local user.",
  "id": "GHSA-v736-7qxc-59qf",
  "modified": "2025-12-19T15:31:17Z",
  "published": "2025-09-07T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36100"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7243544"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

No CAPEC attack patterns related to this CWE.