CWE-260
AllowedPassword in Configuration File
Abstraction: Base · Status: Incomplete
The product stores a password in a configuration file that might be accessible to actors who do not know the password.
42 vulnerabilities reference this CWE, most recent first.
GHSA-JGP4-2VPQ-MM78
Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:05Tomcat application credentials are hardcoded in SonicWall GMS and Analytics configuration file. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
{
"affected": [],
"aliases": [
"CVE-2023-34128"
],
"database_specific": {
"cwe_ids": [
"CWE-260",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T01:15:08Z",
"severity": "CRITICAL"
},
"details": "Tomcat application credentials are hardcoded in SonicWall GMS and Analytics configuration file. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.",
"id": "GHSA-jgp4-2vpq-mm78",
"modified": "2024-04-04T06:05:48Z",
"published": "2023-07-13T03:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34128"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010"
},
{
"type": "WEB",
"url": "https://www.sonicwall.com/support/notices/230710150218060"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JQJR-322M-7MJW
Vulnerability from github – Published: 2025-06-03 18:30 – Updated: 2025-06-03 18:30IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an unauthenticated user in the environment to obtain highly sensitive information in configuration files.
{
"affected": [],
"aliases": [
"CVE-2025-25022"
],
"database_specific": {
"cwe_ids": [
"CWE-260"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-03T16:15:24Z",
"severity": "CRITICAL"
},
"details": "IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 could allow an unauthenticated user in the environment to obtain highly sensitive information in configuration files.",
"id": "GHSA-jqjr-322m-7mjw",
"modified": "2025-06-03T18:30:41Z",
"published": "2025-06-03T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25022"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7235432"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M7R5-29R2-M6XH
Vulnerability from github – Published: 2022-05-17 00:13 – Updated: 2024-12-27 21:30A Password in Configuration File issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The password in configuration file vulnerability could allow a malicious user to escalate privileges or assume the identity of another user and access sensitive information.
{
"affected": [],
"aliases": [
"CVE-2017-7923"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-260"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-06T00:29:00Z",
"severity": "HIGH"
},
"details": "A Password in Configuration File issue was discovered in Hikvision DS-2CD2xx2F-I Series V5.2.0 build 140721 to V5.4.0 build 160530, DS-2CD2xx0F-I Series V5.2.0 build 140721 to V5.4.0 Build 160401, DS-2CD2xx2FWD Series V5.3.1 build 150410 to V5.4.4 Build 161125, DS-2CD4x2xFWD Series V5.2.0 build 140721 to V5.4.0 Build 160414, DS-2CD4xx5 Series V5.2.0 build 140721 to V5.4.0 Build 160421, DS-2DFx Series V5.2.0 build 140805 to V5.4.5 Build 160928, and DS-2CD63xx Series V5.0.9 build 140305 to V5.3.5 Build 160106 devices. The password in configuration file vulnerability could allow a malicious user to escalate privileges or assume the identity of another user and access sensitive information.",
"id": "GHSA-m7r5-29r2-m6xh",
"modified": "2024-12-27T21:30:30Z",
"published": "2022-05-17T00:13:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7923"
},
{
"type": "WEB",
"url": "https://ghostbin.com/paste/q2vq2"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-124-01"
},
{
"type": "WEB",
"url": "https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/20170314"
},
{
"type": "WEB",
"url": "https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-notification--privilege-escalating-vulnerability-in-cer"
},
{
"type": "WEB",
"url": "https://www.hikvision.com/us-en/support/document-center/special-notices/privilege-escalating-vulnerability-in-certain-hikvision-ip-cameras"
},
{
"type": "WEB",
"url": "http://www.hikvision.com/us/about_10807.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98313"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MVVR-M63M-HJ6G
Vulnerability from github – Published: 2025-10-16 15:30 – Updated: 2025-10-16 15:30IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.
{
"affected": [],
"aliases": [
"CVE-2025-36002"
],
"database_specific": {
"cwe_ids": [
"CWE-256",
"CWE-260"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T15:15:33Z",
"severity": "MODERATE"
},
"details": "IBM Sterling B2B Integrator 6.2.0.0 through 6.2.0.5, and 6.2.1.0 and IBM Sterling File Gateway 6.2.0.0 through 6.2.0.5, and 6.2.1.0 stores user credentials in configuration files which can be read by a local user.",
"id": "GHSA-mvvr-m63m-hj6g",
"modified": "2025-10-16T15:30:43Z",
"published": "2025-10-16T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36002"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7248129"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MX46-G635-GJJG
Vulnerability from github – Published: 2025-12-09 21:31 – Updated: 2025-12-19 21:30MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with 'action=getconfig' to retrieve a complete system configuration archive containing sensitive credentials.
{
"affected": [],
"aliases": [
"CVE-2023-53770"
],
"database_specific": {
"cwe_ids": [
"CWE-260"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-09T21:15:52Z",
"severity": "HIGH"
},
"details": "MiniDVBLinux 5.4 contains an unauthenticated configuration download vulnerability that allows remote attackers to access sensitive system configuration files through a direct object reference. Attackers can exploit the backup download endpoint by sending a GET request with \u0027action=getconfig\u0027 to retrieve a complete system configuration archive containing sensitive credentials.",
"id": "GHSA-mx46-g635-gjjg",
"modified": "2025-12-19T21:30:15Z",
"published": "2025-12-09T21:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53770"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51091"
},
{
"type": "WEB",
"url": "https://www.minidvblinux.de"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/minidvblinux-unauthenticated-configuration-download-via-backup-endpoint"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P986-VG8J-HHH7
Vulnerability from github – Published: 2024-12-17 18:33 – Updated: 2024-12-17 18:33IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores user credentials in configuration files which can be read by a local privileged user.
{
"affected": [],
"aliases": [
"CVE-2024-49817"
],
"database_specific": {
"cwe_ids": [
"CWE-260"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-17T18:15:23Z",
"severity": "MODERATE"
},
"details": "IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores user credentials in configuration files which can be read by a local privileged user.",
"id": "GHSA-p986-vg8j-hhh7",
"modified": "2024-12-17T18:33:50Z",
"published": "2024-12-17T18:33:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49817"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7175067"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PJW3-C74J-M9FJ
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2023-02-14 00:57It has been reported that KIE server and Busitess Central before version 7.21.0.Final contain username and password as plaintext Java properties. Any app deployed on the same server would have access to these properties, thus granting access to ther services.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.kie.server:kie-server-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.21.0.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-7043"
],
"database_specific": {
"cwe_ids": [
"CWE-260"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-14T00:57:31Z",
"nvd_published_at": "2019-05-15T16:29:00Z",
"severity": "CRITICAL"
},
"details": "It has been reported that KIE server and Busitess Central before version 7.21.0.Final contain username and password as plaintext Java properties. Any app deployed on the same server would have access to these properties, thus granting access to ther services.",
"id": "GHSA-pjw3-c74j-m9fj",
"modified": "2023-02-14T00:57:31Z",
"published": "2022-05-24T16:45:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7043"
},
{
"type": "WEB",
"url": "https://github.com/kiegroup/droolsjbpm-integration/pull/1273"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7043"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Password in config file in KIE server"
}
GHSA-QWJ8-22QG-X6QF
Vulnerability from github – Published: 2025-04-04 09:30 – Updated: 2025-04-04 09:30The Docker image from acme.sh before 40b6db6 is based on a .github/workflows/dockerhub.yml file that lacks "persist-credentials: false" for actions/checkout.
{
"affected": [],
"aliases": [
"CVE-2025-32111"
],
"database_specific": {
"cwe_ids": [
"CWE-260"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-04T07:15:42Z",
"severity": "HIGH"
},
"details": "The Docker image from acme.sh before 40b6db6 is based on a .github/workflows/dockerhub.yml file that lacks \"persist-credentials: false\" for actions/checkout.",
"id": "GHSA-qwj8-22qg-x6qf",
"modified": "2025-04-04T09:30:33Z",
"published": "2025-04-04T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32111"
},
{
"type": "WEB",
"url": "https://github.com/acmesh-official/acme.sh/commit/40b6db6a2715628aa977ed1853fe5256704010ae"
},
{
"type": "WEB",
"url": "https://github.com/acmesh-official/acme.sh/commit/a1de13657e79c5471dbc8fa3539ea39160937389"
},
{
"type": "WEB",
"url": "https://github.com/actions/checkout/blob/85e6279cec87321a52edac9c87bce653a07cf6c2/README.md?plain=1#L70-L72"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RFVR-JPH4-C6J4
Vulnerability from github – Published: 2025-08-19 18:31 – Updated: 2025-08-19 21:30EzGED3 3.5.0 stores user passwords using an insecure hashing scheme: md5(md5(password)). This hashing method is cryptographically weak and allows attackers to perform efficient offline brute-force attacks if password hashes are disclosed. The lack of salting and use of a fast, outdated algorithm makes it feasible to recover plaintext credentials using precomputed tables or GPU-based cracking tools. The vendor states that the issue is fixed in 3.5.72.27183.
{
"affected": [],
"aliases": [
"CVE-2025-51540"
],
"database_specific": {
"cwe_ids": [
"CWE-260"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-19T16:15:28Z",
"severity": "MODERATE"
},
"details": "EzGED3 3.5.0 stores user passwords using an insecure hashing scheme: md5(md5(password)). This hashing method is cryptographically weak and allows attackers to perform efficient offline brute-force attacks if password hashes are disclosed. The lack of salting and use of a fast, outdated algorithm makes it feasible to recover plaintext credentials using precomputed tables or GPU-based cracking tools. The vendor states that the issue is fixed in 3.5.72.27183.",
"id": "GHSA-rfvr-jph4-c6j4",
"modified": "2025-08-19T21:30:36Z",
"published": "2025-08-19T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51540"
},
{
"type": "WEB",
"url": "https://ballpoint.fr/en/blog/ezged3-preauth-file-read-admin-takeover"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V736-7QXC-59QF
Vulnerability from github – Published: 2025-09-07 03:30 – Updated: 2025-12-19 15:31IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0 Java and JMS stores a password in client configuration files when trace is enabled which can be read by a local user.
{
"affected": [],
"aliases": [
"CVE-2025-36100"
],
"database_specific": {
"cwe_ids": [
"CWE-260"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-07T01:15:32Z",
"severity": "MODERATE"
},
"details": "IBM MQ LTS 9.1.0.0 through 9.1.0.29, 9.2.0.0 through 9.2.0.36, 9.3.0.0 through 9.3.0.30 and 9.4.0.0 through 9.4.0.12 and IBM MQ CD 9.3.0.0 through 9.3.5.1 and 9.4.0.0 through 9.4.3.0\u00a0 Java and JMS stores a password in client configuration files when trace is enabled which can be read by a local user.",
"id": "GHSA-v736-7qxc-59qf",
"modified": "2025-12-19T15:31:17Z",
"published": "2025-09-07T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36100"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7243544"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid storing passwords in easily accessible locations.
Mitigation
Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
No CAPEC attack patterns related to this CWE.