CWE-256: Plaintext Storage of a Password
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product stores a password in plaintext within resources such as memory or files.
Common Consequences
Scope: Access Control
Technical Impact: Gain Privileges or Assume Identity
Note: Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resource. In some contexts, even storage of a plaintext password in memory is considered a security risk if the password is not cleared immediately after it is used.
Potential Mitigations
Phase: Architecture and Design
Description: Avoid storing passwords in easily accessible locations.
Phase: Architecture and Design
Description: Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Description: A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.
Effectiveness: None
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
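The following Python example is added here to illustrate two points from this entry and is not part of the CWE text: first, that base64 "obscuring" (the ineffective remedy described under Potential Mitigations) is reversed with a single call, whereas a salted PBKDF2-HMAC-SHA256 hash lets the application verify a password without ever storing it; second, a minimal text-scanning check in the spirit of the SAST detection method, which flags configuration lines whose password-like key holds a value that is not in the hashed format. The storage format `algo$iterations$salt$digest`, the iteration count, the key-name heuristic and the sample configuration lines are all assumptions of this example; the password value is constructed.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Constructed sample password; not taken from the CWE entry.
SAMPLE_PASSWORD = "correct horse battery staple"


def obscure_with_base64(password: str) -> str:
    """The ineffective remedy the entry warns about: base64 is an encoding, not encryption."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_from_base64(obscured: str) -> str:
    """Anyone who can read the stored value gets the password back with one call."""
    return base64.b64decode(obscured).decode("utf-8")


PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 hash instead of the password itself.

    Storage format (an assumption of this example): algo$iterations$salt_b64$digest_b64
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# A minimal SAST-style check: flag config lines whose password-like key holds a
# value that is not in the hashed format above. This is a heuristic that reads
# text without executing anything; a real SAST engine also tracks data flow.
_PASSWORD_KEY = re.compile(
    r"^\s*([A-Za-z0-9_.-]*(?:password|passwd|pwd)[A-Za-z0-9_.-]*)\s*[=:]\s*(.+?)\s*$",
    re.IGNORECASE,
)
_HASHED_VALUE = re.compile(r"^pbkdf2_sha256\$\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")


def find_plaintext_password_lines(config_text: str) -> List[int]:
    """Return 1-based line numbers whose password-like key holds a non-hashed value."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = _PASSWORD_KEY.match(line)
        if match and not _HASHED_VALUE.match(match.group(2).strip("\"'")):
            findings.append(lineno)
    return findings


# Constructed configuration fragment for the demonstration.
SAMPLE_CONFIG = "\n".join([
    "db_host = db.example.internal",
    "db_password = " + SAMPLE_PASSWORD,                         # plaintext: flagged
    "api_password = " + obscure_with_base64(SAMPLE_PASSWORD),   # base64: still flagged
    "admin_password = " + hash_password(SAMPLE_PASSWORD),       # salted hash: not flagged
])

if __name__ == "__main__":
    print("base64 recovered:", recover_from_base64(obscure_with_base64(SAMPLE_PASSWORD)))
    stored = hash_password(SAMPLE_PASSWORD)
    print("verify correct password:", verify_password(SAMPLE_PASSWORD, stored))
    print("verify wrong password:", verify_password("wrong", stored))
    print("plaintext password lines:", find_plaintext_password_lines(SAMPLE_CONFIG))
```

The scanner reports lines 2 and 3 of the sample configuration and leaves line 4 alone, which is the distinction the entry draws: a base64 value is as exposed as the plaintext, while a salted hash gives a reader of the file nothing that can be presented as the password. The constant-time comparison in `verify_password` avoids leaking where the two digests first differ.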
Observed Examples
Reference: CVE-2022-30275
Remote Terminal Unit (RTU) uses a driver that relies on a password stored in plaintext.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
| Architecture and Design | Developers sometimes believe that they cannot defend the application from someone who has access to the configuration, but this belief makes an attacker's job easier. |
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Password Management | - |
| Software Fault Patterns | SFP23 | Exposed Data | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.5 | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 1.5 | - |