logo

CWE-798 - Use of Hard-coded Credentials

CWE-798 High

  • Abstraction:
  • Base
  • Structure:
  • Simple
  • Status:
  • Draft
Weakness Name

Use of Hard-coded Credentials

Description

The product contains hard-coded credentials, such as a password or cryptographic key.

There are two main variations:

Common Consequences

Scope: Access Control

Impact: Bypass Protection Mechanism

Notes: If hard-coded passwords are used, it is almost certain that malicious users will gain access to the account in question. Any user of the product that hard-codes passwords may be able to extract the password. Client-side systems with hard-coded passwords pose even more of a threat, since the extraction of a password from a binary is usually very simple.

Scope: Integrity, Confidentiality, Availability, Access Control, Other

Impact: Read Application Data, Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands, Other

Notes: This weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even execute arbitrary code. If the password is ever discovered or published (a common occurrence on the Internet), then anybody with knowledge of this password can access the product. Finally, since all installations of the product will have the same password, even across different organizations, this enables massive attacks such as worms to take place.

Related Weaknesses

CWE-287Improper AuthenticationHigh

CWE-344Use of Invariant Value in Dynamically Changing Context

CWE-671Lack of Administrator Control over Security

CWE-1391Use of Weak Credentials

CWE-257Storing Passwords in a Recoverable FormatHigh

  • Release Date:
  • 2010-02-16
  • Latest Modification Date:
  • 2024-07-16

Free security scan for your website