
CWE-258 (Empty Password in Configuration File) — Vulnerability Class 9

9 vulnerabilities classified as CWE-258 (Empty Password in Configuration File). AI Chinese analysis included.

CWE-258 covers a configuration weakness in which a configuration file supplies an empty string as the password for an account or service connection. It typically arises when a deployment template ships with a blank credential that is never filled in, or when a developer leaves a placeholder empty and nothing at startup rejects it. An attacker who can reach the affected login, database or LDAP interface authenticates with the known username and no password, bypassing the control outright; from there the usual consequences follow: data exposure, host compromise, and lateral movement wherever the same account is reused. Prevention has two halves. The application or service should refuse to start (or refuse the connection) when a required password resolves to empty or null, and the authenticating backend should reject empty passwords regardless of what the client sends. Beyond that, enforce password complexity and multi-factor authentication where the product supports them, audit configuration files and deployment manifests for blank or default credentials, and run a scanner for these patterns in CI so they are caught before they reach production.

MITRE CWE Description
Using an empty string as a password is insecure.
Common Consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (1)
System Configuration: Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. Ho…
Examples (1)
The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but the password is provided as an empty string.

Bad · Java (ResourceBundle properties file):
    # Java Web App ResourceBundle properties file
    ...
    webapp.ldap.username=secretUsername
    webapp.ldap.password=
    ...

Bad · ASP.NET (connection string in the application configuration):
    ...
    <connectionStrings>
      <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=; dbalias=uDB;" providerName="System.Data.Odbc" />
    </connectionStrings>
    ...
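As an added example (not code from MITRE or from this page), the following Python script does the two things the analysis above calls for: it audits the two configuration shapes shown in the examples (a Java properties file and an ASP.NET connectionStrings block) for password-like keys whose value is empty, and it provides a startup guard that refuses to run when a required credential resolves to blank. The sample files are constructed here, modelled on the MITRE examples, and the list of password-like key names is an assumption you would extend for your own products.

```python
import re
import xml.etree.ElementTree as ET

# Assumed set of credential-bearing key names. Matched case-insensitively
# against the last segment of a dotted/underscored properties key or a
# connection-string key, so "webapp.ldap.password" and "pwd" both match.
PASSWORD_KEYS = {"password", "passwd", "pwd", "pass", "secret"}

# Constructed sample input modelled on the Java example above. Lines 3-5 are
# the three ways a blank credential usually appears: nothing, whitespace, "".
JAVA_PROPERTIES = """\
# Java Web App ResourceBundle properties file
webapp.ldap.username=secretUsername
webapp.ldap.password=
webapp.db.password=  
webapp.cache.password=""
"""

# Constructed sample input modelled on the ASP.NET example above, with a
# second, correctly populated entry so the scanner has a negative case.
ASPNET_CONFIG = """\
<configuration>
  <connectionStrings>
    <add name="ud_DEV"
         connectionString="connectDB=uDB; uid=db2admin; pwd=; dbalias=uDB;"
         providerName="System.Data.Odbc" />
    <add name="ud_PROD"
         connectionString="connectDB=uDB; uid=db2admin; pwd=s3cret; dbalias=uDB;"
         providerName="System.Data.Odbc" />
  </connectionStrings>
</configuration>
"""


def is_password_key(key):
    """True if the last segment of the key names a credential."""
    leaf = re.split(r"[._\-]", key.strip())[-1].lower()
    return leaf in PASSWORD_KEYS


def is_empty_secret(value):
    """Empty, whitespace-only, or an explicitly quoted empty string."""
    v = value.strip()
    return v in ("", '""', "''")


def scan_properties(text):
    """Return (line_no, key) for each password-like key with an empty value."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith(("#", "!")):   # properties comment lines
            continue
        m = re.match(r"([^=:]+)[=:](.*)", s)     # key=value or key:value
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if is_password_key(key) and is_empty_secret(value):
            findings.append((n, key.strip()))
    return findings


def scan_connection_string(conn):
    """Return the password-like keys in a ';'-separated connection string
    whose value is empty (e.g. 'pwd=')."""
    keys = []
    for part in conn.split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        if is_password_key(k) and is_empty_secret(v):
            keys.append(k.strip())
    return keys


def scan_aspnet_config(xml_text):
    """Return (connection name, key) for every <add> whose connectionString
    carries an empty password."""
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        name = add.get("name", "?")
        for k in scan_connection_string(add.get("connectionString", "")):
            findings.append((name, k))
    return findings


def require_password(name, value):
    """Runtime guard: raise instead of proceeding with a blank credential."""
    if value is None or not value.strip():
        raise ValueError(f"refusing to start: {name} is empty (CWE-258)")
    return value


if __name__ == "__main__":
    for lineno, key in scan_properties(JAVA_PROPERTIES):
        print(f"properties line {lineno}: {key} is empty")
    for name, key in scan_aspnet_config(ASPNET_CONFIG):
        print(f"connection '{name}': {key} is empty")
    require_password("webapp.ldap.password", "")   # raises ValueError
```

The scanner only checks for emptiness; a non-empty literal such as the `pwd=s3cret` in the constructed PROD entry is a hard-coded credential (CWE-259) and needs a different check. Wire `scan_properties`/`scan_aspnet_config` into CI over your configuration directory, and call `require_password` on every credential the service reads at startup so the runtime half of the defence does not depend on the audit having run.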
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-9276 | Cockroach Labs cockroach-k8s-request-cert Empty Root Password Authentication Bypass Vulnerability | cockroach-k8s-request-cert | 9.8 | - | 2025-09-02
CVE-2025-4395 | Medtronic MyCareLink Patient Monitor Empty Password Vulnerability | MyCareLink Patient Monitor 24950 | 6.8 | Medium | 2025-07-24
CVE-2024-35137 | IBM Security Access Manager Docker information disclosure | Security Verify Access Docker | 6.2 | Medium | 2024-06-28
CVE-2024-4106 | Yokogawa FAST/TOOLS security vulnerability | FAST/TOOLS | 5.3 | Medium | 2024-06-26
CVE-2023-43016 | IBM Security Access Manager Container unauthorized access | Security Verify Access Appliance | 7.3 | High | 2024-02-03
CVE-2023-39439 | SAP Commerce accepts empty passphrases | SAP Commerce | 8.8 | High | 2023-08-08
CVE-2020-29478 | Broadcom CA Service Catalog security vulnerability | CA Service Catalog | 7.5 | - | 2021-01-05
CVE-2019-5021 | Alpine Linux Docker security vulnerability | Alpine Linux | 9.8 | - | 2019-05-08
CVE-2018-17914 | Schneider Electric InduSoft Web Studio and InTouch Edge HMI security vulnerability | InduSoft Web Studio, and InTouch Edge HMI (formerly InTouch Machine Edition) | 9.8 | - | 2018-11-02

Severity is shown as "-" where the source lists no rating; the CVSS base score is still given.

Vulnerabilities classified as CWE-258 (Empty Password in Configuration File) represent 9 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.