目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%
请我们喝杯咖啡

CWE-259 使用硬编码的口令 类漏洞列表 122

CWE-259 使用硬编码的口令 类弱点 122 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-259 指软件在入站认证或出站通信中硬编码密码的漏洞。攻击者常通过逆向工程提取源码中的明文凭证,进而伪装合法用户或横向渗透外部系统。开发者应避免此类做法,改用环境变量、密钥管理服务或配置文件存储敏感信息,确保密码动态生成且与代码分离,从而降低凭证泄露风险。

MITRE CWE 官方描述
CWE:CWE-259 使用硬编码密码 (Use of Hard-coded Password) 英文:该产品包含一个硬编码密码 (hard-coded password),用于其自身的入站认证 (inbound authentication) 或与外部组件进行出站通信 (outbound communication)。 硬编码密码 (hard-coded password) 主要有两种变体:入站 (Inbound):该产品包含一种认证机制,用于检查硬编码密码 (hard-coded password)。出站 (Outbound):该产品连接到另一个系统或组件,并包含用于连接该组件的硬编码密码 (hard-coded password)。
常见影响 (2)
Access ControlGain Privileges or Assume Identity
If hard-coded passwords are used, it is almost certain that malicious users can gain access through the account in question.
Access ControlGain Privileges or Assume Identity, Hide Activities, Reduce Maintainability
A hard-coded password typically leads to a significant authentication failure that can be difficult for the system administrator to detect. Once detected, it can be difficult to fix, so the administrator may be forced into disabling the product entirely.
缓解措施 (5)
Architecture and DesignFor outbound authentication: store passwords outside of the code in a strongly-protected, encrypted configuration file or database that is protected from access by all outsiders, including other local users on the same system. Properly protect the key (CWE-320). If you cannot use encryption to protect the file, then make sure that the permissions are as restrictive as possible.
Architecture and DesignFor inbound authentication: Rather than hard-code a default username and password for first time logins, utilize a "first login" mode that requires the user to enter a unique strong password.
Architecture and DesignPerform access control checks and limit which entities can access the feature that requires the hard-coded password. For example, a feature might only be enabled through the system console instead of through a network connection.
Architecture and DesignFor inbound authentication: apply strong one-way hashes to your passwords and store those hashes in a configuration file or database with appropriate access control. That way, theft of the file/database still requires the attacker to try to crack the password. When receiving an incoming password during authentication, take the hash of the password and compare it to the hash that you have saved. Us…
Architecture and DesignFor front-end to back-end connections: Three solutions are possible, although none are complete. The first suggestion involves the use of generated passwords which are changed automatically and must be entered at given time intervals by a system administrator. These passwords will be held in memory and only be valid for the time intervals. Next, the passwords used should be limited at the back end…
代码示例 (2)
The following code uses a hard-coded password to connect to a database:
... DriverManager.getConnection(url, "scott", "tiger"); ...
Bad · Java
javap -c ConnMngr.class 22: ldc #36; //String jdbc:mysql://ixne.com/rxsql 24: ldc #38; //String scott 26: ldc #17; //String tiger
Attack
The following code is an example of an internal hard-coded password in the back-end:
int VerifyAdmin(char *password) { if (strcmp(password, "Mew!")) { printf("Incorrect Password!\n"); return(0); } printf("Entering Diagnostic Mode...\n"); return(1); }
Bad · C
int VerifyAdmin(String password) { if (!password.equals("Mew!")) { return(0); } //Diagnostic Mode return(1); }
Bad · Java
CVE ID标题CVSS风险等级Published
CVE-2025-2555 Audi Universal Traffic Recorder App 安全漏洞 — Universal Traffic Recorder App 2.9 Low2025-03-20
CVE-2024-48831 Dell SmartFabric OS10 安全漏洞 — SmartFabric OS10 Software 8.4 High2025-03-17
CVE-2025-1100 Q-Free MAXTIME Suite 安全漏洞 — MaxTime 9.8 Critical2025-02-12
CVE-2022-26388 Hillrom Welch Allyn ELI 安全漏洞 — ELI 380 Resting Electrocardiograph 6.4 Medium2025-02-07
CVE-2024-4996 Asseco Business Solutions Wapro ERP 安全漏洞 — Wapro ERP Desktop 7.5 -2024-12-18
CVE-2024-11026 Intelligent Freenow 安全漏洞 — Freenow App 3.7 Low2024-11-08
CVE-2024-20412 Cisco Firepower Threat Defense 安全漏洞 — Cisco Firepower Threat Defense Software 9.3 Critical2024-10-23
CVE-2024-43423 Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE 安全漏洞 — ProGauge MAGLINK LX CONSOLE 9.8 Critical2024-09-24
CVE-2024-8580 TOTOLINK AC1200 安全漏洞 — AC1200 T8 8.1 High2024-09-08
CVE-2024-39585 Dell SmartFabric OS10 安全漏洞 — SmartFabric OS10 Software 7.9 High2024-09-06
CVE-2024-7332 TOTOLINK CP450 安全漏洞 — CP450 9.8 Critical2024-08-01
CVE-2024-7216 TOTOLINK LR1200GB 安全漏洞 — LR1200 2.6 Low2024-07-30
CVE-2024-7170 TOTOLINK A3000Ru 安全漏洞 — A3000RU 3.5 Low2024-07-28
CVE-2024-7159 TOTOLINK A3600R 安全漏洞 — A3600R 5.5 Medium2024-07-28
CVE-2024-7155 TOTOLINK A3300R 安全漏洞 — A3300R 2.5 Low2024-07-28
CVE-2023-46685 LevelOne WBR-6013 安全漏洞 — WBR-6013 9.8 Critical2024-07-08
CVE-2024-4708 mySCADA myPRO 安全漏洞 — myPRO 9.8 Critical2024-07-02
CVE-2024-5275 FileCatalyst Workflow 安全漏洞 — FileCatalyst Direct 7.8 High2024-06-18
CVE-2024-27164 Toshiba e-STUDIO 安全漏洞 — Toshiba Tec e-Studio multi-function peripheral (MFP) 7.1 High2024-06-14
CVE-2024-28023 Hitachi FOXMAN-UN 安全漏洞 — FOXMAN-UN 5.7 Medium2024-06-11
CVE-2024-3700 Estomed Sp. z o.o. Simple Care 安全漏洞 — Simple Care 7.5 -2024-06-10
CVE-2024-3699 drEryk Gabinet 安全漏洞 — drEryk Gabinet 7.5 -2024-06-10
CVE-2024-1228 Eurosoft Przychodnia 安全漏洞 — Eurosoft Przychodnia 7.5 -2024-06-10
CVE-2024-2420 NetBox 安全漏洞 — NetBox 9.8AICriticalAI2024-05-30
CVE-2024-2038 WordPress plugin Atarim 安全漏洞 — Atarim – Visual Feedback, Review & AI Collaboration 7.5 High2024-05-23
CVE-2024-33625 Cyber Power Systems PowerPanel Business Edition 安全漏洞 — PowerPanel business 9.8 Critical2024-05-15
CVE-2024-34025 Cyber Power Systems PowerPanel Business Edition 安全漏洞 — PowerPanel business 9.8 Critical2024-05-15
CVE-2024-32741 Siemens SIMATIC CN 4100 安全漏洞 — SIMATIC CN 4100 10.0 Critical2024-05-14
CVE-2023-51629 D-Link DCS-8300LHV2 安全漏洞 — DCS-8300LHV2 8.8 -2024-05-03
CVE-2023-32145 D-Link DAP-1360 安全漏洞 — DAP-1360 8.8 -2024-05-03

CWE-259(使用硬编码的口令) 是常见的弱点类别,本平台收录该类弱点关联的 122 条 CVE 漏洞。