
CWE-260 Password in Configuration File: vulnerability list (23)

Summary of the 23 CVEs associated with the CWE-260 (Password in Configuration File) weakness class, with AI-generated analysis in Chinese.

CWE-260 covers storing a password in cleartext in a configuration file. If the file's permissions are too permissive, an unauthorized party who can read it learns the credential, and one who can write it can replace the password with one of their own and take over the system the password protects. To avoid this, do not keep passwords as literals in configuration files: pull them at runtime from an environment variable, a secrets manager, or an encrypted store whose key is held elsewhere, and restrict the file so that only the process that needs it (its service account) can read it. Two caveats apply in practice. Hashing, which MITRE lists as an alternative, only works where the product verifies the password itself; a credential the product must present to another system (an LDAP bind password, a database connection string) cannot be hashed and has to be moved out of the file instead. And environment variables are a weaker boundary than a secrets manager: they are visible to any process running as the same user and tend to leak into crash dumps and diagnostic output, so they are a step up from a world-readable file, not a complete answer.

MITRE CWE official description
CWE-260 Password in Configuration File: The product stores a password in a configuration file that might be accessible to actors who do not know the password. This can result in compromise of the system for which the password is used. An attacker could gain access to this file and learn the stored password or worse yet, change the password to one of their choosing.
Common consequences (1)
Access Control: Gain Privileges or Assume Identity
Mitigations (2)
Architecture and Design: Avoid storing passwords in easily accessible locations.
Architecture and Design: Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.
Code examples (2)
Below is a snippet from a Java properties file.

```properties
webapp.ldap.username = secretUsername
webapp.ldap.password = secretPassword
```

Bad · Java

The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but they are stored in cleartext.

```properties
# Java Web App ResourceBundle properties file
...
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
...
```

Bad · Java

```xml
...
<connectionStrings>
  <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>
...
```

Bad · ASP.NET
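The two bad files above are easy to catch mechanically, and the fix is to make a literal password in the file fail rather than work. The following Python is an added example written for this page; it is not MITRE's code and not part of any product listed below. It scans Java .properties files and ASP.NET connectionString attributes for cleartext credentials, accepts only an indirection of the form ${env:NAME} (a convention invented for this example, not a Java properties feature), resolves that reference from the environment, and checks whether a config file that still holds secrets is readable by group or others. The sample inputs are the page's own two examples plus a constructed hardened file.

```python
# Added example for CWE-260 (not from MITRE or this page). The ${env:NAME}
# reference syntax, key list and sample files are this example's own assumptions.
import os
import re
import stat
from dataclasses import dataclass
from typing import List, Mapping, Optional

# Property keys treated as credentials (constructed list; extend for your code base).
SECRET_KEY_RE = re.compile(r"(password|passwd|pwd|secret|token)$", re.IGNORECASE)
# The only value form accepted for a credential: a reference, never a literal.
ENV_REF_RE = re.compile(r"^\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}$")
# key=value or key:value line in a .properties file.
PROPERTY_RE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")
# ODBC/ADO credential attributes inside a connection string: pwd=...; password=...
CONN_PWD_RE = re.compile(r"(?:^|;)\s*(pwd|password)\s*=\s*([^;]*)", re.IGNORECASE)
CONN_ATTR_RE = re.compile(r'connectionString\s*=\s*"([^"]*)"', re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    key: str
    reason: str


def is_env_reference(value: str) -> bool:
    """True if the value is an ${env:NAME} reference rather than a literal."""
    return ENV_REF_RE.match(value.strip()) is not None


def scan_properties(text: str) -> List[Finding]:
    """Flag credential-looking keys whose value is a literal (CWE-260)."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # comment lines
            continue
        m = PROPERTY_RE.match(line)
        if m and SECRET_KEY_RE.search(m.group(1)) and not is_env_reference(m.group(2)):
            findings.append(Finding(n, m.group(1), "cleartext credential literal"))
    return findings


def scan_aspnet_config(text: str) -> List[Finding]:
    """Flag pwd=/password= literals inside connectionString attributes."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        for attr in CONN_ATTR_RE.finditer(raw):
            for pm in CONN_PWD_RE.finditer(attr.group(1)):
                if not is_env_reference(pm.group(2)):
                    findings.append(Finding(n, pm.group(1), "cleartext credential in connection string"))
    return findings


def resolve_secret(value: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the credential behind an ${env:NAME} reference; refuse literals so a
    password pasted into the file fails closed instead of silently working."""
    env = os.environ if env is None else env
    m = ENV_REF_RE.match(value.strip())
    if m is None:
        raise ValueError("credential must be an ${env:NAME} reference, not a literal in the file")
    name = m.group(1)
    if name not in env:
        raise KeyError(f"environment variable {name} is not set")
    return env[name]


def mode_is_world_readable(mode: int) -> bool:
    """True if group or others can read the file (POSIX permission bits)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def config_file_is_exposed(path: str) -> bool:
    """Permission check for a config file that still has to hold a secret."""
    return mode_is_world_readable(os.stat(path).st_mode)


# Constructed sample inputs: the page's two cleartext examples, plus a hardened
# properties file that holds only a reference.
BAD_PROPERTIES = """# Java Web App ResourceBundle properties file
webapp.ldap.username=secretUsername
webapp.ldap.password=secretPassword
"""
GOOD_PROPERTIES = """webapp.ldap.username=secretUsername
webapp.ldap.password=${env:WEBAPP_LDAP_PASSWORD}
"""
BAD_WEB_CONFIG = """<connectionStrings>
  <add name="ud_DEV" connectionString="connectDB=uDB; uid=db2admin; pwd=password; dbalias=uDB;" providerName="System.Data.Odbc" />
</connectionStrings>
"""

if __name__ == "__main__":
    for name, text, scan in (("bad.properties", BAD_PROPERTIES, scan_properties),
                             ("good.properties", GOOD_PROPERTIES, scan_properties),
                             ("web.config", BAD_WEB_CONFIG, scan_aspnet_config)):
        for f in scan(text):
            print(f"{name}:{f.line_no}: {f.key}: {f.reason}")
    # Resolve the hardened file's reference from a constructed environment.
    print(resolve_secret("${env:WEBAPP_LDAP_PASSWORD}", {"WEBAPP_LDAP_PASSWORD": "from-env"}))
```

Run as a pre-commit or CI step over `*.properties` and `web.config` files, the scanner reports the `webapp.ldap.password` line and the `pwd=` attribute and stays silent on the hardened file. The loader deliberately throws on a literal value: the point is that a cleartext password in the file is an error, not a fallback, so nobody can quietly re-introduce the weakness. Where the file must still carry a secret (for example a legacy component that reads it directly), `config_file_is_exposed` gives the minimum permission check, and mode 0600 owned by the service account is the target.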
CVE ID | Title (affected product as listed) | CVSS | Risk level | Published
CVE-2019-25465 | Hisilicon HiIpcam security vulnerability (HiIpcam) | 7.5 | High | 2026-03-11
CVE-2025-15151 | Lin-CMS security vulnerability (Lin-CMS) | 3.7 | Low | 2025-12-28
CVE-2023-53770 | MiniDVBLinux security vulnerability (MiniDVBLinux(TM) Distribution (MLD)) | 9.1 (AI) | Critical (AI) | 2025-12-09
CVE-2023-53739 | Tinycontrol LAN Controller security vulnerability (Tinycontrol LAN Controller v) | 9.1 (AI) | Critical (AI) | 2025-12-09
CVE-2025-33119 | IBM QRadar SIEM security vulnerability (QRadar Security Information and Event Management) | 6.5 | Medium | 2025-11-12
CVE-2025-36002 | IBM Sterling B2B Integrator and IBM Sterling File Gateway security vulnerability (Sterling B2B Integrator) | 5.5 | Medium | 2025-10-16
CVE-2025-36100 | IBM MQ security vulnerability (MQ) | 5.1 | Medium | 2025-09-07
CVE-2025-57754 | eslint-ban-moment security vulnerability (eslint-ban-moment) | 9.8 | Critical | 2025-08-21
CVE-2025-6513 | Bizerba BRAIN2 security vulnerability (BRAIN2) | 9.3 | Critical | 2025-06-23
CVE-2025-25022 | IBM Cloud Pak for Security and IBM QRadar Suite security vulnerability (QRadar Suite Software) | 9.6 | Critical | 2025-06-03
CVE-2025-33093 | IBM Sterling Partner Engagement Manager security vulnerability (Sterling Partner Engagement Manager) | 7.5 | High | 2025-05-07
CVE-2025-32111 | acme.sh security vulnerability (acme.sh) | 8.7 | High | 2025-04-04
CVE-2024-45673 | IBM Security Verify Bridge and IBM Security Verify Gateway security vulnerability (Security Verify Bridge Directory Sync) | 5.5 | Medium | 2025-02-21
CVE-2024-49817 | IBM Security Guardium Key Lifecycle Manager security vulnerability (Security Guardium Key Lifecycle Manager) | 4.4 | Medium | 2024-12-17
CVE-2023-34128 | SonicWALL Analytics and GMS security vulnerability (GMS) | 9.8 | - | 2023-07-13
CVE-2023-2790 | TOTOLINK N200RE security vulnerability (N200RE) | 2.3 | Low | 2023-05-18
CVE-2021-35033 | Multiple Zyxel products authorization vulnerability (NBG6818 series firmware) | 7.8 | High | 2021-11-23
CVE-2020-5721 | MikroTik WinBox security vulnerability (MikroTik WinBox) | 7.1 | - | 2020-04-15
CVE-2016-7043 | KIE Server and Business Central trust management vulnerability (kie-server) | 9.8 | - | 2019-05-15
CVE-2019-3780 | Pivotal Software PKS permission and access control vulnerability (Cloud Foundry Container Runtime (CFCR)) | 8.8 | - | 2019-03-08
CVE-2017-7925 | Multiple Dahua products security vulnerability (Dahua Technology Co., Ltd Digital Video Recorders and IP Cameras) | 9.8 | - | 2017-05-06
CVE-2017-7923 | Multiple Hikvision products security vulnerability (Hikvision Cameras) | 9.8 | - | 2017-05-06
CVE-2014-5400 | Hospira MedNet information disclosure vulnerability (MedNet) | 8.4 | - | 2015-04-03

"(AI)" marks a score and rating that the platform assigned with its AI analysis rather than one taken from the CVE record; "-" means the page lists no risk level for that entry.

CWE-260 (Password in Configuration File) is a common weakness class; this platform records 23 CVEs associated with it.