Description

This Spring Boot web application stores datasource credentials in plain text in its properties files, via the spring.datasource.password= property. Storing plain text passwords in configuration files is not recommended.

Remediation

Encrypt the credentials using a library such as Jasypt. Jasypt provides encryption for the property sources, so the application can decrypt the encrypted properties and retrieve the original values.
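A check a build pipeline could run for this finding, as an added example that is not part of the original page: it parses .properties text and reports password keys whose value is neither a Jasypt-style ENC(...) wrapper nor a ${...} placeholder without a default. The ENC(...) form (the jasypt-spring-boot default), the match on any key ending in ".password", and the sample contents are assumptions of this example.

```python
import re

# The page names spring.datasource.password; matching any key that ends in
# ".password" is an assumption of this example.
SENSITIVE_KEY = re.compile(r"(^|\.)password$", re.IGNORECASE)
# Values treated as protected: a Jasypt-style ENC(...) wrapper (assumed
# jasypt-spring-boot default) or a ${...} placeholder with no inline default.
PROTECTED_VALUE = re.compile(r"^(ENC\(.+\)|\$\{[^}:]+\})$")


def parse_properties(text):
    """Yield (line_number, key, value) from .properties text."""
    logical, start = "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()
        if not logical:
            if not line or line[0] in "#!":
                continue  # blank line or comment
            start = number
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2:
            logical += line[:-1]
            continue
        logical += line
        match = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)$", logical)
        if match:
            yield start, match.group(1), match.group(2).strip()
        logical = ""


def find_plaintext_credentials(text):
    """Return (line, key) pairs whose value is stored in plain text."""
    return [(number, key) for number, key, value in parse_properties(text)
            if SENSITIVE_KEY.search(key) and value
            and not PROTECTED_VALUE.match(value)]


# Constructed sample input; none of these values come from a real application.
SAMPLE = """\
spring.datasource.url=jdbc:postgresql://db.example.internal:5432/app
spring.datasource.password=Sup3rS3cret!
reporting.datasource.password = ENC(cGxhY2Vob2xkZXItY2lwaGVydGV4dA==)
audit.datasource.password: ${AUDIT_DB_PASSWORD}
legacy.datasource.password=${LEGACY_DB_PASSWORD:changeme}
"""

if __name__ == "__main__":
    print(find_plaintext_credentials(SAMPLE))
```

The last sample line is reported because a placeholder with an inline default still leaves a plain text password in the file.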
