Description

This Spring Boot web application is storing MongoDB credentials in plain text in the properties files via spring.data.mongodb.password=. It's not recommended to store plain text passwords in configuration files.

Remediation

It's recommended to encrypt the credentials using a library like Jasypt. By using Jasypt, you can provide encryption for the property sources and the application can decrypt the encrypted properties and retrieve the original values.

References

Using Encrypted Property Placeholders in Spring Boot

Java Simplified Encryption

Jasypt integration for Spring boot

Related Vulnerabilities

The DROWN attack (SSLv2 supported)

Yii2 Gii extension

ASP.NET WCF metadata enabled for behavior

GlassFish admin console weak credentials

Oracle applications logs publicy available

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration