Spring Boot Misconfiguration: MongoDB credentials stored in the properties file

Severity: Medium

Summary#

Invicti detected that the Spring Boot web application is storing MongoDB credentials in plain text in the properties files via spring.data.mongodb.password. It's not recommended to store plain text passwords in configuration files.

Impact#

An attacker that is able to read the properties files has access to all the credentials stored in this file and could use this information to conduct further attacks.

Actions To Take#

It's recommended to encrypt the credentials using a library like Jasypt. By using Jasypt, you can provide encryption for the property sources and the application can decrypt the encrypted properties and retrieve the original values.

Classifications#

OWASP 2013-A5, CWE-16, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N, OWASP 2017-A6

Select Category

Critical
High
Medium
Low
Best Practice
Information

Search Vulnerability

Related Vulnerabilities

Spring Boot Misconfiguration: MongoDB credentials stored in the properties file

Related Articles

Build your resistance to threats. And save hundreds of hours each month.