The Wayback Machine - https://web.archive.org/web/20240525023324/https://codeql.github.com/codeql-query-help/csharp/cs-password-in-configuration/
CodeQL documentation
CodeQL resources

Password in configuration file

ID: cs/password-in-configuration
Kind: problem
Security severity: 7.5
Severity: warning
Precision: medium
Tags:
   - security
   - external/cwe/cwe-13
   - external/cwe/cwe-256
   - external/cwe/cwe-313
Query suites:
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls

Click to see the query in the CodeQL repository

Storing a plaintext password in a configuration file allows anyone who can read the file to access the password-protected resources. Therefore it is a common attack vector.

Recommendation

Passwords stored in configuration files should be encrypted.

References

  • Common Weakness Enumeration: CWE-13.

  • Common Weakness Enumeration: CWE-256.

  • Common Weakness Enumeration: CWE-313.