CWE-258 Variante Incompleto High likelihood

Empty Password in Configuration File

This vulnerability occurs when a configuration file, script, or application uses an empty string as a password, effectively disabling authentication for a service or account.

Definición

What is CWE-258?

This vulnerability occurs when a configuration file, script, or application uses an empty string as a password, effectively disabling authentication for a service or account.
Using a blank password is a critical security misconfiguration that leaves systems wide open to attack. It bypasses the fundamental purpose of authentication, allowing anyone with network or local access to log in without needing to guess or crack a password. This is often the result of oversight during deployment, automated scripting errors, or reliance on default configurations that are never properly secured. To prevent this, developers and system administrators must enforce policies that reject empty passwords during configuration and setup. Automated security scanning tools should flag empty credential fields, and all deployment processes must include a verification step to ensure strong, unique passwords are set for all accounts and services before they go into production.
Impacto en el mundo real

Real-world CVEs caused by CWE-258

  • CVE-2022-26117

    Network access control (NAC) product has a configuration file with an empty password

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    The following examples show a portion of properties and configuration files for Java and ASP.NET applications. The files include username and password information but the password is provided as an empty string.

  2. 2

    This Java example shows a properties file with an empty password string.

  3. 3

    The following example shows a portion of a configuration file for an ASP.Net application. This configuration file includes username and password information for a connection to a database and the password is provided as an empty string.

  4. 4

    An empty string should never be used as a password as this can allow unauthorized access to the application. Username and password information should not be included in a configuration file or a properties file in clear text. If possible, encrypt this information and avoid CWE-260 and CWE-13.

Ejemplo de código vulnerable

Vulnerable Java

This Java example shows a properties file with an empty password string.

Vulnerable Java 
```
# Java Web App ResourceBundle properties file* 
  ...
  webapp.ldap.username=secretUsername
  webapp.ldap.password=
  ...
Ejemplo de código seguro

Secure pseudo

Seguro pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-258

  • System Configuration Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat to c@t, ca+, (@+, or anything similar. Finally, it is never appropriate to use an empty string as a password.
Señales de detección

How to detect CWE-258

SAST High

Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.

DAST Moderate

Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.

Runtime Moderate

Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.

Code review Moderate

Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-258 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-258?

This vulnerability occurs when a configuration file, script, or application uses an empty string as a password, effectively disabling authentication for a service or account.

¿Qué gravedad tiene CWE-258?

MITRE califica la probabilidad de explotación como Alta — esta debilidad se explota activamente en la práctica y debe priorizarse para su remediación.

¿Qué lenguajes o plataformas se ven afectados por CWE-258?

MITRE no ha especificado plataformas afectadas para esta CWE — puede aplicar a la mayoría de los stacks de aplicaciones.

¿Cómo puedo prevenir CWE-258?

Passwords should be at least eight characters long -- the longer the better. Avoid passwords that are in any way similar to other passwords you have. Avoid using words that may be found in a dictionary, names book, on a map, etc. Consider incorporating numbers and/or punctuation into your password. If you do use common words, consider replacing letters in that word with numbers and punctuation. However, do not use "similar-looking" punctuation. For example, it is not a good idea to change cat…

¿Cómo detecta y corrige Plexicus CWE-258?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-258 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-258?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/258.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-258

CWE-260 Padre

Password in Configuration File

This vulnerability occurs when an application stores sensitive passwords directly within a configuration file, making them easily readable…

CWE-13 Hermano

ASP.NET Misconfiguration: Password in Configuration File

This vulnerability occurs when an ASP.NET application stores passwords or other sensitive credentials in plaintext within configuration…

CWE-555 Hermano

J2EE Misconfiguration: Plaintext Password in Configuration File

A J2EE application insecurely stores an unprotected password within a configuration file.

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo