SYM_JAVA_0155 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Hard-coded Credentials
| Property | Value |
|---|---|
| Language | java |
| Severity | |
| CWE | CWE-798: Use of Hard-coded Credentials |
| OWASP | A07:2021 - Identification and Authentication Failures |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The code stores a JWT secret key directly in the source code as a hard-coded string. This exposes sensitive credentials and makes it easy for attackers to find and misuse them if the code is leaked or shared.
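The pattern above, shown as an added example rather than code from the Symbiotic database: the vulnerable form keeps the HMAC secret as a string literal, while the hardened form loads it from the environment at startup, fails closed when it is missing, and rejects keys shorter than the 256 bits HS256 requires. The class name `JwtSecretExample`, the environment variable name `JWT_SECRET`, the placeholder secret, and the sample `header.payload` string are all assumptions made for this illustration; the signing step uses only the JDK's `javax.crypto.Mac`.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JwtSecretExample {

    // VULNERABLE (CWE-798): the HMAC secret is a compile-time constant.
    // Anyone who can read the repository, its history, or the built jar
    // can recover it and produce tokens the verifier will accept.
    static class HardcodedSigner {
        private static final String JWT_SECRET = "change-me-super-secret"; // constructed placeholder

        String sign(String headerAndPayload) throws Exception {
            return hmacSha256(JWT_SECRET.getBytes(StandardCharsets.UTF_8), headerAndPayload);
        }
    }

    // HARDENED: the secret is supplied at runtime (an environment variable here;
    // a secrets manager or key store is the same idea) and never lives in source.
    // Startup fails closed if the value is absent or too short for HS256.
    static class ExternalizedSigner {
        private final byte[] secret;

        ExternalizedSigner() {
            String fromEnv = System.getenv("JWT_SECRET"); // assumed variable name, base64-encoded
            if (fromEnv == null || fromEnv.isBlank()) {
                throw new IllegalStateException("JWT_SECRET is not set; refusing to start");
            }
            byte[] key = Base64.getDecoder().decode(fromEnv);
            // RFC 7518 section 3.2: HS256 keys must be at least as long as the hash output (256 bits).
            if (key.length < 32) {
                throw new IllegalStateException("JWT_SECRET must decode to at least 32 bytes");
            }
            this.secret = key;
        }

        String sign(String headerAndPayload) throws Exception {
            return hmacSha256(secret, headerAndPayload);
        }
    }

    // Shared HS256 signature step: base64url(HMAC-SHA256(key, "<header>.<payload>")).
    static String hmacSha256(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] sig = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }

    public static void main(String[] args) throws Exception {
        // Constructed signing input: base64url header {"alg":"HS256"} and payload {"sub":"alice"}.
        String signingInput = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9";
        System.out.println("hardcoded:    " + new HardcodedSigner().sign(signingInput));
        System.out.println("externalized: " + new ExternalizedSigner().sign(signingInput));
    }
}
```

Run with `JWT_SECRET` set to a base64 encoding of at least 32 random bytes (for example the output of `openssl rand -base64 32`); without it the hardened signer throws before any token is produced, which is the behaviour you want in a deployment that has lost its secret rather than silently falling back to a default.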
Impact
If an attacker gains access to the hard-coded secret, they can forge or manipulate JWT tokens, potentially bypassing authentication and gaining unauthorized access to protected resources. This can lead to data breaches, privilege escalation, and compromise of the entire application.