SYM_PY_0004 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Insufficiently Protected Credentials
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-522: Insufficiently Protected Credentials |
OWASP | A2:2017 - Broken Authentication |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
Description
Storing a user's password in a JWT exposes it in plaintext. A signed JWT (JWS) carries its header and payload as base64url-encoded JSON; the signature protects integrity, not confidentiality, so anyone who holds the token (browser storage, logs, proxies, a stolen bearer header) can decode the claims without the signing key. Encrypting the token (JWE) does not make this acceptable either: the password is never needed to make an authorization decision, so it should be verified once at login against a salted hash and never placed in the token. A token should carry only what the server needs to identify the session (for example `sub`, `iat`, `exp`); passwords and other credentials must never be included in JWT claims.
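The following added example (not code from the Symbiotic database or any project it describes) shows why the claim above holds. It builds HS256 JWTs with only the Python standard library, demonstrates that the payload of a vulnerable token can be read without the signing key, and contrasts it with a hardened issuer that checks the password against a PBKDF2 hash and emits a token containing only identity and expiry claims. The signing key, iteration count, user records and the list of credential-like claim names are constructed assumptions for the example; `find_credential_claims` is a simple check a reviewer or test suite can run over issued tokens.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed signing key for the example; a real service loads this from a secret store.
SIGNING_KEY = b"example-hs256-key-not-for-production"
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(tag)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the HMAC is valid and the token is unexpired, otherwise None."""
    try:
        header, payload, tag = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(tag)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None
    return claims


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT the key: this is all an attacker holding the token needs."""
    return json.loads(_b64url_decode(token.split(".")[1]))


# Assumed list of claim names that indicate an embedded credential (CWE-522 check).
CREDENTIAL_CLAIM_NAMES = {"password", "passwd", "pwd", "pass", "secret", "api_key", "apikey"}


def find_credential_claims(claims: dict) -> list:
    """Return the names of top-level claims that look like credentials; empty list is clean."""
    return sorted(name for name in claims if name.lower() in CREDENTIAL_CLAIM_NAMES)


# Vulnerable pattern: the password travels inside the (readable) token payload.
def issue_token_vulnerable(username: str, password: str) -> str:
    claims = {"sub": username, "password": password, "exp": int(time.time()) + 3600}
    return sign_jwt(claims, SIGNING_KEY)


# Hardened pattern: verify the password once against a salted PBKDF2 hash, then issue a
# token that carries only the subject, issue time and expiry.
def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def issue_token_fixed(username: str, password: str, user_db: dict) -> Optional[str]:
    record = user_db.get(username)
    if record is None:
        return None
    salt, stored = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        return None
    issued = int(time.time())
    return sign_jwt({"sub": username, "iat": issued, "exp": issued + 3600}, SIGNING_KEY)


if __name__ == "__main__":
    bad = issue_token_vulnerable("alice", "hunter2")
    print("vulnerable payload, decoded with no key:", peek_claims(bad))
    print("credential claims found:", find_credential_claims(peek_claims(bad)))
    users = {"alice": hash_password("hunter2")}  # constructed user record
    good = issue_token_fixed("alice", "hunter2", users)
    print("hardened payload:", peek_claims(good), find_credential_claims(peek_claims(good)))
```

`peek_claims` deliberately skips signature verification to make the point: signing a JWT does nothing to hide its contents. In a real code base the `find_credential_claims` check is best placed where tokens are minted, so that a claim set containing a password fails a unit test rather than reaching production.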
Impact
If exploited, an attacker who obtains a JWT (for example from a log, a compromised client, or a token leaked in transit) can decode the payload without the signing key and recover the user's password in plaintext. Because JWTs are commonly long-lived bearer tokens, the exposure persists for the life of the token and the password, not just for one request. This leads to account compromise, credential reuse attacks against other services where the user has the same password, and potential data breaches, exposing both users and the organization to serious security and privacy risks.