Use of Hard-coded Credentials

Property
Language: hcl
Severity: medium
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

AWS credentials (an access key ID and secret access key) are hard-coded directly in the Terraform configuration file. Storing secrets like access keys in source code makes them easy to expose or leak accidentally, and once committed they also persist in version-control history. Remove the keys from the configuration, rotate them, and let the AWS provider pick up credentials from the environment, a shared credentials profile, or an assumed role instead.

Impact

If these credentials are leaked, anyone with access could control your AWS resources, potentially leading to data loss, service disruption, or financial loss from unauthorized usage. Attackers could exploit these keys to compromise your cloud infrastructure.

Use of Hard-coded Credentials

Property
Language: generic
Severity: medium
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Rotate the secret and retrieve it at runtime from a secure secret vault or Hardware Security Module (HSM); alternatively, environment variables can be used if your company policy allows it. Rotation matters because removing the value from the current revision does not remove it from version-control history.

Use of Hard-coded Credentials

Property
Language: regex
Severity: low
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

A Google Cloud API key has been found hard-coded in the codebase. Storing sensitive credentials like API keys directly in code makes them easy to extract and misuse.

Impact

If an attacker gains access to this API key, they could use your Google Cloud resources, incur unexpected costs, access sensitive data, or disrupt services. This could lead to data breaches, service downtime, and financial loss for your organization.

Use of Hard-coded Credentials

Property
Language: generic
Severity: medium
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The AWS Account ID is hard-coded directly into the source code. While not as sensitive as a password, exposing account identifiers in code makes it easier for attackers to target your AWS resources, since the account ID is needed to construct ARNs and to address resources in that account.

Impact

If the code is shared or leaked, attackers could use the AWS Account ID to launch phishing attacks, enumerate resources, or attempt unauthorized access. This increases the risk of your AWS environment being targeted, potentially leading to data breaches or service disruptions.

Use of Hard-coded Credentials

Property
Language: regex
Severity: medium
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

A bcrypt password hash was found directly in the codebase or configuration files. Storing hashed credentials in source code is insecure: the hash can be cracked offline if the code is leaked or shared, and a hash baked into the code usually means a fixed credential that cannot be rotated without a new release.

Impact

If attackers gain access to the repository, they could use the exposed hashes to attempt offline attacks or leverage them to compromise user accounts. This can lead to unauthorized access, data breaches, and reputational damage for the organization.

Use of Hard-coded Credentials

Property
Language: regex
Severity: medium
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

An Artifactory token appears to be present directly in the codebase. Storing authentication tokens in source code exposes them to anyone with code access, including everyone who can read the version-control history.

Impact

If an attacker obtains this token, they could gain unauthorized access to your Artifactory repositories, potentially allowing them to read, modify, or delete artifacts. This could lead to code theft, tampering with build artifacts, or disruption of your software supply chain.

Use of Hard-coded Credentials

Property
Language: regex
Severity: medium
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

An Artifactory API token or password has been found directly in the codebase. Storing sensitive credentials in source code exposes them to anyone with code access, making it easy to accidentally leak secrets.

Impact

If an attacker obtains this token, they could gain unauthorized access to your Artifactory instance, potentially allowing them to read, modify, or delete artifacts and sensitive data. This can lead to compromise of build pipelines, distribution of malicious packages, and significant organizational risk.

Use of Hard-coded Credentials

Property
Language: regex
Severity: low
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

A Square OAuth secret key has been found directly in the codebase. Storing sensitive credentials like API secrets in code exposes them to anyone with code access and risks accidental leaks.

Impact

If an attacker obtains this secret, they could impersonate your application, gain unauthorized access to Square APIs, and potentially access or manipulate sensitive payment data. This could lead to financial loss, service disruptions, or compromise of customer information.

Use of Hard-coded Credentials

Property
Language: regex
Severity: low
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

An API key appears to be hard-coded directly into the codebase. Storing sensitive credentials in source code makes them easy to expose or leak accidentally. Because this rule matches generic key-like strings rather than a specific provider format, its confidence is low; confirm that the match is a real credential before rotating it.

Impact

If an attacker obtains this API key, they could gain unauthorized access to external services or systems, potentially leading to data breaches, service abuse, or financial loss for the organization.

Use of Hard-coded Credentials

Property
Language: regex
Severity: low
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

A Slack webhook URL has been found in the code. The URL itself is the secret: anyone who holds it can post arbitrary messages to the channel it is bound to, with no further authentication. Hard-coding the webhook in code can therefore lead to unauthorized posting into your workspace if the code is leaked or shared. Revoke the webhook in Slack, create a new one, and load it from a secret store or environment variable.
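Several of the rules above (the AWS access key in Terraform, the Google Cloud API key, the bcrypt hash, and the Slack webhook URL) are plain pattern matches over source text. The following is an added example, not the scanner's own rule set or code from this page, showing how such a detector works and why it reports a redacted preview rather than the full value. The regexes are this example's own approximations of the publicly documented token formats, and the sample file is constructed; every value in it is fake (the AWS key is the one AWS uses in its own documentation).

```python
import re
from dataclasses import dataclass

# Approximations of the documented token formats, written for this example.
# They are deliberately narrow: a 12-digit AWS account ID or a generic
# "api_key = ..." string is too ambiguous to match with high confidence,
# which is why rules of that kind carry a low confidence level.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
    "slack-webhook-url": re.compile(
        r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"
    ),
    # $2a$/$2b$/$2x$/$2y$, two-digit cost, 22-char salt + 31-char digest
    "bcrypt-hash": re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}"),
}


@dataclass
class Finding:
    rule: str
    line: int
    preview: str  # redacted on purpose: a finding must never re-leak the secret


def redact(secret: str) -> str:
    """Keep enough of the token to recognise it in triage, never enough to reuse it."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Run every rule over every line and return findings in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                findings.append(Finding(rule, line_no, redact(match.group(0))))
    return findings


# Constructed sample input: a Terraform-style file mixed with a few
# config lines. Nothing here is a real credential.
SAMPLE_SOURCE = """\
# constructed sample file for the scanner; every value below is fake
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
}
GOOGLE_MAPS_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy"
SLACK_HOOK = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
ADMIN_HASH = "$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
aws_account_id = "123456789012"
secret = os.environ["AWS_SECRET_ACCESS_KEY"]
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"{f.rule:<18} line {f.line}: {f.preview}")
```

Two lines in the sample are intentionally not reported: the account ID, because a bare 12-digit number cannot be matched with any confidence, and the value read from the environment, which is the remediation the rules recommend. In practice the same scan should be run over version-control history (for example the output of `git log -p`), since a secret that was ever committed must be treated as leaked and rotated even after it is removed from the current revision.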