V5326. OWASP. A password for a database connection should not be empty

The analyzer has detected that an empty password was used when connecting to a database. The empty password lacks basic security, which can lead to unauthorized data access.

This vulnerability can be categorized under the OWASP Top 10 2021 classification as follows:

An example of an insecure configuration:

import org.postgresql.ds.PGSimpleDataSource;

var dataSource = new PGSimpleDataSource();
dataSource.setDatabaseName("db");
dataSource.setUser("server");
dataSource.setPassword("");   // empty password: the connection is effectively unauthenticated
// ....

Access parameters used in the project should meet the following requirements:

  • Use strong and unpredictable passwords that cannot be compromised through brute-force attacks. They should be at least eight characters long and include a mix of uppercase and lowercase letters, numbers, and symbols.
  • Grant credential holders only the permissions they need. For example, do not grant write permissions if access is required only for reading data.
  • Avoid storing access parameters in code. Instead, use properties, configuration classes, or environment variables.

The fixed code:

import org.postgresql.ds.PGSimpleDataSource;

var dataSource = new PGSimpleDataSource();
dataSource.setDatabaseName("db");
// Credentials come from JVM system properties (e.g. -Ddb.user=... -Ddb.password=...)
// supplied at launch, so they are never hard-coded in the source.
dataSource.setUser(System.getProperty("db.user"));
dataSource.setPassword(System.getProperty("db.password"));
// ....
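The fixed code still accepts whatever the property holds, including nothing at all if the property was never set. The following added example (not part of the diagnostic page or the PVS-Studio project) wraps the same PGSimpleDataSource setup in a hypothetical helper that reads the credential from the `db.user`/`db.password` system properties or, failing that, from the assumed `DB_USER`/`DB_PASSWORD` environment variables, and refuses to build the data source when the value is missing, blank, or shorter than the eight characters the page requires. It assumes Java 11 or later and the PostgreSQL JDBC driver on the classpath.

```java
import org.postgresql.ds.PGSimpleDataSource;
import javax.sql.DataSource;

public final class DbCredentials {

    // Hypothetical helper: look up a credential in a JVM system property first,
    // then in an environment variable, and fail fast if neither holds a value.
    static String requireCredential(String propertyKey, String envKey) {
        String value = System.getProperty(propertyKey);
        if (value == null || value.isBlank()) {
            value = System.getenv(envKey);
        }
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(
                "Database credential not configured: set -D" + propertyKey
                + " or the " + envKey + " environment variable");
        }
        return value;
    }

    // Passwords get the additional minimum-length check from the page's guidance.
    static String requirePassword(String propertyKey, String envKey) {
        String password = requireCredential(propertyKey, envKey);
        if (password.length() < 8) {
            throw new IllegalStateException(
                "Database password must be at least 8 characters long");
        }
        return password;
    }

    // Same data-source setup as the fixed code, but it cannot be built with
    // an empty password: construction aborts before any connection attempt.
    static DataSource createDataSource() {
        var dataSource = new PGSimpleDataSource();
        dataSource.setDatabaseName("db");
        dataSource.setUser(requireCredential("db.user", "DB_USER"));
        dataSource.setPassword(requirePassword("db.password", "DB_PASSWORD"));
        return dataSource;
    }

    public static void main(String[] args) {
        // With no credentials configured this throws IllegalStateException
        // instead of silently connecting with an empty password.
        DataSource ds = createDataSource();
        System.out.println("Data source configured for user "
            + ((PGSimpleDataSource) ds).getUser());
    }
}
```

Failing at startup turns a silent misconfiguration into a visible deployment error, which is usually the behaviour you want for credentials.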