Missing Database Authentication
Description
The application does not authenticate when communicating with a database server (in the flagged pattern, an empty password is passed to the JDBC driver). It is strongly recommended that the database server be configured to require authentication and to restrict which queries each user may execute. Passwords should not be stored directly in code but loaded at runtime from a secure location such as a Key Management System (KMS).
Examples
Insecure Code

```java
java.sql.DriverManager.getConnection($URI, $USR, "");
```

Secure Code

```java
java.sql.DriverManager.getConnection($URI, $USR, System.getenv("DB_PASSWORD"));
```

Remediation
Configure the database server with authentication and load passwords from a secure location such as a Key Management System (KMS).
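The following added example (not part of this rule page) shows the remediation as a small helper: the password comes from a pluggable secret source (by default the `DB_PASSWORD` environment variable named above, which a deployment tool would populate from a KMS), and a missing or blank value is refused rather than handed to the driver, because `System.getenv` returns `null` when the variable is unset and a null or empty password reproduces the insecure case. The JDBC URI and user name in `main` are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.function.Supplier;

public final class DbConnector {

    /** Environment variable from the rule's secure example. */
    private static final String PASSWORD_ENV = "DB_PASSWORD";

    /** Default secret source: the environment, populated from a KMS at deploy time. */
    public static final Supplier<String> ENV_SECRET = () -> System.getenv(PASSWORD_ENV);

    /**
     * Opens a JDBC connection with credentials obtained at runtime.
     * Fails closed: a null or blank password is rejected instead of being
     * passed to the driver, where it would behave like getConnection(uri, user, "").
     */
    public static Connection open(String jdbcUri, String user, Supplier<String> secretSource)
            throws SQLException {
        String password = secretSource.get();
        if (password == null || password.isBlank()) {
            throw new IllegalStateException(
                "database password not available from secret source; refusing to connect");
        }
        // Pass credentials as connection properties rather than embedding them in the URI,
        // so they do not end up in logs that print the connection string.
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        return DriverManager.getConnection(jdbcUri, props);
    }

    /** Convenience overload using the environment-backed secret source. */
    public static Connection open(String jdbcUri, String user) throws SQLException {
        return open(jdbcUri, user, ENV_SECRET);
    }

    // Requires a JDBC driver on the classpath and DB_PASSWORD set; URI and user are placeholders.
    public static void main(String[] args) throws SQLException {
        try (Connection c = open("jdbc:postgresql://db.example.internal:5432/app", "app_user")) {
            System.out.println("connected: " + !c.isClosed());
        }
    }
}
```

Swapping `ENV_SECRET` for a supplier that calls a KMS or secrets-manager client keeps the fail-closed check in one place regardless of where the secret lives.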
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0715 |
| Category | Auth |
| Severity | CRITICAL |
| CWE | CWE-306 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | database, authentication |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |