Password in Maven pom.xml
ID | maven_pom_secret
Severity | high
Vendor | Apache Maven
Family | Password
Description
Passwords for external servers can be specified in pom.xml Maven descriptors. Imagine that a database-access plugin needs to perform database operations during the build: the credentials for authenticating to the database could be placed in the pom.xml file, which is typically under version control.
Security
Any hardcoded password in pom.xml files is a potential secret reported by this detector.
The severity of the leak depends highly on the target system.
Examples
    <project>
      <properties>
        <!-- secret leak -->
        <database.password>P4zzw0rk leaked!</database.password>
        <!-- Used elsewhere, e.g. in a database Maven plugin, via ${database.password} substitution -->
      </properties>
    </project>
To fix, replace the clear-text password with the encrypted version, as documented in Maven Password Encryption:
    <project>
      <properties>
        <!-- encrypted password -->
        <database.password>{oyka1WTGSR0HE0mwMAqJYYQgr3SME3Jf...}</database.password>
      </properties>
    </project>
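As an added example (not the detector's own implementation, and not code from Apache Maven), the following Python script shows the check this detector performs: it walks a pom.xml, picks out elements whose name looks credential-like, and reports those whose value is neither a Maven-encrypted `{...}` block nor a `${...}` property reference. It goes slightly beyond the page's example by also catching a clear-text `<password>` inside a plugin `<configuration>` block. The element-name heuristic, the `SAMPLE_POM` document and the ciphertext-looking value in it are constructed for this example.

```python
"""Flag clear-text credential values in a Maven pom.xml (added example, heuristic)."""
import re
import sys
import xml.etree.ElementTree as ET

# Element names that suggest a credential. Constructed heuristic, not the detector's rule set.
SENSITIVE_NAME = re.compile(r"password|passwd|pwd|secret|token", re.IGNORECASE)
# Maven's encrypted form wraps the ciphertext in braces, e.g. {COQLCE6DU6GtcS5P=};
# Maven ignores text outside the braces, so we search rather than full-match.
ENCRYPTED_FORM = re.compile(r"\{[A-Za-z0-9+/=]+\}")
# A property reference such as ${database.password} is a substitution, not a value.
PROPERTY_REF = re.compile(r"^\$\{[^}]+\}$")

# Constructed sample pom.xml: one leaked property, one encrypted value, one property
# reference, and a clear-text password inside a plugin configuration.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <database.user>app</database.user>
    <database.password>P4zzw0rk leaked!</database.password>
    <backup.password>{C0nstructedCiphertextValue=}</backup.password>
    <api.token>${env.API_TOKEN}</api.token>
  </properties>
  <build>
    <plugins>
      <plugin>
        <artifactId>example-db-plugin</artifactId>
        <configuration>
          <password>hunter2</password>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
"""


def _local_name(tag):
    """Drop the POM namespace prefix, e.g. '{http://maven.apache.org/POM/4.0.0}password'."""
    return tag.rsplit("}", 1)[-1]


def is_encrypted(value):
    """True when the value carries a Maven-encrypted password block."""
    return ENCRYPTED_FORM.search(value) is not None


def find_cleartext_credentials(pom_xml):
    """Return (element name, value) pairs for credential-looking elements whose
    value is neither Maven-encrypted nor a ${...} property reference."""
    root = ET.fromstring(pom_xml)
    findings = []
    for element in root.iter():
        name = _local_name(element.tag)
        if not SENSITIVE_NAME.search(name):
            continue
        value = (element.text or "").strip()
        if not value or PROPERTY_REF.match(value) or is_encrypted(value):
            continue
        findings.append((name, value))
    return findings


def main(argv):
    """Scan the pom.xml given on the command line, or the sample; exit 1 on findings."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            pom_xml = handle.read()
    else:
        pom_xml = SAMPLE_POM
    findings = find_cleartext_credentials(pom_xml)
    for name, value in findings:
        # Report the element and length only, so the scanner's output does not re-leak the value.
        print(f"clear-text credential in <{name}> ({len(value)} chars)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_pom.py path/to/pom.xml` (or with no argument to scan the embedded sample). The non-zero exit status makes it usable as a pre-commit or CI gate; the output deliberately prints only the element name and value length, since a scanner that echoes the secret into build logs just widens the exposure.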
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s).
- Check the target system logs for unintended accesses during the exposure window, when possible.
- Replace the leaked password with the new, renewed password in encrypted form. You may follow the guidelines from Maven Password Encryption.