Description
Summary:
I've stumbled upon a github repository used by the US Navy SPAWAR.
It is unclear if this repository is currently in use; however, it has credentials that appear to be for administrative users. I cannot tell if these credentials are only used for testing, and I apologize if that's the case. I just stumbled upon them and thought they warranted reporting.
Description:
The entire repository is littered with credentials. A list of some of the files containing passwords:
https://github.com/sscpac/swif/blob/0b882444b8dbfbf88716b369b473781c3a030d17/core/src/main/resources/ldif-files/swif_users_groups_roles.ldif
Search for the userPassword attribute
https://github.com/sscpac/swif/blob/0b882444b8dbfbf88716b369b473781c3a030d17/services/src/main/resources/swif-production.properties
cn=manager,dc=swif2,dc=sd,dc=spawar,dc=navy,dc=mil
Step-by-step Reproduction Instructions
Use the passwords identified in the source files linked above.
Product, Version, and Configuration (If applicable)
n/a
Suggested Mitigation/Remediation Actions
Remove plaintext passwords
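The two file kinds named in this report (LDIF files carrying userPassword attributes and Java .properties files carrying bind passwords) are easy to catch before commit. The following is an added example, not code from the sscpac/swif repository or from SPAWAR: a small scanner that flags userPassword attributes in .ldif files (cleartext, base64-encoded, or {SCHEME}-hashed) and secret-looking keys with literal values in .properties files, while accepting deployment-time placeholders such as ${DB_PASSWORD} as the remediated form. All file names, keys and values below are constructed.

```python
"""Added example (not from the sscpac/swif repository): a small secret scanner for
LDIF userPassword attributes and password-like keys in Java .properties files.
All sample content below is constructed; file and key names are hypothetical."""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# LDIF attribute line: "userPassword: value" (cleartext or hashed) or "userPassword:: b64" (base64).
LDIF_PASSWORD_RE = re.compile(r"^userPassword(::?)\s*(.*)$", re.IGNORECASE)
# RFC 2307 style scheme prefix on a stored password, e.g. {SSHA}, {CRYPT}, {MD5}.
HASH_SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")
# Java .properties entry whose key looks like a secret and whose value is non-empty.
PROPERTIES_SECRET_RE = re.compile(
    r"^\s*([\w.\-]*(?:password|passwd|secret|credential)[\w.\-]*)\s*[=:]\s*(\S.*)$",
    re.IGNORECASE,
)
# Values that are resolved at deploy time rather than committed secrets: ${VAR} or <VAR>.
PLACEHOLDER_RE = re.compile(r"^(\$\{[^}]+\}|<[^>]+>)\s*$")


def classify_ldif_value(sep: str, value: str) -> str:
    """Return 'cleartext', 'hashed' or 'base64-undecodable'. The value itself is never stored."""
    if sep == "::":
        try:
            value = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return "base64-undecodable"
    return "hashed" if HASH_SCHEME_RE.match(value) else "cleartext"


def scan_ldif(text: str) -> list[dict]:
    """Report every userPassword attribute with its line number and kind (no values echoed)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LDIF_PASSWORD_RE.match(line)
        if m:
            findings.append({"line": lineno, "kind": classify_ldif_value(m.group(1), m.group(2).strip())})
    return findings


def scan_properties(text: str) -> list[dict]:
    """Report secret-looking keys that carry a literal (non-placeholder) value; comments are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "!")):
            continue
        m = PROPERTIES_SECRET_RE.match(line)
        if m and not PLACEHOLDER_RE.match(m.group(2)):
            findings.append({"line": lineno, "key": m.group(1)})
    return findings


SCANNERS = {".ldif": scan_ldif, ".properties": scan_properties}


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Walk a checkout and return {relative path: findings} for every file that has any."""
    results = {}
    for path in sorted(root.rglob("*")):
        scanner = SCANNERS.get(path.suffix.lower())
        if scanner and path.is_file():
            findings = scanner(path.read_text(encoding="utf-8", errors="replace"))
            if findings:
                results[path.relative_to(root).as_posix()] = findings
    return results


# Constructed sample files (hypothetical names and values, not the repository's content).
SAMPLE_LDIF = "\n".join([
    "dn: uid=admin,ou=people,dc=example,dc=test",
    "objectClass: inetOrgPerson",
    "uid: admin",
    "userPassword: CONSTRUCTED-cleartext-example",                      # line 4: cleartext
    "userPassword:: " + base64.b64encode(b"CONSTRUCTED-encoded").decode(),  # line 5: base64 of cleartext
    "userPassword: {SSHA}CONSTRUCTEDhashvalue",                          # line 6: hashed
]) + "\n"
SAMPLE_PROPERTIES = "\n".join([
    "# constructed example, not a real configuration file",
    "ldap.url=ldap://ldap.example.test:389",
    "ldap.bind.dn=cn=manager,dc=example,dc=test",
    "ldap.bind.password=CONSTRUCTED-bind-secret",   # line 4: literal secret, flagged
    "db.password=${DB_PASSWORD}",                    # line 5: remediated form, resolved from the environment
    "api.secret=",                                   # line 6: empty, not flagged
]) + "\n"


def demo() -> dict[str, list[dict]]:
    """Write the samples into a temporary tree and scan it, as a pre-commit or CI hook would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "core" / "ldif").mkdir(parents=True)
        (root / "services").mkdir()
        (root / "core" / "ldif" / "users.ldif").write_text(SAMPLE_LDIF)
        (root / "services" / "app.properties").write_text(SAMPLE_PROPERTIES)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings)
```

Findings carry only the line number, key and kind, so the scanner's output can go into a CI log without re-leaking the secret. Hashed userPassword values are reported too: a {SSHA} or {CRYPT} hash is still offline-crackable and should be generated on the directory server at provisioning time, not committed. The remediated properties entry is the ${DB_PASSWORD} form, which the scanner accepts because the real value is injected from the deployment environment.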
Impact
If the administrative credentials are in use by SPAWAR, complete administrative access to all systems, degrading any confidentiality, integrity, or availability of the system.