Summary:
I've stumbled upon a github repository used by the US Navy SPAWAR.
It is unclear if this repository is currently in use, however it has credentials that appear to be for administrative users. I cannot tell if these credentials are only used for testing, and I apologize if that's the case. I just stumbled upon them and thought they warranted reporting.
Description:
The entire repository is littered with credentials. A list of some of the files containing passwords:
https://github.com/sscpac/swif/blob/0b882444b8dbfbf88716b369b473781c3a030d17/core/src/main/resources/ldif-files/swif_users_groups_roles.ldif
Search for the userPassword attribute
https://github.com/sscpac/swif/blob/0b882444b8dbfbf88716b369b473781c3a030d17/services/src/main/resources/swif-production.properties
cn=manager,dc=swif2,dc=sd,dc=spawar,dc=navy,dc=mil
Impact
Step-by-step Reproduction Instructions
Use the passwords identified in the source files linked above.
Product, Version, and Configuration (If applicable)
n/a
Suggested Mitigation/Remediation Actions
Remove plaintext passwords
Impact
If the administrative credentials are in use by SPARWAR, complete administrative access to all systems, degrading any confidentiality integrity or availability of the system.
Summary:
I've stumbled upon a github repository used by the US Navy SPAWAR.
It is unclear if this repository is currently in use, however it has credentials that appear to be for administrative users. I cannot tell if these credentials are only used for testing, and I apologize if that's the case. I just stumbled upon them and thought they warranted reporting.
Description:
The entire repository is littered with credentials. A list of some of the files containing passwords:
https://github.com/sscpac/swif/blob/0b882444b8dbfbf88716b369b473781c3a030d17/core/src/main/resources/ldif-files/swif_users_groups_roles.ldif
Search for the userPassword attribute
https://github.com/sscpac/swif/blob/0b882444b8dbfbf88716b369b473781c3a030d17/services/src/main/resources/swif-production.properties
cn=manager,dc=swif2,dc=sd,dc=spawar,dc=navy,dc=mil
Impact
Step-by-step Reproduction Instructions
Use the passwords identified in the source files linked above.
Product, Version, and Configuration (If applicable)
n/a
Suggested Mitigation/Remediation Actions
Remove plaintext passwords
Impact
If the administrative credentials are in use by SPARWAR, complete administrative access to all systems, degrading any confidentiality integrity or availability of the system.