CWE-214: Invocation of Process Using Visible Sensitive Information

Description

A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources.

Example Vulnerable Codes

Example - 1

In the example below, the password for a keystore file is read from a system property.



System.err.println("ERROR: Keystore password not specified.");System.exit(-1);
String keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");if (keystorePass == null) {}...

If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.

© cvefeed.io
Latest DB Update: Nov. 21, 2024 22:22