CWE-214: Invocation of Process Using Visible Sensitive Information
Description
A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.
Submission Date :
July 19, 2006, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
MITRE
Extended Description
Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources.
Example - 1
In the example below, the password for a keystore file is read from a system property.
System.err.println("ERROR: Keystore password not specified.");System.exit(-1);
String keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");if (keystorePass == null) {}...
If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.