CWE-214: Invocation of Process Using Visible Sensitive Information

Description

A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.

Submission Date:

July 19, 2006, midnight

Modification Date:

2023-06-29 00:00:00+00:00

Organization:

MITRE

Extended Description

Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources.

Example Vulnerable Codes

Example - 1

In the example below, the password for a keystore file is read from a system property.

    String keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");
    if (keystorePass == null) {
        System.err.println("ERROR: Keystore password not specified.");
        System.exit(-1);
    }
    ...

If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.
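The exposure described above can be checked for from the defender's side by reading each process's command line the same way other users can. The following is an added example, not code from the CWE entry: it parses the NUL-separated /proc/<pid>/cmdline format used on Linux and flags arguments whose name looks like a credential. The list of sensitive name fragments and the sample command line are constructed assumptions; only javax.net.ssl.keyStorePassword comes from the entry.

```python
import os
import re

# Name fragments treated as sensitive (assumed list; only
# javax.net.ssl.keyStorePassword is taken from the CWE example).
SENSITIVE = re.compile(r"password|passwd|pwd|secret|token|api[_-]?key", re.I)

# Constructed sample in /proc/<pid>/cmdline form (NUL-separated, NUL-terminated).
SAMPLE_CMDLINE = (b"java\0-Djavax.net.ssl.keyStore=/etc/app/keystore.jks\0"
                  b"-Djavax.net.ssl.keyStorePassword=hunter2\0-jar\0app.jar\0")

def parse_cmdline(raw: bytes) -> list[str]:
    """Split a /proc/<pid>/cmdline byte string into its arguments."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def mask(value: str) -> str:
    """Keep the first character so a finding is recognisable without logging the secret."""
    return value[:1] + "*" * (len(value) - 1)

def find_exposed_secrets(args: list[str]) -> list[tuple[str, str]]:
    """Return (argument name, masked value) for arguments whose name looks like
    a credential. Handles '-Dname=value', '--name=value' and '--name value'."""
    findings, i = [], 0
    while i < len(args):
        name, has_eq, value = args[i].partition("=")
        if SENSITIVE.search(name):
            if has_eq:
                findings.append((name, mask(value)))
            elif i + 1 < len(args) and not args[i + 1].startswith("-"):
                findings.append((name, mask(args[i + 1])))
                i += 1  # the value was consumed as a separate argument
        i += 1
    return findings

def audit_running_processes() -> dict[int, list[tuple[str, str]]]:
    """Scan every readable /proc/<pid>/cmdline on Linux; returns pid -> findings."""
    results = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                hits = find_exposed_secrets(parse_cmdline(fh.read()))
        except OSError:
            continue  # process exited or its cmdline is not readable
        if hits:
            results[int(entry)] = hits
    return results

if __name__ == "__main__":
    print(find_exposed_secrets(parse_cmdline(SAMPLE_CMDLINE)))
    for pid, hits in audit_running_processes().items():
        print(pid, hits)
```

Any hit is a credential that every local user able to list processes can read; the fix is to pass the secret through a file with restricted permissions or a prompt rather than the command line.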

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of related items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.