Information Exposure Through Process EnvironmentID: 214 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
A process is invoked with sensitive arguments, environment
variables, or other elements that can be seen by other processes on the
operating system.
Extended DescriptionMany operating systems allow a user to list information about processes
that are owned by other users. This information could include command line
arguments or environment variable settings. When this data contains
sensitive information such as credentials, it might allow other users to
launch an attack against the software or related resources.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Common Consequences
Scope | Technical Impact | Notes |
---|
Confidentiality | Read application
data | |
Detection MethodsNone
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
| | Compartmentalize your system to have "safe" areas where trust
boundaries can be unambiguously drawn. Do not allow sensitive data to go
outside of the trust boundary and always be careful when interfacing
with a compartment outside of the safe area. | | |
Relationships
Related CWE | Type | View | Chain |
---|
CWE-214 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the Java example below, the password for a keystore file is read
from a system property. If the property is defined on the command line when
the program is invoked (using the -D... syntax), the password may be
displayed in the OS process list.
Observed Examples
- CVE-2005-1387 : password passed on command line
- CVE-2005-2291 : password passed on command line
- CVE-2001-1565 : username/password on command line allows local users to view via "ps" or other process listing programs
- CVE-2004-1948 : Username/password on command line allows local users to view via "ps" or other process listing programs.
- CVE-1999-1270 : PGP passphrase provided as command line argument.
- CVE-2004-1058 : Kernel race condition allows reading of environment variables of a process that is still spawning.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
Taxynomy | Id | Name | Fit |
---|
PLOVER | | Process information infoleak to other
processes | |
References:None