CWE-214 通过处理环境导致的信息暴露

Information Exposure Through Process Environment

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

A process is invoked with sensitive arguments, environment variables, or other elements that can be seen by other processes on the operating system.

扩展描述

Many operating systems allow a user to list information about processes that are owned by other users. This information could include command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 200 cwe_View_ID: 699 cwe_Ordinal: Primary

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Confidentiality Read Application Data

示例代码

In the example below, the password for a keystore file is read from a system property.

bad Java

String keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");
if (keystorePass == null) {
System.err.println("ERROR: Keystore password not specified.");
System.exit(-1);
}

...

If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.

分析过的案例

标识 说明 链接
CVE-2005-1387 password passed on command line https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1387
CVE-2005-2291 password passed on command line https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2291
CVE-2001-1565 username/password on command line allows local users to view via "ps" or other process listing programs https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1565
CVE-2004-1948 Username/password on command line allows local users to view via "ps" or other process listing programs. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1948
CVE-1999-1270 PGP passphrase provided as command line argument. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1270
CVE-2004-1058 Kernel race condition allows reading of environment variables of a process that is still spawning. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1058

Notes

分类映射

映射的分类名 ImNode ID Fit Mapped Node Name
PLOVER Process information infoleak to other processes
Software Fault Patterns SFP23 Exposed Data