1. Home
  2. CWE Database
  3. CWE-526
Variant · Low-Medium

CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable

The product uses an environment variable to store unencrypted sensitive information.

CWE-526 · Variant Level ·3 CVEs ·2 Mitigations

Description

The product uses an environment variable to store unencrypted sensitive information.

Information stored in an environment variable can be accessible by other processes with the execution context, including child processes that dependencies are executed in, or serverless functions in cloud environments. An environment variable's contents can also be inserted into messages, headers, log files, or other outputs. Often these other dependencies have no need to use the environment variable in question. A weakness that discloses environment variables could expose this information.

Potential Impact

Confidentiality

Read Application Data

Mitigations & Prevention

Architecture and Design

Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to w

Implementation

If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2022-43691CMS shows sensitive server-side information from environment variables when run in Debug mode.
CVE-2022-27195Plugin for an automation server inserts environment variable contents into build XML files.
CVE-2022-25264CI/CD tool logs environment variables related to passwords add Contribution to content history.

CWE-312: Cleartext Storage of Sensitive Information

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphe...

CWE-214: Invocation of Process Using Visible Sensitive Information

A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by...

Taxonomy Mappings

  • Software Fault Patterns: SFP23 — Exposed Data

Frequently Asked Questions

What is CWE-526?

CWE-526 (Cleartext Storage of Sensitive Information in an Environment Variable) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product uses an environment variable to store unencrypted sensitive information.

How can CWE-526 be exploited?

Attackers can exploit CWE-526 (Cleartext Storage of Sensitive Information in an Environment Variable) to read application data. This weakness is typically introduced during the Architecture and Design, Implementation, Operation phase of software development.

How do I prevent CWE-526?

Key mitigations include: Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of th

What is the severity of CWE-526?

CWE-526 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 3 real-world CVEs.