2021年12月16日16:31:11评论88 views字数 2143阅读7分8秒阅读模式

CWE-214 通过处理环境导致的信息暴露

Information Exposure Through Process Environment

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

A process is invoked with sensitive arguments, environment variables, or other elements that can be seen by other processes on the operating system.

扩展描述

Many operating systems allow a user to list information about processes that are owned by other users. This information could include command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources.

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
Confidentiality	Read Application Data

示例代码

例

In the example below, the password for a keystore file is read from a system property.

bad Java

String keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");
if (keystorePass == null) {

System.err.println("ERROR: Keystore password not specified.");
System.exit(-1);

}

...

If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.

分析过的案例

标识	说明	链接
CVE-2005-1387	password passed on command line	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1387
CVE-2005-2291	password passed on command line	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2291
CVE-2001-1565	username/password on command line allows local users to view via "ps" or other process listing programs	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1565
CVE-2004-1948	Username/password on command line allows local users to view via "ps" or other process listing programs.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1948
CVE-1999-1270	PGP passphrase provided as command line argument.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1270
CVE-2004-1058	Kernel race condition allows reading of environment variables of a process that is still spawning.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1058

Notes

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Process information infoleak to other processes
Software Fault Patterns	SFP23		Exposed Data

文章来源于互联网:scap中文网

左青龙
微信扫一扫

右白虎
微信扫一扫

CWE-214 通过处理环境导致的信息暴露

CWE-214 通过处理环境导致的信息暴露

Information Exposure Through Process Environment

基本描述

扩展描述

相关缺陷

适用平台

常见的影响

示例代码

例

分析过的案例

Notes

分类映射

View-999: Weaknesses without Software Fault Patterns

View-884: CWE Cross-section

View-868: Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version)

View-844: Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)

View-809: Weaknesses in OWASP Top Ten (2010)

View-800: Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

View-750: Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors

View-734: Weaknesses Addressed by the CERT C Secure Coding Standard (2008)

View-711: Weaknesses in OWASP Top Ten (2004)

View-709: Named Chains

发表评论

在线咨询

微信