2021年12月16日16:31:11评论91 views字数 2143阅读7分8秒阅读模式

CWE-214 通过处理环境导致的信息暴露

Information Exposure Through Process Environment

结构: Simple

Abstraction: Variant

状态: Incomplete

被利用可能性: unkown

基本描述

A process is invoked with sensitive arguments, environment variables, or other elements that can be seen by other processes on the operating system.

扩展描述

Many operating systems allow a user to list information about processes that are owned by other users. This information could include command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources.

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围	影响	注释
Confidentiality	Read Application Data

示例代码

例

In the example below, the password for a keystore file is read from a system property.

bad Java

String keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");
if (keystorePass == null) {

System.err.println("ERROR: Keystore password not specified.");
System.exit(-1);

}

...

If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.

分析过的案例

标识	说明	链接
CVE-2005-1387	password passed on command line	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1387
CVE-2005-2291	password passed on command line	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2291
CVE-2001-1565	username/password on command line allows local users to view via "ps" or other process listing programs	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1565
CVE-2004-1948	Username/password on command line allows local users to view via "ps" or other process listing programs.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1948
CVE-1999-1270	PGP passphrase provided as command line argument.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1270
CVE-2004-1058	Kernel race condition allows reading of environment variables of a process that is still spawning.	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1058

Notes

分类映射

映射的分类名	ImNode ID	Fit	Mapped Node Name
PLOVER			Process information infoleak to other processes
Software Fault Patterns	SFP23		Exposed Data

文章来源于互联网:scap中文网

免责声明:文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由读者承担全部法律及连带责任，本站不承担任何法律及连带责任；如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截，联系方式见首页)，望知悉。

左青龙
微信扫一扫

右白虎
微信扫一扫

CWE-214 通过处理环境导致的信息暴露

CWE-214 通过处理环境导致的信息暴露

Information Exposure Through Process Environment

基本描述

扩展描述

相关缺陷

适用平台

常见的影响

示例代码

例

分析过的案例

Notes

分类映射

View-999: Weaknesses without Software Fault Patterns

View-884: CWE Cross-section

View-868: Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version)

View-844: Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)

View-809: Weaknesses in OWASP Top Ten (2010)

View-800: Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

View-750: Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors

View-734: Weaknesses Addressed by the CERT C Secure Coding Standard (2008)

View-711: Weaknesses in OWASP Top Ten (2004)

View-709: Named Chains

发表评论

在线咨询

微信