CWE-214: Invocation of Process Using Visible Sensitive Information
A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.
Extended Description
Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources.
Technical Details
- Structure: Simple
- Applicable To: Not Language-Specific
Security Consequences
- Scope: Confidentiality
- Impact: Read Application Data
Mitigation Strategies
No mitigation information available for this CWE.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
In the example below, the password for a keystore file is read from a system property.
If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.
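The demonstrative code itself is not reproduced here. As an added example (not MITRE's demonstrative code), the following Python helpers flag credentials placed on a command line, including the -D system-property form described above, and invoke a child process with the secret handed over stdin so that neither argv nor the environment carries it; the token patterns and function names are constructed for this example.

```python
import re
import subprocess
import sys
from typing import Iterable, List

# Constructed patterns for argv tokens that commonly carry credentials, e.g.
# "-Djavax.net.ssl.keyStorePassword=..." or "--password <value>". This list
# is an assumption for the example; extend it to match your own conventions.
SENSITIVE_KEY = re.compile(
    r"^(?:-D)?[\w.]*(?:pass(?:word|wd)?|secret|token|api[_-]?key)\s*=",
    re.IGNORECASE,
)
SENSITIVE_FLAG = re.compile(r"^-{1,2}(?:p|password|passwd|token|secret)$", re.IGNORECASE)


def find_exposed_secrets(argv: Iterable[str]) -> List[str]:
    """Return the argv tokens that would expose a credential in `ps` output.

    Review launch scripts with it, or call it before spawning a process so a
    credential never reaches the command line in the first place.
    """
    argv = list(argv)
    hits: List[str] = []
    for i, tok in enumerate(argv):
        if SENSITIVE_KEY.match(tok):
            hits.append(tok)  # key=value form, e.g. -Dfoo.password=...
        elif SENSITIVE_FLAG.match(tok) and i + 1 < len(argv):
            hits.append(f"{tok} {argv[i + 1]}")  # flag followed by its value
    return hits


def run_with_secret_on_stdin(cmd: List[str], secret: str) -> str:
    """Run cmd, delivering the secret over stdin instead of argv or the environment.

    Data written to a pipe is not shown by `ps`, /proc/<pid>/cmdline or
    /proc/<pid>/environ, so other users on the host cannot read it that way.
    """
    if find_exposed_secrets(cmd):
        # Do not echo cmd here: that would copy the credential into logs.
        raise ValueError("refusing to launch: credential present on the command line")
    proc = subprocess.run(cmd, input=secret, capture_output=True, text=True, check=True)
    return proc.stdout


def demo_stdin_handoff(secret: str) -> int:
    """Child reads the secret from stdin; its argv holds only the interpreter and a script."""
    child = [sys.executable, "-c", "import sys; print(len(sys.stdin.read()))"]
    return int(run_with_secret_on_stdin(child, secret).strip())
```

The same stdin hand-off works for any tool that can read a password from standard input or a file descriptor; where a tool only accepts a file, write it with mode 0600 rather than putting the value on the command line.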
Observed CVE Examples (7)
- Username/password on command line allows local users to view via "ps" or other process listing programs.
- Username/password on command line allows local users to view via "ps" or other process listing programs.
- Kernel race condition allows reading of environment variables of a process that is still spawning.
- Code analysis product passes access tokens as a command-line parameter or through an environment variable, making them visible to other processes via the ps command.
CWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-214: Invocation of Process Using Visible Sensitive Information?
CWE-214: Invocation of Process Using Visible Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources.
What are the security consequences of Invocation of Process Using Visible Sensitive Information?
If exploited, CWE-214 (Invocation of Process Using Visible Sensitive Information) can compromise Confidentiality, leading to outcomes such as Read Application Data.
Which programming languages are affected by Invocation of Process Using Visible Sensitive Information?
CWE-214 is classed as Not Language-Specific. Weaknesses of this kind are language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Invocation of Process Using Visible Sensitive Information?
MITRE documents real CVEs mapped to CWE-214, including CVE-2005-1387, CVE-2005-2291, CVE-2001-1565, CVE-2004-1948 and CVE-1999-1270. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?
A CWE (Common Weakness Enumeration) like CWE-214 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.