A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.
View on MITREMany operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources.
No mitigation information available for this CWE.
No detection method information available for this CWE.
In the example below, the password for a keystore file is read from a system property.
If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.
username/password on command line allows local users to view via "ps" or other process listing programs
View DetailsUsername/password on command line allows local users to view via "ps" or other process listing programs.
View DetailsKernel race condition allows reading of environment variables of a process that is still spawning.
View DetailsCode analysis product passes access tokens as a command-line parameter or through an environment variable, making them visible to other processes via the ps command.
View DetailsNo relationship information available for this CWE.
CWE-214: Invocation of Process Using Visible Sensitive Information is a Common Weakness Enumeration (CWE) entry maintained by MITRE. A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources.
If exploited, CWE-214 (Invocation of Process Using Visible Sensitive Information) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
CWE-214 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-214, including CVE-2005-1387, CVE-2005-2291, CVE-2001-1565, CVE-2004-1948 and CVE-1999-1270. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-214 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.