CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable
The product uses an environment variable to store unencrypted sensitive information.
View on MITREExtended Description
Information stored in an environment variable can be accessible by other processes with the execution context, including child processes that dependencies are executed in, or serverless functions in cloud environments. An environment variable's contents can also be inserted into messages, headers, log files, or other outputs. Often these other dependencies have no need to use the environment variable in question. A weakness that discloses environment variables could expose this information.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
Mitigation Strategies
Phase
Description
Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to weaknesses such as CWE-214. In some settings, vaults might be a feasible option for safer data transfer. Users should be notified of the business choice made to not protect the sensitive information through encryption.
Phase
Description
If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Observed CVE Examples (3)
CMS shows sensitive server-side information from environment variables when run in Debug mode.
View DetailsPlugin for an automation server inserts environment variable contents into build XML files.
View DetailsCI/CD tool logs environment variables related to passwords add Contribution to content history.
View DetailsCWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable?+
CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses an environment variable to store unencrypted sensitive information. Information stored in an environment variable can be accessible by other processes with the execution context, including child processes that dependencies are executed in, or serverless functions in cloud environments. An environment variable's contents can also be inserted into messages, headers, log files, or other outputs. Often these other dependencies have no need to use the environment variable in question. A weakness that discloses environment variables could expose this information.
What are the security consequences of Cleartext Storage of Sensitive Information in an Environment Variable?+
If exploited, CWE-526 (Cleartext Storage of Sensitive Information in an Environment Variable) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
How do you prevent or mitigate Cleartext Storage of Sensitive Information in an Environment Variable?+
Recommended mitigations for CWE-526 include: Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to weaknesses such as CWE-214. In some settings, vaults might be a feasible option for safer data transfer. Users should be notified of the business choice made to not protect the sensitive information through encryption. If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value.
What are real-world examples of Cleartext Storage of Sensitive Information in an Environment Variable?+
MITRE documents real CVEs mapped to CWE-526, including CVE-2022-43691, CVE-2022-27195 and CVE-2022-25264. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-526 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.