CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable

VariantIncomplete

The product uses an environment variable to store unencrypted sensitive information.

View on MITRE
Back to CWE Lookup

Extended Description

Information stored in an environment variable can be accessible by other processes with the execution context, including child processes that dependencies are executed in, or serverless functions in cloud environments. An environment variable's contents can also be inserted into messages, headers, log files, or other outputs. Often these other dependencies have no need to use the environment variable in question. A weakness that discloses environment variables could expose this information.

Technical Details

Structure
Simple

Applicable To

Languages
Platforms

Learn More

Find Related CVEs

Search for vulnerabilities that exploit CWE-526

CVE vs CWE: What's the Difference?

Understanding vulnerabilities vs weaknesses

Understanding CVSS Scoring

How vulnerability severity is measured

View Full MITRE Entry

Complete technical details and references