CWE-526 18 個 CVE MITRE 定義 ↗

CWE-526:Cleartext Storage of Sensitive Information in an Environment Variable

概覽

CWE-526(Cleartext Storage of Sensitive Information in an Environment Variable)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product uses an environment variable to store unencrypted sensitive information.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-49377 2026-05-29 In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters
CVE-2026-45370 2026-05-14 python-utcp is the python implementation of UTCP. Prior to 1.1.3, _prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with C…
CVE-2026-40153 2026-04-09 PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementin…
CVE-2025-36105 2026-03-10 IBM Planning Analytics Advanced Certified Containers 3.1.0 through 3.1.4 could allow a local privileged user to obtain sensitive information from environment variables.
CVE-2025-27899 2026-02-17 IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 discloses sensitive information in an environment variable that could aid in further attacks against the system.
CVE-2025-36017 2025-12-08 IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 stores unencrypted sensitive information in environmental variables files which can be obtained by an authentic…
CVE-2025-9162 2025-08-21 A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment v…
CVE-2025-28381 2025-06-13 A credential leak in OpenC3 COSMOS before v6.0.2 allows attackers to access service credentials as environment variables stored in all containers.
CVE-2023-43029 2025-03-21 IBM Storage Virtualize vSphere Remote Plug-in 1.0 and 1.1 could allow a remote user to obtain sensitive credential information after deployment.
CVE-2024-12604 2025-03-10 Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Rec…
CVE-2025-0985 2025-02-28 IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD stores potentially sensitive information in environment variables that could be obtained by a local user.
CVE-2024-11736 2025-01-14 A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout U…
CVE-2024-4369 2024-04-30 An information disclosure flaw was found in OpenShift's internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is l…
CVE-2024-2700 2024-04-04 A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting applic…
CVE-2023-5720 2023-11-15 A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access …
CVE-2023-47615 2023-11-09 A CWE-526: Exposure of Sensitive Information Through Environmental Variables vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81,…
CVE-2023-35931 2023-06-23 Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1.
CVE-2014-2377 2014-09-15 Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

曾用名

  • Information Leak Through Environmental Variables (2011-03-29)
  • Information Exposure Through Environmental Variables (2020-02-24)
  • Exposure of Sensitive Information Through Environmental Variables (2023-01-31)

內容提交

名稱
CWE Community
日期
2006-07-19
版本
Draft 3
評論
Submitted by members of the CWE community to extend early CWE versions

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Potential_Mitigations, Time_of_Introduction
2008-09-08 CWE Content Team 1.0 updated Relationships
2009-03-10 CWE Content Team 1.3 updated Relationships
2011-03-29 CWE Content Team 1.12 updated Name
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11 CWE Content Team 2.2 updated Relationships, Taxonomy_Mappings
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2020-02-24 CWE Content Team 4.0 updated Name, Relationships
2021-10-28 CWE Content Team 4.6 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Description, Name, Observed_Examples, Potential_Mitigations, References, Relationships
2023-04-27 CWE Content Team 4.11 updated Detection_Factors, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities

貢獻

類型 名稱 日期 評論
Content Drew Buttner 2023-01-11 Suggested improvements to name, description, relationships, and mitigations
cvelogic Threat Intelligence