Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE Individual Dictionary Definition (2.11)

CWE-214: Information Exposure Through Process Environment

Weakness ID: 214
Abstraction: Variant
Status: Incomplete
+ Description

Description Summary

A process is invoked with sensitive arguments, environment variables, or other elements that can be seen by other processes on the operating system.

Extended Description

Many operating systems allow a user to list information about processes that are owned by other users. This information could include command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the software or related resources.

+ Time of Introduction
  • Architecture and Design
  • Implementation
  • Operation
+ Applicable Platforms



+ Common Consequences

Technical Impact: Read application data

+ Demonstrative Examples

Example 1

In the example below, the password for a keystore file is read from a system property.

(Bad Code)
Example Language: Java 
// The keystore password is taken from a JVM system property.
String keystorePass = System.getProperty("");
if (keystorePass == null) {
    System.err.println("ERROR: Keystore password not specified.");
}


If the property is defined on the command line when the program is invoked (using the -D... syntax), the password may be displayed in the OS process list.
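
The following audit sketch is an added example, not part of the CWE entry. It flags arguments in a process list that appear to carry a secret, such as the -D... form described above, and reports them redacted. The option-name pattern and the sample command line are assumptions constructed for illustration; /proc/<pid>/cmdline is the Linux interface that "ps" reads.

```python
import re
from pathlib import Path

# Assumed heuristic (not from the CWE entry): option names that usually carry a secret.
SECRET_NAME = re.compile(
    r"(password|passwd|passphrase|storepass|keypass|secret|token|api[-_]?key)", re.I)

def parse_cmdline(raw: bytes) -> list[str]:
    """Split the NUL-separated argv that Linux exposes in /proc/<pid>/cmdline."""
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]

def flag_secret_args(argv: list[str]) -> list[tuple[int, str]]:
    """Return (index, redacted form) for arguments that appear to carry a secret."""
    hits = []
    for i, arg in enumerate(argv):
        name, sep, value = arg.partition("=")
        # A *-file / *-path option only names where the secret lives; skip it.
        if not SECRET_NAME.search(name) or name.lower().endswith(("file", "path")):
            continue
        if sep and value:
            # -Dsome.password=value or --token=value
            hits.append((i, f"{name}=<redacted>"))
        elif (not sep and arg.startswith("-")
              and i + 1 < len(argv) and not argv[i + 1].startswith("-")):
            # --password VALUE: the secret is the following argument.
            hits.append((i, f"{arg} <redacted>"))
    return hits

def audit_proc(proc: Path = Path("/proc")) -> dict[int, list[tuple[int, str]]]:
    """Check every process visible to the current user; empty result off Linux."""
    findings = {}
    if not proc.is_dir():
        return findings
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            hits = flag_secret_args(parse_cmdline((entry / "cmdline").read_bytes()))
        except OSError:
            continue  # process exited or access is restricted
        if hits:
            findings[int(entry.name)] = hits
    return findings

if __name__ == "__main__":
    # Constructed sample, shaped like the -D... invocation described above.
    sample = b"java\0-Dexample.keystore.password=hunter2\0-jar\0app.jar\0"
    print(flag_secret_args(parse_cmdline(sample)))
    print(audit_proc())
```

Run as an unprivileged user, audit_proc() reports what any other local account could read from the same process list.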

+ Observed Examples
  • password passed on command line
  • password passed on command line
  • username/password on command line allows local users to view via "ps" or other process listing programs
  • Username/password on command line allows local users to view via "ps" or other process listing programs.
  • PGP passphrase provided as command line argument.
  • Kernel race condition allows reading of environment variables of a process that is still spawning.
+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 200 | Information Exposure | Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf | Category | 634 | Weaknesses that Affect System Processes | Resource-specific Weaknesses (primary) 631
ChildOf | Category | 963 | SFP Secondary Cluster: Exposed Data | Software Fault Pattern (SFP) Clusters (primary) 888
+ Research Gaps

Under-studied, especially environment variables.

+ Affected Resources
  • System Process
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Process information infoleak to other processes
Software Fault Patterns | SFP23 | | Exposed Data
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
 | PLOVER | | Externally Mined

Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Sean Eidemiller | Cigital | External
    added/updated demonstrative examples
2008-07-01 | Eric Dalci | Cigital | External
    updated Time_of_Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
    updated Relationships, Taxonomy_Mappings
2008-10-14 | CWE Content Team | MITRE | Internal
    updated Description, Other_Notes
2009-10-29 | CWE Content Team | MITRE | Internal
    updated Other_Notes
2011-03-29 | CWE Content Team | MITRE | Internal
    updated Name
2011-06-01 | CWE Content Team | MITRE | Internal
    updated Common_Consequences
2012-05-11 | CWE Content Team | MITRE | Internal
    updated Relationships
2012-10-30 | CWE Content Team | MITRE | Internal
    updated Potential_Mitigations
2014-07-30 | CWE Content Team | MITRE | Internal
    updated Demonstrative_Examples, Relationships, Taxonomy_Mappings

Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Process Information Leak to Other Processes
2011-03-29 | Process Environment Information Leak

Page Last Updated: May 05, 2017