Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-214 (通过处理环境导致的信息暴露) — Vulnerability Class 15

15 vulnerabilities classified as CWE-214 (通过处理环境导致的信息暴露). AI Chinese analysis included.

CWE-214 represents a critical information exposure weakness where sensitive data is inadvertently passed to a new process via command-line arguments or environment variables. Because many operating systems permit users to inspect the process lists of other users, attackers can easily retrieve this visible information to extract credentials, tokens, or other confidential details. This vulnerability is typically exploited by monitoring active processes to harvest sensitive parameters that were intended to remain private within the application’s execution context. To mitigate this risk, developers should avoid embedding secrets in process invocations entirely. Instead, they must utilize secure mechanisms such as reading sensitive data from protected files, using dedicated secure memory buffers, or leveraging operating system-specific secure storage APIs that ensure data remains inaccessible to other processes and unauthorized users.

MITRE CWE Description
A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system. Many operating systems allow a user to list information about processes that are owned by other users. Other users could see information such as command line arguments or environment variable settings. When this data contains sensitive information such as credentials, it might allow other users to launch an attack against the product or related resources.
Common Consequences (1)
ConfidentialityRead Application Data
Examples (1)
In the example below, the password for a keystore file is read from a system property.
String keystorePass = System.getProperty("javax.net.ssl.keyStorePassword"); if (keystorePass == null) { System.err.println("ERROR: Keystore password not specified."); System.exit(-1); } ...
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2026-41357 OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends — OpenClaw 3.3 Low2026-04-23
CVE-2025-5452 AXIS OS 安全漏洞 — AXIS OS 6.6 Medium2025-11-11
CVE-2025-53860 F5OS-A FIPS HSM vulnerability — F5OS - Appliance 4.1 Medium2025-10-15
CVE-2025-1333 IBM MQ Operator information disclosure — MQ Operator 6.0 Medium2025-05-01
CVE-2025-32987 Arctera eDiscovery Platform 安全漏洞 — eDiscovery Platform 6.0 Medium2025-04-15
CVE-2024-28799 IBM QRadar Suite Software information disclosure — QRadar Suite Software 5.6 Medium2024-08-14
CVE-2024-39314 toy-blog administrative token leaked through the command line parameter — toy-blog 4.7 Medium2024-07-01
CVE-2024-4254 Secrets Exfiltration in gradio-app/gradio — gradio-app/gradio 6.5AIMediumAI2024-06-04
CVE-2024-1742 Information disclosure in mk_oracle Checkmk agent plugin — Checkmk 3.8 Low2024-03-22
CVE-2020-36771 CloudLinux CageFS 安全漏洞 — cagefs 7.8 -2024-01-22
CVE-2021-3859 Red Hat Undertow 资源管理错误漏洞 — undertow 7.5 -2022-08-26
CVE-2020-5422 UAA password may appear in BOSH System Metrics Server process arguments — BOSH System Metrics Server 6.5 -2020-10-02
CVE-2019-3869 Red Hat ansible-tower 信息泄露漏洞 — Tower 8.8 -2019-03-28
CVE-2018-17957 yast2-rmt leaks database passwords in process list — yast2-rmt 7.8 -2018-12-26
CVE-2018-16837 Ansible User模块信息泄露漏洞 — Ansible 7.1 -2018-10-23

Vulnerabilities classified as CWE-214 (通过处理环境导致的信息暴露) represent 15 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.