CWE-526 Variante Incomplet

Cleartext Storage of Sensitive Information in an Environment Variable

This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment variable.

Définition

What is CWE-526?

This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment variable.
Storing secrets in plain text within environment variables creates a broad attack surface. Many other processes within the same execution context can access these values, including child processes spawned by your application, third-party dependencies, and adjacent functions in serverless cloud environments. Since these components often don't actually need the secret, this practice unnecessarily exposes it. Furthermore, environment variable data can easily leak into unintended locations. Application code or logging libraries might inadvertently include these values in error messages, HTTP headers, debug outputs, or log files. This indirect exposure means that even if you don't directly read the variable in your core logic, a separate weakness elsewhere in your application stack could still disclose it.
Impact réel

Real-world CVEs caused by CWE-526

  • CVE-2022-43691

    CMS shows sensitive server-side information from environment variables when run in Debug mode.

  • CVE-2022-27195

    Plugin for an automation server inserts environment variable contents into build XML files.

  • CVE-2022-25264

    CI/CD tool logs environment variables related to passwords add Contribution to content history.

Comment les attaquants l'exploitent

Parcours de l'attaquant étape par étape

  1. 1

    Identifier un chemin de code qui traite des entrées non fiables sans validation.

  2. 2

    Élaborer une charge utile qui exploite le comportement non sécurisé — injection, traversal, débordement ou abus de logique.

  3. 3

    Délivrer la charge utile via une requête normale et observer la réaction de l'application.

  4. 4

    Itérer jusqu'à ce que la réponse divulgue des données, exécute le code de l'attaquant ou élève les privilèges.

Exemple de code vulnérable

Vulnerable pseudo

MITRE n'a pas publié d'exemple de code pour ce CWE. Le motif ci-dessous est illustratif — voir Ressources pour les références canoniques.

Vulnérable pseudo 
// Example pattern — see MITRE for the canonical references.
function handleRequest(input) {
  // Untrusted input flows directly into the sensitive sink.
  return executeUnsafe(input);
}
Exemple de code sécurisé

Secure pseudo

Sécurisé pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention

How to prevent CWE-526

  • Architecture and Design Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to weaknesses such as CWE-214. In some settings, vaults might be a feasible option for safer data transfer. Users should be notified of the business choice made to not protect the sensitive information through encryption.
  • Implementation If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value.
Signaux de détection

How to detect CWE-526

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Correction automatique Plexicus

Plexicus détecte automatiquement CWE-526 et ouvre une PR de correction en moins de 60 secondes.

Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.

Obtenir une démo Essayer Plexicus gratuitement
Questions fréquentes

Frequently asked questions

Qu'est-ce que CWE-526 ?

This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment variable.

Quelle est la gravité de CWE-526 ?

MITRE n'a pas publié de note de probabilité d'exploitation pour cette faiblesse. Traitez-la comme un impact moyen jusqu'à ce que votre modèle de menace prouve le contraire.

Quels langages ou plateformes sont affectés par CWE-526 ?

MITRE n'a pas spécifié les plateformes affectées pour ce CWE — il peut s'appliquer à la plupart des stacks applicatives.

Comment puis-je prévenir CWE-526 ?

Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to…

Comment Plexicus détecte et corrige CWE-526 ?

Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-526 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.

Où puis-je en savoir plus sur CWE-526 ?

MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/526.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.

Faiblesses associées

Weaknesses related to CWE-526

CWE-312 Parent

Cleartext Storage of Sensitive Information

This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain…

CWE-313 Frère

Cleartext Storage in a File or on Disk

This vulnerability occurs when an application writes sensitive data, such as passwords or personal information, directly to a file or disk…

CWE-314 Frère

Cleartext Storage in the Registry

This vulnerability occurs when an application saves sensitive data, like passwords or keys, as plain text in the Windows Registry.

CWE-315 Frère

Cleartext Storage of Sensitive Information in a Cookie

This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie…

CWE-316 Frère

Cleartext Storage of Sensitive Information in Memory

This vulnerability occurs when an application stores sensitive data, such as passwords or encryption keys, in memory without any form of…

CWE-317 Frère

Cleartext Storage of Sensitive Information in GUI

This vulnerability occurs when an application stores sensitive data, such as passwords or personal information, in plain text within its…

CWE-318 Frère

Cleartext Storage of Sensitive Information in Executable

This vulnerability occurs when an application embeds sensitive information, like passwords or keys, directly within its executable code…

CWE-214 Pair

Invocation of Process Using Visible Sensitive Information

This vulnerability occurs when a process is started with sensitive data, such as passwords or API keys, passed directly in its…

Ressources

Further reading

Prêt quand vous l'êtes

Arrêtez de payer par développeur.
Commencez à fermer la boucle.

Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.

Commencer gratuitement Réserver une démo