Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CWE-526 Variante Incompleto
Cleartext Storage of Sensitive Information in an Environment Variable
This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment variable.
Definição
What is CWE-526?
This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment variable.
Storing secrets in plain text within environment variables creates a broad attack surface. Many other processes within the same execution context can access these values, including child processes spawned by your application, third-party dependencies, and adjacent functions in serverless cloud environments. Since these components often don't actually need the secret, this practice unnecessarily exposes it.
Furthermore, environment variable data can easily leak into unintended locations. Application code or logging libraries might inadvertently include these values in error messages, HTTP headers, debug outputs, or log files. This indirect exposure means that even if you don't directly read the variable in your core logic, a separate weakness elsewhere in your application stack could still disclose it.
Impacto no mundo real
Real-world CVEs caused by CWE-526
-
CMS shows sensitive server-side information from environment variables when run in Debug mode.
-
Plugin for an automation server inserts environment variable contents into build XML files.
-
CI/CD tool logs environment variables related to passwords add Contribution to content history.
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
Identificar um caminho de código que trata input não confiável sem validação.
- 2
Criar um payload que explora o comportamento inseguro — injeção, traversal, overflow ou abuso de lógica.
- 3
Entregar o payload através de um pedido normal e observar a reação da aplicação.
- 4
Iterar até que a resposta exponha dados, execute código do atacante ou escale privilégios.
Exemplo de código vulnerável
Vulnerable pseudo
A MITRE não publicou um exemplo de código para este CWE. O padrão abaixo é ilustrativo — consulte os Recursos para referências canónicas.
// Example pattern — see MITRE for the canonical references.
function handleRequest(input) {
// Untrusted input flows directly into the sensitive sink.
return executeUnsafe(input);
} Exemplo de código seguro
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-526
- Architecture and Design Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to weaknesses such as CWE-214. In some settings, vaults might be a feasible option for safer data transfer. Users should be notified of the business choice made to not protect the sensitive information through encryption.
- Implementation If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value.
Sinais de deteção
How to detect CWE-526
O Plexicus deteta automaticamente o CWE-526 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-526?
Qual a gravidade do CWE-526?
Que linguagens ou plataformas são afetadas pelo CWE-526?
Como posso prevenir o CWE-526?
Como é que o Plexicus deteta e corrige o CWE-526?
Onde posso saber mais sobre o CWE-526?
Frequently asked questions
O que é o CWE-526?
This vulnerability occurs when an application stores sensitive data, such as passwords or API keys, as plain text in an environment variable.
Qual a gravidade do CWE-526?
A MITRE não publicou uma classificação de probabilidade de exploração para esta fraqueza. Trate-a como impacto médio até o seu modelo de ameaças provar o contrário.
Que linguagens ou plataformas são afetadas pelo CWE-526?
A MITRE não especificou as plataformas afetadas por este CWE — pode aplicar-se à maioria das stacks de aplicações.
Como posso prevenir o CWE-526?
Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to…
Como é que o Plexicus deteta e corrige o CWE-526?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-526 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-526?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/526.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-526
CWE-312 Pai
Cleartext Storage of Sensitive Information
This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain…
CWE-313 Irmão
Cleartext Storage in a File or on Disk
This vulnerability occurs when an application writes sensitive data, such as passwords or personal information, directly to a file or disk…
CWE-314 Irmão
Cleartext Storage in the Registry
This vulnerability occurs when an application saves sensitive data, like passwords or keys, as plain text in the Windows Registry.
CWE-315 Irmão
Cleartext Storage of Sensitive Information in a Cookie
This vulnerability occurs when an application directly stores sensitive data, like session tokens or personal details, in a browser cookie…
CWE-316 Irmão
Cleartext Storage of Sensitive Information in Memory
This vulnerability occurs when an application stores sensitive data, such as passwords or encryption keys, in memory without any form of…
CWE-317 Irmão
Cleartext Storage of Sensitive Information in GUI
This vulnerability occurs when an application stores sensitive data, such as passwords or personal information, in plain text within its…
CWE-318 Irmão
Cleartext Storage of Sensitive Information in Executable
This vulnerability occurs when an application embeds sensitive information, like passwords or keys, directly within its executable code…
CWE-214 Par
Invocation of Process Using Visible Sensitive Information
This vulnerability occurs when a process is started with sensitive data, such as passwords or API keys, passed directly in its…
Recursos
Further reading
- MITRE — CWE-526 oficial https://cwe.mitre.org/data/definitions/526.html
- Analyzing the Hidden Danger of Environment Variables for Keeping Secrets https://www.trendmicro.com/en_us/research/22/h/analyzing-hidden-danger-of-environment-variables-for-keeping-secrets.html
- Using environment variables is security-sensitive https://sonarsource.atlassian.net/browse/RSPEC-5304
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.