What is the authoritative source for CWE-526?

Cleartext Storage of Sensitive Information in an Environment Variable (CWE-526) is catalogued in MITRE CWE and curated for EU compliance use cases by SQUR.

VariantIncomplete

CWE-526Cleartext Storage of Sensitive Information in an Environment Variable

Category: data-exposure

Description

The product uses an environment variable to store unencrypted sensitive information. Information stored in an environment variable can be accessible by other processes with the execution context, including child processes that dependencies are executed in, or serverless functions in cloud environments. An environment variable's contents can also be inserted into messages, headers, log files, or other outputs. Often these other dependencies have no need to use the environment variable in question. A weakness that discloses environment variables could expose this information.

Common consequences· 1

Confidentiality — Read Application Data

Potential mitigations· 2

[Architecture and Design]Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to weaknesses such as CWE-214. In some settings, vaults might be a feasible option for safer data transfer. Users should be notified of the business choice made to not protect the sensitive information through encryption.
[Implementation]If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value.