CWE-215: Insertion of Sensitive Information Into Debugging Code
Weakness ID: 215
Version: v4.17
Weakness Name: Insertion of Sensitive Information Into Debugging Code
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Draft
▼Description

The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

▼Extended Description

When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the product is operating in a production environment, then this sensitive information may be exposed to attackers.

▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature    Mapping      Type   ID   Name
ChildOf   Discouraged  Class  200  Exposure of Sensitive Information to an Unauthorized Actor
ParentOf  Allowed      Base   489  Active Debug Code
▼Memberships
Nature    Mapping     Type      ID    Name
MemberOf  Prohibited  Category  199   Information Management Errors
MemberOf  Prohibited  Category  717   OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
MemberOf  Prohibited  Category  731   OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
MemberOf  Prohibited  Category  933   OWASP Top Ten 2013 Category A5 - Security Misconfiguration
MemberOf  Prohibited  Category  963   SFP Secondary Cluster: Exposed Data
MemberOf  Prohibited  Category  1417  Comprehensive Categorization: Sensitive Information Exposure
▼Tags
Nature    Mapping     Type      ID        Name
MemberOf  Prohibited  BOSSView  BOSS-280  Separation of Privilege Strategy
MemberOf  Prohibited  BOSSView  BOSS-294  Not Language-Specific Weaknesses
MemberOf  Prohibited  BOSSView  BOSS-328  Read Application Data (impact)
▼Relevant To View
Relevant to the view "Software Development - (699)"
Nature    Mapping     Type      ID   Name
MemberOf  Prohibited  Category  199  Information Management Errors

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature    Mapping     Type      ID   Name
MemberOf  Prohibited  Category  963  SFP Secondary Cluster: Exposed Data
▼Common Consequences
Scope: Confidentiality
Impact: Read Application Data
▼Potential Mitigations
Phase: Implementation
Description:

Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software.

Phase: Architecture and Design
Mitigation ID: MIT-46
Strategy: Separation of Privilege
Description:

Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.

Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

▼Modes Of Introduction
Phase: Implementation

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

The following program changes its behavior based on a debug flag.

Language: JSP (Bad code)

    <% if (Boolean.getBoolean("debugEnabled")) { %>
        User account number: <%= acctNo %>
    <% } %>

The code writes sensitive debug information to the client browser if the "debugEnabled" flag is set to true.

▼Observed Examples
Reference      Description
CVE-2004-2268  Password exposed in debug information.
CVE-2002-0918  CGI script includes sensitive information in debug messages when an error is triggered.
CVE-2003-1078  FTP client with debug option enabled shows password to the screen.
▼Detection Methods
Automated Static Analysis
Detection Method ID: DM-14
Description:

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Effectiveness: High
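As an added example that ties this detection method to the JSP snippet in Example 1 (code written for this page, not from CWE or ByteOS), the toy SAST check below tracks which `if` blocks are gated on a debug flag, even when a block is opened and closed in separate scriptlets, and flags any `<%= %>` output sink inside such a block whose expression looks sensitive. The debug and sensitive-name heuristics and the sample JSP are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# <% code %> carries control flow; <%= expr %> is an output sink whose value
# is written into the response and therefore reaches the client.
TOKEN = re.compile(r"<%(=?)(.*?)%>", re.S)
# 'if (cond) {' pushes its condition; bare braces keep nesting right across scriptlets.
BRACE = re.compile(r"if\s*\((.*?)\)\s*\{|[{}]")
# Heuristic name patterns (assumptions for this example, not CWE content).
DEBUG_FLAG = re.compile(r"debug", re.I)
SENSITIVE_NAME = re.compile(r"acct|account|passw|secret|token|ssn|card", re.I)

@dataclass
class Finding:
    line: int        # 1-based line of the offending <%= %> sink
    expression: str  # expression written to the client
    guard: str       # innermost debug condition that gates it

def scan_jsp(source: str) -> list[Finding]:
    """Flag sensitive-looking output sinks reachable only under a debug guard."""
    findings: list[Finding] = []
    stack: list[str | None] = []  # one entry per open '{': if-condition or None
    for m in TOKEN.finditer(source):
        is_output, body = m.group(1) == "=", m.group(2).strip()
        if is_output:
            guards = [g for g in stack if g and DEBUG_FLAG.search(g)]
            if guards and SENSITIVE_NAME.search(body):
                line = source.count("\n", 0, m.start()) + 1
                findings.append(Finding(line, body, guards[-1]))
            continue
        for tok in BRACE.finditer(body):
            if tok.group(0) == "}":
                if stack:
                    stack.pop()
            elif tok.group(0) == "{":
                stack.append(None)
            else:
                stack.append(tok.group(1))  # the if-condition text
    return findings

# Constructed sample: the page's snippet plus output that must not be flagged.
SAMPLE_JSP = """<html><body>
<% if (Boolean.getBoolean("debugEnabled")) { %>
  User account number: <%= acctNo %>
<% } %>
Welcome, <%= displayName %>
<% if (Boolean.getBoolean("debugEnabled")) { %>Request id: <%= requestId %><% } %>
</body></html>"""
```

Running `scan_jsp(SAMPLE_JSP)` reports only the account number on line 3; the non-sensitive `requestId` under the same guard and the ungated `displayName` are left alone, which is the control-flow context a plain grep for `debugEnabled` cannot give.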

▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

▼Notes
Relationship

This overlaps other categories.

▼Taxonomy Mappings
Taxonomy Name            Entry ID  Fit                Entry Name
PLOVER                   N/A       N/A                Infoleak Using Debug Information
OWASP Top Ten 2007       A6        CWE More Specific  Information Leakage and Improper Error Handling
OWASP Top Ten 2004       A10       CWE More Specific  Insecure Configuration Management
Software Fault Patterns  SFP23     N/A                Exposed Data