CWE-215: Insertion of Sensitive Information Into Debugging Code
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
扩展描述
When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the product is operating in a production environment, then this sensitive information may be exposed to attackers.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data
潜在缓解措施
阶段: Implementation
描述: Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software.
阶段: Architecture and Design
策略: Separation of Privilege
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
观察示例
参考: CVE-2004-2268
Password exposed in debug information.
参考: CVE-2002-0918
CGI script includes sensitive information in debug messages when an error is triggered.
参考: CVE-2003-1078
FTP client with debug option enabled shows password to the screen.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Infoleak Using Debug Information | - |
| OWASP Top Ten 2007 | A6 | Information Leakage and Improper Error Handling | CWE More Specific |
| OWASP Top Ten 2004 | A10 | Insecure Configuration Management | CWE More Specific |
| Software Fault Patterns | SFP23 | Exposed Data | - |