The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.
View on MITREWhen debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the product is operating in a production environment, then this sensitive information may be exposed to attackers.
Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software.
No detection method information available for this CWE.
The following program changes its behavior based on a debug flag.
The code writes sensitive debug information to the client browser if the "debugEnabled" flag is set to true .
CGI script includes sensitive information in debug messages when an error is triggered.
View DetailsNo relationship information available for this CWE.
CWE-215: Insertion of Sensitive Information Into Debugging Code is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the product is operating in a production environment, then this sensitive information may be exposed to attackers.
If exploited, CWE-215 (Insertion of Sensitive Information Into Debugging Code) it can compromise Confidentiality, leading to outcomes such as Read Application Data.
Recommended mitigations for CWE-215 include: Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software.
CWE-215 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
MITRE documents real CVEs mapped to CWE-215, including CVE-2004-2268, CVE-2002-0918 and CVE-2003-1078. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
A CWE (Common Weakness Enumeration) like CWE-215 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.