CWE-215: Insertion of Sensitive Information Into Debugging Code

BaseDraft

The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

View on MITRE
Back to CWE Lookup

Extended Description

When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the product is operating in a production environment, then this sensitive information may be exposed to attackers.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-215: Insertion of Sensitive Information Into Debugging Code?+

CWE-215: Insertion of Sensitive Information Into Debugging Code is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production. When debugging, it may be necessary to report detailed information to the programmer. However, if the debugging code is not disabled when the product is operating in a production environment, then this sensitive information may be exposed to attackers.

What are the security consequences of Insertion of Sensitive Information Into Debugging Code?+

If exploited, CWE-215 (Insertion of Sensitive Information Into Debugging Code) it can compromise Confidentiality, leading to outcomes such as Read Application Data.

How do you prevent or mitigate Insertion of Sensitive Information Into Debugging Code?+

Recommended mitigations for CWE-215 include: Do not leave debug statements that could be executed in the source code. Ensure that all debug information is eradicated before releasing the software.

Which programming languages are affected by Insertion of Sensitive Information Into Debugging Code?+

CWE-215 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Insertion of Sensitive Information Into Debugging Code?+

MITRE documents real CVEs mapped to CWE-215, including CVE-2004-2268, CVE-2002-0918 and CVE-2003-1078. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-215 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More