The product is released with debugging code still enabled or active.
View on MITREActive debug code can create unintended entry points or expose sensitive information. The severity of the exposed debug code will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug code will allow an attacker complete control over the web application and server, as well as confidential information that either of these access.
Remove debug code before deploying the application.
No detection method information available for this CWE.
Debug code can be used to bypass authentication. For example, suppose an application has a login script that receives a username and a password. Assume also that a third, optional, parameter, called "debug", is interpreted by the script as requesting a switch to debug mode, and that when this parameter is given the username and password are not checked. In such a case, it is very simple to bypass the authentication process if the special behavior of the application regarding the debug parameter is known. In a case where the form is:
Then a conforming link will look like:
No relationship information available for this CWE.
CWE-489: Active Debug Code is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product is released with debugging code still enabled or active.
If exploited, CWE-489 (Active Debug Code) it can compromise Confidentiality, Integrity, Availability, Access Control and Other, leading to outcomes such as Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity and Varies by Context.
Recommended mitigations for CWE-489 include: Remove debug code before deploying the application.
CWE-489 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-489 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.