Read Time:1 Minute, 0 Second

Description

The application is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

A common development practice is to add “back door” code specifically designed for debugging or testing purposes that is not intended to be shipped or deployed with the application. These back door entry points create security risks because they are not considered during design or testing and fall outside of the expected operating conditions of the application.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-710
CWE-215

 

Consequences

Confidentiality, Integrity, Availability, Access Control, Other: Bypass Protection Mechanism, Read Application Data, Gain Privileges or Assume Identity, Varies by Context

The severity of the exposed debug application will depend on the particular instance. At the least, it will give an attacker sensitive information about the settings and mechanics of web applications on the server. At worst, as is often the case, the debug application will allow an attacker complete control over the web application and server, as well as confidential information that either of these access.

 

Potential Mitigations

Phase: Build and Compilation, Distribution

Description: 

Remove debug code before deploying the application.

CVE References