CVEbaza.plSłownik CWECWE-215
Common Weakness Enumeration

CWE-215

Insertion of Sensitive Information Into Debugging Code

Kategoria: BaseCVE: 17
Opis

Produkt wstawia poufne informacje do kodu debugowania, co może ujawnić te dane, jeśli kod debugowania nie zostanie wyłączony w środowisku produkcyjnym. Stanowi to zagrożenie bezpieczeństwa, gdy debugowanie pozostaje aktywne w wydanej wersji oprogramowania.

Description (EN)

The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production.

Podatności CVE z CWE-215 (17)
9.6
CVSS
CRITICAL
CVE-2024-7569

Podatność typu information disclosure w Ivanti ITSM (on-prem) oraz Neurons for ITSM w wersjach 2023.4 i wcześniejszych umożliwia nieuwierzytelnionemu atakującemu pozyskanie sekretu klienta OIDC za pośrednictwem informacji debugowania. Przejęcie tego sekretu może prowadzić do obejścia mechanizmów uwierzytelniania i przejęcia kontroli nad sesją lub kontem.

pub. 2024-08-13
9.4
CVSS
CRITICAL
CVE-2026-40173

Dgraph w wersjach 25.3.1 i wcześniejszych udostępnia endpoint /debug/pprof/cmdline bez uwierzytelnienia, co prowadzi do ujawnienia pełnej linii poleceń procesu, w tym tokenu administratora. Atakujący może wykorzystać ten token do uzyskania nieautoryzowanego dostępu do chronionych endpointów administracyjnych.

pub. 2026-04-15
8.8
CVSS
HIGH
CVE-2019-3781

Cloud Foundry CLI, versions prior to v6.43.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password.

pub. 2019-03-07
8.8
CVSS
HIGH
CVE-2018-1191

Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an information exposure vulnerability. A user with access to Garden logs may be able to obtain leaked credentials and perform authenticated actions using those credentials.

pub. 2018-03-29
7.5
CVSS
HIGH
CVE-2026-2250

The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.

pub. 2026-02-11
7.5
CVSS
HIGH
CVE-2025-27684

Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 1.0.735 Application 20.0.1330 allows Debug Bundle Contains Sensitive Data V-2022-003.

pub. 2025-03-05
7.4
CVSS
HIGH
CVE-2026-33247

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, if a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled. The `/debug/vars` end-point contains an unredacted copy of argv. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, configure credentials inside a configuration file instead of via argv, and do not enable the monitoring port if using secrets in argv. Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.

pub. 2026-03-25
6.9
CVSS
MEDIUM
CVE-2025-34081

The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.This issue affects CONPROSYS HMI System (CHS): before 3.7.7.

pub. 2025-07-01
6.6
CVSS
MEDIUM
CVE-2025-58598

Insertion of Sensitive Information Into Debugging Code vulnerability in Klarna Klarna Order Management for WooCommerce klarna-order-management-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Klarna Order Management for WooCommerce: from n/a through <= 1.9.8.

pub. 2025-09-03
6.5
CVSS
MEDIUM
CVE-2023-51390

journalpump is a daemon that takes log messages from journald and pumps them to a given output. A logging vulnerability was found in journalpump which logs out the configuration of a service integration in plaintext to the supplied logging pipeline, including credential information contained in the configuration if any. The problem has been patched in journalpump 2.5.0.

pub. 2023-12-21
6.5
CVSS
MEDIUM
CVE-2022-0721

Insertion of Sensitive Information Into Debugging Code in GitHub repository microweber/microweber prior to 1.3.

pub. 2022-02-23
5.3
CVSS
MEDIUM
CVE-2023-49194

Insertion of Sensitive Information Into Debugging Code vulnerability in importify Importify (Dropshipping WooCommerce) importify allows Retrieve Embedded Sensitive Data.This issue affects Importify (Dropshipping WooCommerce): from n/a through <= 1.0.4.

pub. 2024-12-09
5.3
CVSS
MEDIUM
CVE-2018-1002104

Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly.

pub. 2020-01-14
4.2
CVSS
MEDIUM
CVE-2023-21462

The sensitive information exposure vulnerability in Quick Share Agent prior to versions 3.5.14.18 in Android 12 and 3.5.16.20 in Android 13 allows to local attacker to access MAC address without related permission.

pub. 2023-03-16
2.9
CVSS
LOW
CVE-2025-12616

W PHPGurukul News Portal 1.0 została wykryta podatność w nieznanej funkcji pliku /onps/settings.py. Manipulacja tym elementem umożliwia wstawienie wrażliwych informacji do kodu debugowania. Atak może być zainicjowany zdalnie, jednak wymaga wysokiego poziomu złożoności i trudności w eksploitacji. Exploit jest już publiczny i może być wykorzystywany.

pub. 2025-11-03
2.4
CVSS
LOW
CVE-2025-0895

IBM Cognos Analytics Mobile 1.1 for Android could allow a user with physical access to the device, to obtain sensitive information from debugging code log messages.

pub. 2025-03-02
2.2
CVSS
LOW
CVE-2024-22194

cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. An information leakage vulnerability is present in `cdo-local-uuid` at version `0.4.0`, and in `case-utils` in unpatched versions (matching the pattern `0.x.0`) at and since `0.5.0`, before `0.15.0`. The vulnerability stems from a Python function, `cdo_local_uuid.local_uuid()`, and its original implementation `case_utils.local_uuid()`.

pub. 2024-01-11
Informacje
ID: CWE-215
Typ: Base
Podatności: 17
MITRE CWE ↗
← Słownik CWE