Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1295 — Vulnerability Class 19

19 vulnerabilities classified as CWE-1295. AI Chinese analysis included.

CWE-1295 represents a critical information disclosure weakness where applications inadvertently expose sensitive internal states through debug messages. This vulnerability is typically exploited by attackers who intercept these logs via network traffic, file systems, or hardware interfaces like UART, allowing them to map system architecture, identify configuration errors, or extract credentials embedded in diagnostic output. Developers can mitigate this risk by implementing strict log management policies that disable verbose debugging in production environments. Utilizing structured logging frameworks with configurable severity levels ensures that only essential operational data is recorded. Furthermore, conducting regular code reviews to identify and remove hardcoded debug statements, alongside encrypting log storage and transmission, prevents unauthorized access to potentially compromising system details, thereby maintaining confidentiality and integrity.

MITRE CWE Description
The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages. Debug messages are messages that help troubleshoot an issue by revealing the internal state of the system. For example, debug data in design can be exposed through internal memory array dumps or boot logs through interfaces like UART via TAP commands, scan chain, etc. Thus, the more information contained in a debug message, the easier it is to debug. However, there is also the risk of revealing information that could help an attacker either decipher a vulnerability, and/or gain a better understanding of the system. Thus, this extra information could lower the "security by obscurity" factor. While "security by obscurity" alone is insufficient, it can help as a part of "Defense-in-depth".
Common Consequences (1)
Confidentiality, Integrity, Availability, Access Control, Accountability, Authentication, Authorization, Non-RepudiationRead Memory, Bypass Protection Mechanism, Gain Privileges or Assume Identity, Varies by Context
Mitigations (1)
ImplementationEnsure that a debug message does not reveal any unnecessary information during the debug process for the intended response.
Examples (1)
This example here shows how an attacker can take advantage of unnecessary information in debug messages.
CVE IDTitleCVSSSeverityPublished
CVE-2025-59109 UART Leaking Sensitive Data in dormakaba registration unit 9002 — dormakaba registration unit 9002 8.1AIHighAI2026-01-26
CVE-2025-46775 Fortinet FortiExtender 安全漏洞 — FortiExtender 5.2 Medium2025-11-18
CVE-2025-35031 Medical Informatics Engineering Enterprise Health includes session token in debug output — Enterprise Health 3.3 Low2025-09-29
CVE-2025-42604 Detailed Error Response Vulnerability in Meon KYC solutions — KYC solutions 5.3 -2025-04-23
CVE-2025-2469 Debug Messages Revealing Unnecessary Information in GitLab — GitLab 3.7 Low2025-04-10
CVE-2025-31001 WordPress GTM Kit plugin <= 2.4.0 - Sensitive Data Exposure vulnerability — GTM Kit 7.5 High2025-04-01
CVE-2025-2877 Event-driven-ansible: exposure inventory passwords in plain text when starting a rulebook activation with verbosity set to debug in eda 6.5 Medium2025-03-28
CVE-2025-20643 MediaTek Chipsets 缓冲区错误漏洞 — MT6739, MT6761, MT6765, MT6768, MT6771, MT6779, MT6781, MT6785, MT6833, MT6853, MT6873, MT6877, MT6885, MT6893, MT8167, MT8167S, MT8175, MT8185, MT8195, MT8321, MT8362A, MT8365, MT8385, MT8395, MT8666, MT8667, MT8673, MT8675, MT8678, MT8765, MT8766, MT8768, MT8771, MT8775, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8795T, MT8797, MT8798, MT8893 4.0 -2025-02-03
CVE-2024-11217 Oauth-server-container: oauth-server-container logs client secret in debug level 4.9 Medium2024-11-15
CVE-2024-45784 Apache Airflow: Sensitive configuration values are not masked in the logs by default — Apache Airflow 6.5AIMediumAI2024-11-15
CVE-2024-38516 Aimeos HTML client may potentially reveal sensitive information in error log — ai-client-html 8.8 High2024-06-25
CVE-2024-27179 Session disclosure inside the log files — Toshiba Tec e-Studio multi-function peripheral (MFP) 4.7 Medium2024-06-14
CVE-2023-5392 Honeywell C300 安全漏洞 — C300 7.5 High2024-04-11
CVE-2023-28077 Dell BSAFE 信息泄露漏洞 — Dell BSAFE SSL-J 4.4 Medium2024-02-10
CVE-2023-4215 Advantech WebAccess Debug Messages Revealing Unnecessary Information — WebAccess 6.5 Medium2023-10-16
CVE-2022-27597 QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances) — QTS 2.7 Low2023-03-29
CVE-2022-34364 Dell BSAFE 安全漏洞 — BSAFE SSL-J 4.4 Medium2023-02-10
CVE-2021-25476 Samsung SMR 安全漏洞 — Samsung Mobile Devices 4.1 Medium2021-10-06
CVE-2021-31412 Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19 — Vaadin 5.3 Medium2021-06-24

Vulnerabilities classified as CWE-1295 represent 19 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.