VariantIncomplete

CWE-615Inclusion of Sensitive Information in Source Code Comments

Category: data-exposure

Description

While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc. An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.

Common consequences· 1

  • Confidentiality — Read Application Data

Potential mitigations· 1

  • [Distribution]Remove comments which have sensitive information about the design/implementation of the application. Some of the comments may be exposed to the user and affect the security posture of the application.

References

  1. https://cwe.mitre.org/data/definitions/615.html

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Inclusion of Sensitive Information in Source Code
CWE
Inclusion of Sensitive Information in an Include File
CWE
Inclusion of Sensitive Information in Test Code
CWE
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE
Exposure of Backup File to an Unauthorized Control Sphere
CWE
Suspicious Comment
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.