Pprof Debug Files Detected

medium Web App Scanning Plugin ID 113892

Language:

Synopsis

Pprof Debug Files Detected

Description

Pprof is a tool for visualization and analysis of profiling data. Output files may be located inside a hidden directory named debug/pprof/ & When exposed with the web application configuration, the files contained in this directory may expose sensitive information such as internal memory addresses, configuration, filesystem information and resource consumption which may be of use to external attackers.

Solution

Review the contents of the discovered debug/pprof directory and remove sensitive content, and/or adjust the web server's access controls to limit access to sensitive material.

See Also

https://github.com/google/pprof/blob/main/doc/README.md

Plugin Details

Severity: Medium

ID: 113892

Type: remote

Family: Data Exposure

Published: 5/5/2023

Updated: 5/5/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information

CWE: 538

OWASP: 2010-A6, 2013-A5, 2017-A6, 2021-A1

WASC: Predictable Resource Location

CAPEC: 95

DISA STIG: APSC-DV-002480

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API3, 2019-API7, 2023-API3, 2023-API8

PCI-DSS: 3.2-2.2