Python : Debug mode on

Classification

OWASP Mobile Top 10 2014

M4-Unintended Data Leakage

OWASP Mobile Top 10 2016

M2-Insecure Data Storage

OWASP MASVS

V7: 7.2.(L1/L2/L1+R/L2+R)V8: 8.2.(L1+R/L2+R)

PCI DSS 4.0

10.3

CWE

CWE-215

Overview

The launch of the server with debug mode is possible, which can lead to data confidentiality loss. The debug parameter, which is responsible for enabling the debug mode, is set to True. The debugger allows executing arbitrary Python code from the browser. It is protected by a PIN, but still represents a major security risk. Do not run the development server or debugger in a production environment.

References

Flask RCE Debug Mode - ghostlulz.com
Flask debug=True exploitation - security.stackexchange.com
Werkzeug / Flask Debug - book.hacktricks.xyz
CVE-2015-5306

MEDIUM

Python : Debug mode on

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Python : Debug mode on in your application?

See also

Python : Web3: Deprecated method

Python : Unsafe padding

Python : Error handling: generic exception