Description

Go is an open source programming language. Go contains a package pprof that serves via its HTTP server runtime profiling data in the format expected by the pprof visualization tool.

When the pprof package is imported the Go application will publish runtime profiling data at /debug/pprof/.

This web application is using the pprof package and the /debug/pprof/ endpoints are publicly accessible.

Remediation

It's recommended to restrict access to the /debug/pprof/ endpoints or don't use the pprof package on production applications.

References

Package pprof

Related Vulnerabilities

Password found in server response

Zend framework configuration file information disclosure

JBoss status servlet information leak

ColdFusion Request Debugging information disclosure

Tornado debug mode

Severity

Medium

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure