1. Home
  2. CWE Database
  3. CWE-615
Variant · Low-Medium

CWE-615: Inclusion of Sensitive Information in Source Code Comments

While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by...

CWE-615 · Variant Level ·3 CVEs ·1 Mitigations

Description

While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc.

An attacker who finds these comments can map the application's structure and files, expose hidden parts of the site, and study the fragments of code to reverse engineer the application, which may help develop further attacks against the site.

Potential Impact

Confidentiality

Read Application Data

Demonstrative Examples

The following comment, embedded in a JSP, will be displayed in the resulting HTML output.
Bad
<!-- FIXME: calling this with more than 30 args kills the JDBC server -->

Mitigations & Prevention

Distribution

Remove comments which have sensitive information about the design/implementation of the application. Some of the comments may be exposed to the user and affect the security posture of the application.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2007-6197Version numbers and internal hostnames leaked in HTML comments.
CVE-2007-4072CMS places full pathname of server in HTML comment.
CVE-2009-2431blog software leaks real username in HTML comment.

CWE-540: Inclusion of Sensitive Information in Source Code

Source code on a web server or repository often contains sensitive information and should generally not be accessible to...

CWE-546: Suspicious Comment

The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.

Frequently Asked Questions

What is CWE-615?

CWE-615 (Inclusion of Sensitive Information in Source Code Comments) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by...

How can CWE-615 be exploited?

Attackers can exploit CWE-615 (Inclusion of Sensitive Information in Source Code Comments) to read application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-615?

Key mitigations include: Remove comments which have sensitive information about the design/implementation of the application. Some of the comments may be exposed to the user and affect the security posture of the application.

What is the severity of CWE-615?

CWE-615 is classified as a Variant-level weakness (Low-Medium abstraction). It has been observed in 3 real-world CVEs.