Keep design tooling in separate packages from the actual product and supply useful logging.
Design tooling for functional tests, performance tests, or troubleshooting increases the attack surface and makes a product more vulnerable [MITRE 2023]. The need to ship such tooling in a final product typically originates from missing the concept of staged testing, with separate packaging of the product and of the design tooling it requires. Designers who troubleshoot only with highly privileged users are often the root cause of badly designed logging, which in turn forces the operator to use highly privileged or shared accounts in production as well.
Anti-patterns:
Not knowing that a product must be deployed differently in production than in staging can leave well-known entry points wide open [Hammond 2022]. Well-written test-driven design avoids the need for excessive troubleshooting design tooling such as the interactive debugger seen in Flask.
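As an added example that is not part of this standard's text, the following stdlib-only scanner flags the Flask debug-mode anti-pattern discussed above in Python source: a call with `debug=True`, an assignment `something.debug = True`, or `config["DEBUG"] = True`. The two sample sources are constructed for the example and are not taken from any real product.

```python
import ast

# Constructed sample: the debugger is hard-wired into the product entry point.
NONCOMPLIANT_SRC = """
from flask import Flask
app = Flask(__name__)
app.config["DEBUG"] = True

if __name__ == "__main__":
    app.run(debug=True)
"""

# Constructed sample: troubleshooting goes through logging; enabling the
# debugger is left to a separate development package that is never shipped.
COMPLIANT_SRC = """
import logging
from flask import Flask

def create_app():
    app = Flask(__name__)
    logging.basicConfig(level=logging.INFO)
    return app

if __name__ == "__main__":
    create_app().run(host="127.0.0.1")
"""


def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True


def find_debug_enabled(source):
    """Return sorted (line, description) pairs for every place the Werkzeug/Flask
    debugger is switched on in the given Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "debug" and _is_true(kw.value):
                    findings.append((node.lineno, "call with debug=True"))
        elif isinstance(node, ast.Assign) and _is_true(node.value):
            for target in node.targets:
                if isinstance(target, ast.Attribute) and target.attr == "debug":
                    findings.append((node.lineno, ".debug = True"))
                elif (isinstance(target, ast.Subscript)
                      and isinstance(target.slice, ast.Constant)   # Python 3.9+
                      and target.slice.value == "DEBUG"):
                    findings.append((node.lineno, 'config["DEBUG"] = True'))
    return sorted(findings)


if __name__ == "__main__":
    print("noncompliant:", find_debug_enabled(NONCOMPLIANT_SRC))
    print("compliant:", find_debug_enabled(COMPLIANT_SRC))
```

Run the scanner over the packaged product sources in the release pipeline; any finding means debug tooling has leaked into the production package.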
| Tool | Version | Checker | Description |
|---|---|---|---|
| Bandit | 1.7.4 on Python 3.10.4 | Not Available | |
| Flake8 | 8-4.0.1 on Python 3.10.4 | Not Available | |
| Component | CVE | Description | CVSS Rating | Comment |
|---|---|---|---|---|
| ceph-iscsi-cli (Red Hat Ceph Storage 2, 3) | CVE-2018-14649 | The ceph-iscsi-cli package as shipped by Red Hat Ceph Storage 2 and 3 uses python-werkzeug in debug shell mode. This is done by setting debug=True in the file /usr/bin/rbd-target-api provided by the ceph-iscsi-cli package. This allows unauthenticated attackers to access this debug shell and escalate privileges. | CVSS 3.x: 9.8 | |
| OpenStack ironic-inspector, ironic-discoverd | CVE-2015-5306 | When debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error. | CVSS 2.x: 6.8 | |
| [Monkey patch - Wikipedia 2023] | Wikimedia Foundation. (2024). Monkey patch [online]. Available from: https://en.wikipedia.org/wiki/Monkey_patch [accessed 3 January 2025] |
| [Hammond 2022] | Hammond. (2022). DANGEROUS Python Flask Debug Mode Vulnerabilities [online]. YouTube. Available from: https://www.youtube.com/watch?v=jwBRgaIRdgs [accessed 3 January 2025] |