Access to host IPC namespace

Property
Language: terraform
Severity: high
Vulnerability Type: misconfiguration

Description

Setting ‘hostIPC’ to true in Kubernetes pod specifications allows containers to share the host’s IPC namespace, enabling processes inside the container to communicate directly with processes on the host. This breaks container isolation and exposes sensitive host resources.

Impact

Exploiting shared IPC namespaces can let attackers in a compromised container access or interfere with host processes, potentially leading to sensitive data exposure, privilege escalation, or disruption of host system services.

Access to host network

Property
Language: terraform
Severity: high
Vulnerability Type: misconfiguration

Description

Enabling ‘hostNetwork: true’ in a Kubernetes pod or controller configuration allows the pod to share the host node’s network namespace, giving pod processes direct access to the host’s network interfaces and loopback adapter. This bypasses normal container network isolation.

Impact

Attackers gaining access to such pods could intercept or interfere with network traffic on the host, perform lateral movement, or exploit network services running on the host, increasing the risk of privilege escalation and broadening the attack surface within the cluster.

Access to host PID

Property
Language: terraform
Severity: high
Vulnerability Type: misconfiguration

Description

Enabling the ‘hostPID’ setting in Kubernetes pod specifications allows containers to share the host’s process ID namespace, exposing details about processes running on the underlying node. This configuration can unintentionally leak sensitive information such as environment variables or system configurations.

Impact

If exploited, attackers inside compromised containers could view or interfere with host-level processes, increasing the risk of privilege escalation, information leakage, and lateral movement across the cluster, potentially compromising the security of the entire node.

Access to host ports

Property
Language: terraform
Severity: high
Vulnerability Type: misconfiguration

Description

The configuration allows Kubernetes pods to bind container ports directly to host machine ports using the ‘hostPort’ setting. This practice bypasses network isolation between pods and the host, violating pod security standards.

Impact

Exposing host ports can enable attackers to access or interfere with services on the host, escalate privileges, or disrupt network traffic, increasing the risk of lateral movement and compromise of the entire cluster or underlying infrastructure.

Access to host process

Property
Language: terraform
Severity: medium
Vulnerability Type: misconfiguration

Description

Enabling ‘hostProcess’ in the security context of Windows pods allows containers to run with privileged access to the underlying Windows node, bypassing normal isolation boundaries. This setting can expose the host to elevated risks by granting containers system-level permissions.

Impact

If exploited, an attacker gaining access to a hostProcess-enabled container could execute commands with high privileges on the Windows node, potentially leading to full host compromise, persistence, and lateral movement across the cluster or broader network.

Active Debug Code

Property
Language: apex
Severity: medium
CWE: CWE-489: Active Debug Code
Confidence Level: High
Impact Level: Medium
Likelihood Level: Low

Description

Besides potentially logging data excessively, debug statements also lengthen transactions and consume Apex CPU time even when debug logs are not being captured.

Active Debug Code

Property
Language: yaml
Severity: low
CWE: CWE-489: Active Debug Code
OWASP: A06:2017 - Security Misconfiguration
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Setting FLASK_ENV to ‘development’ automatically enables Flask’s debug mode, which exposes sensitive debugging information and can make the app vulnerable. This setting should not be used in production or shared environments.

Impact

If debug mode is enabled in a deployed application, attackers could access detailed error messages, view code, or even execute arbitrary code on the server, leading to data leaks or system compromise.

Active Debug Code

Property
Language: generic
Severity: low
CWE: CWE-489: Active Debug Code
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

Enabling debug options like ‘-Vdebug’ or ‘-Ydebug’ in Scala production builds exposes detailed internal information that should remain private. This can unintentionally reveal sensitive implementation details to anyone accessing the deployed application.

Impact

If left enabled, attackers could gain insights into the application’s internal logic, configurations, or stack traces, making it easier to exploit vulnerabilities. It can also degrade performance and reliability, potentially leading to service disruptions or data leaks.

Active Debug Code

Property
Language: regex
Severity: low
CWE: CWE-489: Active Debug Code
OWASP: A06:2017 - Security Misconfiguration
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The Django {% debug %} template tag outputs sensitive debugging information directly to the page when debug mode is enabled. Leaving this tag in your templates can unintentionally expose internal variables and environment details to users.

Impact

If this vulnerability is exploited, attackers could gain insight into your application’s internal state, including context variables and configuration details. This information can be leveraged to find further weaknesses, aiding in attacks such as privilege escalation or information disclosure.

Active Debug Code

Property
Language: go
Severity: low
CWE: CWE-489: Active Debug Code
OWASP: A06:2017 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Go pprof profiling endpoints are exposed on /debug/pprof in production, which can leak detailed information about your server’s internals. This happens when ‘net/http/pprof’ is imported without restricting access to these routes.

Impact

If left open, attackers could access sensitive profiling data like memory usage, goroutine dumps, or CPU profiles, making it easier to exploit vulnerabilities or perform denial-of-service attacks. This exposure could aid in reconnaissance and weaken your application’s overall security.