Description

Go is an open source programming language. Go includes a pprof package that serves runtime profiling data over HTTP, in the format expected by the pprof visualization tool.

When the pprof package is imported, the Go application publishes runtime profiling data at /debug/pprof/.

This web application is using the pprof package and the /debug/pprof/ endpoints are publicly accessible.

Remediation

Restrict access to the /debug/pprof/ endpoints, or do not use the pprof package in production applications.
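
One way to restrict access is sketched below as an added example, not code from the original page: the public listener uses its own ServeMux, and the profiling handlers are mounted on a separate mux bound to loopback. The function names `publicMux` and `debugMux` and the ports 8080 and 6060 are assumptions chosen for illustration.

```go
package main

import (
	"log"
	"net/http"
	"net/http/pprof" // importing this package registers handlers on http.DefaultServeMux
)

// Exposed pattern, for comparison: a blank import of net/http/pprof plus
// http.ListenAndServe(":8080", nil) serves /debug/pprof/ to every client,
// because a nil handler means http.DefaultServeMux.

// publicMux builds the internet-facing router on a fresh ServeMux, so the
// handlers that pprof registered on http.DefaultServeMux are unreachable here.
func publicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" {
			http.NotFound(w, r)
			return
		}
		w.Write([]byte("ok\n"))
	})
	return mux
}

// debugMux mounts the profiling handlers explicitly on a separate router that
// is only ever attached to a loopback listener.
func debugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

func main() {
	// Assumed ports: 6060 for loopback-only profiling, 8080 for public traffic.
	go func() {
		log.Fatal(http.ListenAndServe("127.0.0.1:6060", debugMux()))
	}()
	log.Fatal(http.ListenAndServe(":8080", publicMux()))
}
```

With this layout, profiles are collected from the host itself or through an authenticated tunnel to the loopback port, while requests to /debug/pprof/ on the public port return 404.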
