Pyramid DebugToolbar enabled - Vulnerability Database

Pyramid DebugToolbar enabled

Description

The Pyramid DebugToolbar is enabled and accessible on this web application. This developer-focused debugging interface is designed for development environments only and should never be exposed in production systems. When enabled, it provides detailed technical information about application internals, configuration settings, database queries, request/response data, and system environment variables that can aid attackers in reconnaissance activities.

Remediation

Immediately disable the Pyramid DebugToolbar in production environments. Ensure that the toolbar is only enabled in development settings by configuring it to activate based on environment-specific conditions.

In your Pyramid application configuration file (e.g., production.ini), ensure the debugtoolbar is not included:

pyramid.includes =
    # pyramid_debugtoolbar  # Commented out or removed

If you need conditional enabling for development, use environment-based configuration in your application setup:

from pyramid.config import Configurator


def main(global_config, **settings):
    config = Configurator(settings=settings)

    # 'env' is an application-defined key read from the [app:main] settings;
    # only the development value pulls the toolbar in, so production.ini never enables it
    if settings.get('env') == 'development':
        config.include('pyramid_debugtoolbar')

    return config.make_wsgi_app()

Additionally, implement IP-based access restrictions if the toolbar must remain accessible, limiting access to trusted development networks only.
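An added configuration check, not part of this database entry or of Pyramid itself, that audits a Pyramid ini file for both conditions described above: the toolbar still listed in pyramid.includes, and the toolbar's own debugtoolbar.hosts allow-list widened to every address. The ini contents are constructed samples.

```python
import configparser
import ipaddress
from typing import List

# Constructed sample configs: a weak production.ini that still includes the
# toolbar and opens it to every host, and a hardened one that does not.
WEAK_INI = """
[app:main]
use = egg:myapp
pyramid.includes =
    pyramid_tm
    pyramid_debugtoolbar
debugtoolbar.hosts = 0.0.0.0/0 ::/0
"""

HARDENED_INI = """
[app:main]
use = egg:myapp
pyramid.includes =
    pyramid_tm
    # pyramid_debugtoolbar  # removed from production
"""


def audit_debugtoolbar(ini_text: str, section: str = "app:main") -> List[str]:
    """Return findings about pyramid_debugtoolbar exposure in a Pyramid ini; [] means clean."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section(section):
        return [f"section [{section}] not found"]

    findings = []
    # pyramid.includes is a whitespace-separated, usually multi-line, package list;
    # configparser folds the indented continuation lines into one value.
    includes = parser.get(section, "pyramid.includes", fallback="").split()
    if "pyramid_debugtoolbar" in includes:
        findings.append("pyramid_debugtoolbar is listed in pyramid.includes")

    # debugtoolbar.hosts limits which client addresses may use the toolbar; a /0
    # network removes that limit entirely. Only checked when the key is present.
    for host in parser.get(section, "debugtoolbar.hosts", fallback="").split():
        try:
            net = ipaddress.ip_network(host, strict=False)
        except ValueError:
            findings.append(f"debugtoolbar.hosts entry is not an IP or network: {host}")
            continue
        if net.prefixlen == 0:
            findings.append(f"debugtoolbar.hosts allows every client address: {host}")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_debugtoolbar(ini) or ["no findings"])
```

Run it against a deployed production.ini as part of a release check; any non-empty result means the toolbar can still be reached.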
