KB Article #188820

Debugging Information(PDB files) for Executable Files

Problem

While examining the file system for sensitive information, the path "<Transfer CFT installation directory>\home\bin\" was found to contain numerous PDB files.

Having PDB files in a production environment can introduce several security risks, including:

Information Disclosure: PDB files contain detailed debugging information, including function names, variable names, and possibly even file paths. This level of detail can give attackers insights into the internal workings of the application, making it easier to exploit vulnerabilities or reverse engineer the code.

Increased Attack Surface: Providing such detailed information in production could aid in discovering weak points in the system that would otherwise be obscured in a production binary, particularly when combined with other vulnerabilities or misconfigurations.

From a security perspective, PDB files should not be shipped with, or left in, a production installation.


Resolution

From Transfer CFT 3.10 2406 onwards, the Transfer CFT package no longer bundles PDB files. Update to Transfer CFT 3.10 2406 to mitigate the reported vulnerability.
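After updating, it is worth confirming that no debugging artifacts remain in the installation tree. The script below is an added example, not part of this KB article and not Transfer CFT's own tooling. It walks a directory and lists every loose .pdb file, and it goes one step beyond the article by also scanning .exe/.dll files for an embedded CodeView "RSDS" record, since the PDB path recorded at build time stays inside the binary even when the .pdb file itself is not shipped. The directory layout, file names and the fake "RSDS" record it builds under build_sample_tree() are constructed for the demonstration; point scan_tree() at the real "<Transfer CFT installation directory>\home\bin\" to check a live install.

```python
"""Scan an installation directory for shipped debugging artifacts.

Added example (not from the KB article or Transfer CFT). Standard library only.
"""
import os
import struct
import tempfile
from pathlib import Path

RSDS = b"RSDS"  # CodeView PDB 7.0 record signature found in PE debug data


def find_pdb_files(root):
    """Return every *.pdb file under root (case-insensitive match), sorted."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".pdb"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def embedded_pdb_paths(data):
    """Heuristic: extract PDB paths from CodeView RSDS records in PE bytes.

    Record layout: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path.
    This path (often a developer build path) remains in the executable even
    when no .pdb file is shipped, so it is part of the disclosed information.
    """
    paths = []
    pos = data.find(RSDS)
    while pos != -1:
        start = pos + 4 + 16 + 4          # skip signature, GUID and age
        end = data.find(b"\x00", start)
        if end != -1 and end > start:
            path = data[start:end]
            if all(32 <= b < 127 for b in path):   # accept printable ASCII only
                paths.append(path.decode("ascii"))
        pos = data.find(RSDS, pos + 4)
    return paths


def scan_tree(root):
    """Report loose .pdb files and PDB references embedded in binaries."""
    report = {"pdb_files": find_pdb_files(root), "pdb_references": {}}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".exe", ".dll")):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    refs = embedded_pdb_paths(fh.read())
                if refs:
                    report["pdb_references"][full] = refs
    return report


def build_sample_tree():
    """Construct a throwaway directory that mimics a shipped bin folder.

    All names and contents here are made up for the demonstration.
    """
    root = tempfile.mkdtemp(prefix="cft_bin_")
    (Path(root) / "sampletool.pdb").write_bytes(b"not a real pdb")
    (Path(root) / "sub").mkdir()
    (Path(root) / "sub" / "SampleLib.PDB").write_bytes(b"")
    fake_exe = (
        b"MZ" + b"\x00" * 64
        + RSDS + b"\x11" * 16 + struct.pack("<I", 3)
        + b"C:\\build\\agent\\sampletool.pdb\x00" + b"\x00" * 16
    )
    (Path(root) / "sampletool.exe").write_bytes(fake_exe)
    (Path(root) / "clean.dll").write_bytes(b"MZ" + b"\x00" * 128)
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for p in result["pdb_files"]:
        print("PDB file shipped:", p)
    for binary, refs in result["pdb_references"].items():
        print("Embedded PDB path in", binary, "->", refs)
```

The RSDS scan is a byte-level heuristic rather than a full PE parser, so treat a hit as something to inspect rather than proof on its own; an empty result for both lists after the upgrade is the outcome the resolution above describes.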