Critical Variable Declared Public
ID: 766 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
The software declares a critical variable or field to be public
when intended security policy requires it to be private.
Likelihood of Exploit: Low to Medium
Applicable Platforms
- Language: C++
- Language: C#
- Language: Java
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes
---|---|---
Integrity, Confidentiality | Read application data; Modify application data | Making a critical variable public allows anyone with access to the object in which the variable is contained to alter or read the value.
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes
---|---|---|---|---
Implementation | | Declare data members private, and final whenever the value must not change after construction; use static final for values that belong to the class rather than to an instance. Each keyword buys one thing: private stops code outside the class from reading or writing the field, final stops the field from being reassigned after it is initialized, and static final has the value set once when the class is loaded. Note that final fixes only the reference: a final field that holds a mutable object (an array, a List, a StringBuilder) can still be modified through that reference, so expose such fields only via accessor methods that return a copy or an unmodifiable view. | | 
Relationships
Related CWE | Type | View | Chain
---|---|---|---
CWE-766 ChildOf CWE-897 | Category | CWE-888 | 
Demonstrative Examples (Details)
- The following example declares a critical variable public, making it
accessible to anyone with access to the object in which it is
contained.
- The following example shows a basic user account class that includes
member variables for the username and password as well as a public
constructor for the class and a public method to authorize access to the
user account.
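The two classes described in the list above (a class whose critical variable is public, and a user account class with username and password fields, a public constructor and a public method that authorizes access) are not reproduced on this page. The following Java program is an added example, not the CWE entry's own code: it shows the public-field version beside the private-field version, and also demonstrates the caveat from the mitigation above that a final reference can still point at a mutable object. The class and method names (WeakUserAccount, UserAccount, Session, sha256) are my own, and the SHA-256 digest stands in for a proper salted password hash so that the hardened class does not keep the secret as a plain string; it is not a recommendation for how to store passwords.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class Cwe766Demo {

    /** Vulnerable (CWE-766): the fields that decide access are public. */
    static class WeakUserAccount {
        public String username;
        public String password;
        public boolean authorized; // meant to be set only by authorize()

        public WeakUserAccount(String username, String password) {
            this.username = username;
            this.password = password;
        }

        public boolean authorize(String user, String pass) {
            authorized = username.equals(user) && password.equals(pass);
            return authorized;
        }
    }

    /** Hardened: critical state is private and final; authorize() is the only way in (CERT OBJ01-J). */
    static final class UserAccount {
        private final String username;
        // Hypothetical: a real system stores a salted, slow hash (bcrypt, scrypt, Argon2), not a bare SHA-256.
        private final byte[] passwordHash;

        UserAccount(String username, String password) {
            this.username = username;
            this.passwordHash = sha256(password);
        }

        boolean authorize(String user, String pass) {
            // MessageDigest.isEqual compares in constant time, so the check does not leak how many bytes matched.
            return username.equals(user) && MessageDigest.isEqual(passwordHash, sha256(pass));
        }
    }

    /** Caveat: final fixes the reference only. A public final collection is still writable by anyone. */
    static final class Session {
        public final List<String> rolesExposed = new ArrayList<>(); // any caller can add "admin"
        private final List<String> roles = new ArrayList<>();

        List<String> roles() {
            return Collections.unmodifiableList(roles); // read-only view; writes throw
        }
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample credentials for the demonstration.
        WeakUserAccount weak = new WeakUserAccount("alice", "s3cret");
        boolean beforeTamper = weak.authorize("alice", "guess");
        weak.password = "guess";   // any holder of the reference can overwrite the credential
        boolean afterTamper = weak.authorize("alice", "guess");
        weak.authorized = true;    // or skip authorize() altogether and flip the flag
        System.out.println("weak account: wrong password accepted before tamper=" + beforeTamper
                + ", after tamper=" + afterTamper + ", flag forced=" + weak.authorized);

        UserAccount acct = new UserAccount("alice", "s3cret");
        // acct.passwordHash = sha256("guess");  // does not compile: passwordHash has private access
        System.out.println("hardened account: wrong password accepted=" + acct.authorize("alice", "guess")
                + ", right password accepted=" + acct.authorize("alice", "s3cret"));

        Session s = new Session();
        s.rolesExposed.add("admin"); // compiles and succeeds: final did not make the list immutable
        try {
            s.roles().add("admin");  // the unmodifiable view rejects the write
        } catch (UnsupportedOperationException e) {
            System.out.println("read-only roles view rejected the write; exposed list now holds " + s.rolesExposed);
        }
    }
}
```

Save it as Cwe766Demo.java, compile with javac and run with java Cwe766Demo. The attempted write to acct.passwordHash is left as a comment because javac rejects it; that compile-time error is exactly what the private modifier buys. Keep in mind that private is an access-control boundary enforced by the compiler and the JVM, not an isolation boundary: reflection (Field.setAccessible) can still reach a private field unless the module system forbids it, and native code in the same process is not bound by it at all, so it protects against accidental or unprivileged misuse, not against fully privileged code.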
Observed Examples
- CVE-2010-3860 : variables declared public allow remote read of system properties such as user name and home directory.
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit
---|---|---|---
CLASP | | Failure to protect stored data from modification | 
CERT Java Secure Coding | OBJ01-J | Declare data members as private and provide accessible wrapper methods | 
References: None