CWE

Access to Critical Private Variable via Public Method

ID: 767		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: INCOMPLETE
Abstraction Type: Variant

Description

The software defines a public method that reads or modifies a private variable.

Extended Description

If an attacker modifies the variable to contain unexpected values, this could violate assumptions from other parts of the code. Additionally, if an attacker can read the private variable, it may expose sensitive information or make it easier to launch further attacks.

Likelihood of Exploit: Low to Medium

Applicable Platforms
Language: C++
Language: C#
Language: Java

Time Of Introduction

• Architecture and Design
• Implementation

Common Consequences

Scope	Technical Impact	Notes
Integrity Other	Modify application data Other

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
Implementation		Use class accessor and mutator methods appropriately. Perform validation when accepting data from a public method that is intended to modify a critical private variable. Also be sure that appropriate access controls are being applied when a public method interfaces with critical data.

Relationships

Related CWE	Type	View	Chain
CWE-767 ChildOf CWE-895	Category	CWE-888

Demonstrative Examples   (Details)

1. The following example could be used to implement a user forum where a single user (UID) can switch between multiple profiles (PID).
2. The following example declares a critical variable to be private, and then allows the variable to be modified by public methods.

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
CLASP		Failure to protect stored data from modification

References:
None