CWE

J2EE Misconfiguration: Weak Access Permissions for EJB Methods

ID: 9		Date: (C)2012-05-14   (M)2022-10-10
Type: weakness		Status: DRAFT
Abstraction Type: Variant

Description

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system.

Applicable Platforms
None

Time Of Introduction

• Architecture and Design
• Implementation

Common Consequences

Scope	Technical Impact	Notes
Other	Other

Detection Methods
None

Potential Mitigations

Phase	Strategy	Description	Effectiveness	Notes
Architecture and Design System Configuration		Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.

Relationships

Related CWE	Type	View	Chain
CWE-9 ChildOf CWE-901	Category	CWE-888

Demonstrative Examples   (Details)

1. The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary().

White Box Definitions
None

Black Box Definitions
None

Taxynomy Mappings

Taxynomy	Id	Name	Fit
7 Pernicious Kingdoms		J2EE Misconfiguration: Weak Access Permissions

References:
None