J2EE Misconfiguration: Weak Access Permissions for EJB Methods

ID: 9
Date: (C) 2012-05-14 (M) 2012-11-08
Type: weakness
Status: DRAFT
Abstraction Type: Variant

Description

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system.

Applicable Platforms
None

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

Scope | Technical Impact | Notes
Other | Other |

Detection Methods
None

Potential Mitigations

Phase: Architecture and Design
Strategy: System Configuration
Description: Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.
Effectiveness: None
Notes: None

Relationships

Related CWE | Type | View | Chain
CWE-9 ChildOf CWE-901 | Category | CWE-888 |

Demonstrative Examples

  1. The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary().
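A defender's check for the misconfiguration described in the example above and addressed by the mitigation. This is an added Python script, not code from the CWE entry or from SecPod: it parses a constructed ejb-jar.xml descriptor that grants the ANYONE role permission to invoke Employee.getSalary(), reports the over-broad grant, and shows that the same descriptor restricted to a hypothetical "Payroll" role passes. The set of roles treated as over-broad and the "Payroll" role name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml fragment matching the weakness in the text: the
# ANYONE role may invoke Employee.getSalary().
WEAK_EJB_JAR = """<ejb-jar>
  <assembly-descriptor>
    <method-permission>
      <role-name>ANYONE</role-name>
      <method>
        <ejb-name>Employee</ejb-name>
        <method-name>getSalary</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

# Corrected descriptor: the same method, restricted to a hypothetical
# 'Payroll' role (least privilege).
FIXED_EJB_JAR = WEAK_EJB_JAR.replace("ANYONE", "Payroll")

# Role names treated as granting access to every caller (assumed convention).
OVERBROAD_ROLES = frozenset({"ANYONE"})


def _local(tag):
    """Strip the namespace that newer ejb-jar.xml schemas put on tags."""
    return tag.rsplit("}", 1)[-1]


def find_weak_method_permissions(xml_text):
    """Return (ejb-name, method-name, role) for each over-broad grant; an
    <unchecked/> element disables the authorization check entirely and is
    reported with the pseudo-role 'unchecked'."""
    findings = []
    for perm in ET.fromstring(xml_text).iter():
        if _local(perm.tag) != "method-permission":
            continue
        roles = [c.text.strip() for c in perm if _local(c.tag) == "role-name" and c.text]
        roles += ["unchecked" for c in perm if _local(c.tag) == "unchecked"]
        bad = [r for r in roles if r in OVERBROAD_ROLES or r == "unchecked"]
        for m in perm:
            if _local(m.tag) != "method":
                continue
            ejb = next((c.text for c in m if _local(c.tag) == "ejb-name"), "?")
            name = next((c.text for c in m if _local(c.tag) == "method-name"), "*")
            findings += [(ejb, name, r) for r in bad]
    return findings
```

Running the check over every deployment descriptor in a build gives a simple pre-deployment gate for this weakness.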

White Box Definitions
None

Black Box Definitions
None

Taxonomy Mappings

Taxonomy | Id | Name | Fit
7 Pernicious Kingdoms | | J2EE Misconfiguration: Weak Access Permissions |

References:
None

© 2013 SecPod Technologies