Category: 7PK - Encapsulation
Draft
Summary
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
Membership
| ID | Name | Description |
|---|---|---|
| CWE-486 | Comparison of Classes by Name | This vulnerability occurs when an application determines an object's trustworthiness or behavior solely by checking its class name. Since multiple classes can share identical names across different packages or classloaders, this comparison can lead to using the wrong, potentially malicious, class. |
| CWE-488 | Exposure of Data Element to Wrong Session | This vulnerability occurs when an application fails to properly isolate data between different user sessions, allowing information from one user's session to leak into another's. |
| CWE-489 | Active Debug Code | This vulnerability occurs when software is deployed to production with debugging or diagnostic features still enabled and accessible. |
| CWE-491 | Public cloneable() Method Without Final ('Object Hijack') | This vulnerability occurs when a class implements a public clone() method without declaring it final. This allows attackers to create copies of objects without invoking their constructors, potentially leaving the cloned object in an inconsistent or insecure state. |
| CWE-492 | Use of Inner Class Containing Sensitive Data | Using inner classes to handle sensitive data can unintentionally expose that data because of how Java compiles them. The compiler transforms inner classes into separate, package-visible classes, which can bypass the intended private access restrictions. |
| CWE-493 | Critical Public Variable Without Final Modifier | This vulnerability occurs when a security-sensitive variable is declared as public but not marked as final, allowing untrusted code to unexpectedly change its value after initialization. |
| CWE-495 | Private Data Structure Returned From A Public Method | This vulnerability occurs when a public method directly returns a reference to a private, internal data structure. Because the reference is live, external callers can bypass intended controls and modify the data unexpectedly, corrupting the application's state. |
| CWE-496 | Public Data Assigned to Private Array-Typed Field | This vulnerability occurs when a developer stores sensitive data in a private array, but then assigns a publicly accessible reference to that same array. This effectively makes all the private array's contents available to unauthorized code, bypassing intended access controls. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | This vulnerability occurs when an application unintentionally reveals sensitive details about its underlying system, such as file paths, software versions, or environment data, to users who should not have access to that information. |
| CWE-501 | Trust Boundary Violation | This vulnerability occurs when an application incorrectly stores or processes trusted and untrusted data together within the same structure, such as an object, array, or message. |
| CWE-700 | Seven Pernicious Kingdoms | This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.