Description
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
Modes of Introduction:
– Implementation
Related Weaknesses
Consequences
Confidentiality: Read Application Data
Potential Mitigations
Phase: Architecture and Design
Description:
Protect the application's sessions from information leakage. Make sure that one session's data is never used by, or visible to, another session.
Phase: Testing
Description:
Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).
Phase: Architecture and Design
Description:
In a multithreaded environment, the container keeps a single Servlet instance and dispatches concurrent requests to it from different threads, so storing user data in Servlet member fields introduces a data access race condition: one request can overwrite or read the data of another. Do not use Servlet member fields to store per-request or per-user information; keep it in local variables or in the request/session objects.
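The following added example (not part of the CWE entry and not real Servlet API code) models the situation the mitigation describes: a container holds one handler instance and runs requests on it from a thread pool. `LeakyHandler` keeps the user name in a member field, exactly the "Singleton Member Field" pattern the static-analysis mitigation refers to, while `SafeHandler` keeps it in a local variable. The names `LeakyHandler`, `SafeHandler`, `countCrossSessionLeaks` and the `Thread.yield()` placeholder for real work are assumptions for the demonstration; the harness counts how many responses were addressed to a user other than the one who made the request.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

// Assumed model (constructed for this example): a servlet container keeps ONE
// instance of a servlet and dispatches every request on it from a worker
// thread. The two handler classes stand in for that single instance; no real
// servlet API is used, so the file runs with a plain JDK: java SessionLeakDemo.java
public class SessionLeakDemo {

    /** Vulnerable pattern: per-request user data kept in a member field. */
    static class LeakyHandler {
        private String currentUser;          // one field shared by every request thread

        String handle(String user) {
            currentUser = user;              // step 1: store this request's data
            Thread.yield();                  // stands in for work done between the steps
            return "Hello " + currentUser;   // step 2: may now hold ANOTHER user's name
        }
    }

    /** Fixed pattern: per-request data lives in a local variable (thread-confined). */
    static class SafeHandler {
        String handle(String user) {
            String currentUser = user;       // on this thread's stack only
            Thread.yield();
            return "Hello " + currentUser;
        }
    }

    /**
     * Runs many concurrent requests against one handler instance and counts
     * responses that carry a different user's name than the request supplied.
     */
    static int countCrossSessionLeaks(Function<String, String> handler,
                                      int threads, int requestsPerThread) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger leaks = new AtomicInteger();
        CountDownLatch done = new CountDownLatch(threads);
        for (int t = 0; t < threads; t++) {
            final String user = "user" + t;                 // each thread acts as one session
            pool.submit(() -> {
                try {
                    for (int i = 0; i < requestsPerThread; i++) {
                        String response = handler.apply(user);
                        if (!response.equals("Hello " + user)) {
                            leaks.incrementAndGet();       // data from another session was returned
                        }
                    }
                } finally {
                    done.countDown();
                }
            });
        }
        done.await();
        pool.shutdown();
        return leaks.get();
    }

    public static void main(String[] args) throws InterruptedException {
        LeakyHandler leaky = new LeakyHandler();
        SafeHandler safe = new SafeHandler();
        // The leaky count is timing-dependent but is normally well above zero;
        // the safe handler can never produce a cross-session response.
        System.out.println("leaky handler, responses with the wrong user: "
                + countCrossSessionLeaks(leaky::handle, 8, 20_000));
        System.out.println("safe handler,  responses with the wrong user: "
                + countCrossSessionLeaks(safe::handle, 8, 20_000));
    }
}
```

The same defect appears in a real `HttpServlet` whenever request- or user-specific values (user name, account id, a partially built response) are assigned to instance fields inside `doGet`/`doPost`; the fix is the one shown in `SafeHandler`: keep that state in locals, in the `HttpServletRequest`, or in the `HttpSession` that belongs to the requesting user. A static-analysis rule for "Singleton Member Field" flags exactly the write to `currentUser` in `LeakyHandler.handle`.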