CWE-499 – Serializable Class Containing Sensitive Data


Description

The code contains a class that holds sensitive data, but the class does not explicitly deny serialization. Any code that can serialize an instance of the class, directly or by serializing another class that holds a reference to it, obtains a byte stream containing that data.

Serializable classes are effectively open classes: access modifiers such as private do not apply to the serialized form, because default serialization writes every non-transient instance field into the stream. A class that does not explicitly deny serialization can therefore be serialized by any other class, which can then read the data stored inside it straight out of the stream without going through the class's accessors.

Modes of Introduction:

– Implementation


Likelihood of Exploit: High


Related Weaknesses

CWE-668 – Exposure of Resource to Wrong Sphere
CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor


Consequences

Confidentiality: Read Application Data

An attacker who can serialize an instance of the class, or an object that contains one, can write it out to a byte stream and then extract the sensitive fields from that stream.


Potential Mitigations

Phase: Implementation

Description: 

In Java, explicitly define a final writeObject() method to prevent serialization. This is the recommended solution. The method must be declared private, take an ObjectOutputStream parameter and declare that it throws IOException, because the serialization runtime looks the hook up by that exact name and signature and ignores anything else; have it throw a NotSerializableException to explicitly deny serialization. Define readObject() the same way so that a crafted stream cannot reconstruct an instance either.

Phase: Implementation

Description: 

Make sure to prevent serialization of your objects: do not implement Serializable (directly or through a superclass) on classes that hold sensitive data unless there is a requirement to do so, and where the containing object must remain serializable, mark the sensitive fields transient so that they are omitted from the stream.
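The following added example (not code from the CWE entry) puts the description and the mitigation above side by side. LeakyCredentials holds a password in a private field and is reachable from a separate Serializable class, Session, so serializing the Session leaks the password into the byte stream; GuardedCredentials is the same class with the writeObject()/readObject() denial from the mitigation, and serializing a Session that contains it fails. The class names, field names and the sample values "alice" and "hunter2" are assumptions made up for the demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class Cwe499Demo {

    // Vulnerable: Serializable, and nothing stops default serialization from
    // writing the private password field into the stream.
    static class LeakyCredentials implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String username;
        private final String password; // sensitive

        LeakyCredentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    // Hardened: still Serializable (as a framework or superclass might force),
    // but both serialization hooks refuse to run.
    static class GuardedCredentials implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String username;
        private final String password;

        GuardedCredentials(String username, String password) {
            this.username = username;
            this.password = password;
        }

        // The runtime only honours exactly this signature: private, one
        // ObjectOutputStream parameter, throws IOException.
        private final void writeObject(ObjectOutputStream out) throws IOException {
            throw new NotSerializableException(GuardedCredentials.class.getName());
        }

        // Deny the read side as well so a forged stream cannot rebuild an instance.
        private final void readObject(ObjectInputStream in) throws IOException {
            throw new NotSerializableException(GuardedCredentials.class.getName());
        }
    }

    // "Another class" that merely references the credentials object; serializing
    // it serializes the referenced object transitively.
    static class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Object credentials;

        Session(Object credentials) {
            this.credentials = credentials;
        }
    }

    // Serialize any object graph into a byte array (what an attacker who can
    // reach the object, or a logging/caching layer, would do).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Strings are stored in the stream as plain (modified UTF-8) bytes, so a
    // byte-wise search finds the secret without deserializing anything.
    static boolean streamContains(byte[] stream, String needle) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws IOException {
        byte[] leaked = serialize(new Session(new LeakyCredentials("alice", "hunter2")));
        System.out.println("Leaky: stream contains password = " + streamContains(leaked, "hunter2"));

        try {
            serialize(new Session(new GuardedCredentials("alice", "hunter2")));
            System.out.println("Guarded: unexpectedly serialized");
        } catch (NotSerializableException e) {
            System.out.println("Guarded: serialization refused for " + e.getMessage());
        }
    }
}
```

Compile and run with javac Cwe499Demo.java && java Cwe499Demo. The first line reports true: the password is readable from the bytes even though the field is private and the attacker never touched LeakyCredentials directly, only the Session that holds it. The guarded variant fails as soon as the serializer reaches it, which also stops the containing Session from being written; if the Session must remain serializable, the alternative is to mark the password field transient so that it is dropped from the stream instead.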

CVE References