CWE-766 - Critical Data Element Declared Public

Read Time:38 Second

Description

The software declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-1061

Consequences

Integrity, Confidentiality: Read Application Data, Modify Application Data

Making a critical variable public allows anyone with access to the object in which the variable is contained to alter or read the value.

Other: Reduce Maintainability

Potential Mitigations

Phase: Implementation

Effectiveness:

Description:

Data should be private, static, and final whenever possible. This will assure that your code is protected by instantiating early, preventing access, and preventing tampering.

CVE References

CVE-2010-3860
- variables declared public allows remote read of system properties such as user name and home directory.

InCritical Data Element Declared Public, CVE-2010-3860, CWE- 766

White House to Tackle AI-Generated Sexual Abuse Images

Legacy Ivanti Cloud Service Appliance Being Exploited

Half of UK Firms Lack Basic Cybersecurity Skills

Advanced Phishing Attacks Put X Accounts at Risk

Apple to Drop Spyware Lawsuit Over Security Concerns

Tackling the Unique Cybersecurity Challenges of Online Learning Platforms

Meta Goes Ahead With Controversial AI Training in UK

23andMe Agrees to $30m Data Breach Settlement

UK Hosts International Cyber Skills Conference

CWE-766 – Critical Data Element Declared Public

Description

Related Weaknesses

Consequences

Potential Mitigations

CVE References

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

CWE-669 – Incorrect Resource Transfer Between Spheres

CWE-67 – Improper Handling of Windows Device Names

CWE-670 – Always-Incorrect Control Flow Implementation

CWE-671 – Lack of Administrator Control over Security