CWE-766 – Critical Data Element Declared Public

Description

The software declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-1061

 

Consequences

Integrity, Confidentiality: Read Application Data, Modify Application Data

Making a critical variable public allows anyone with access to the object in which the variable is contained to alter or read the value.

Other: Reduce Maintainability

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Declare data private, static, and final whenever possible. Each modifier addresses one part of the weakness: private prevents code outside the class from reading or writing the field, final prevents the reference from being reassigned (tampering), and a static final field is initialized once when the class is loaded, before any caller can observe it in an unset state. Use static only for data that is genuinely class-wide; a per-instance secret should be a private final instance field. Note that final protects only the reference: a mutable object (an array, a collection) reached through a final field can still be modified, so hand out defensive copies or immutable views rather than the internal object.
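The following is an added example written for this entry, not code from the CWE page or from any real project. It puts the weakness described above (a critical field declared public) next to the mitigated form (private, final, static only for the class-wide secret, defensive copies for mutable contents). Class names, field names, the key value and the token bytes are all constructed for illustration.

```java
// Added example for CWE-766 (not from the CWE entry or any real project).
// Class and field names, the key and the token bytes are illustrative assumptions.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Vulnerable pattern: every critical element is public. Any code holding a
// reference to the object can read or overwrite the instance fields, and any
// code at all can read or replace the static signing key.
class SessionVulnerable {
    public static String signingKey = "s3cr3t-hmac-key"; // readable/writable by anyone
    public boolean isAdmin;                               // flipped by a single assignment
    public byte[] token = {0x01, 0x02, 0x03};             // internal buffer aliased to callers
}

// Hardened pattern: private wherever possible, final so references cannot be
// reassigned, static only for the genuinely class-wide secret, no setters for
// state the class must control, and defensive copies for the mutable token.
final class SessionHardened {
    private static final byte[] SIGNING_KEY =
            "s3cr3t-hmac-key".getBytes(StandardCharsets.UTF_8); // loaded once, never exposed
    private final boolean isAdmin;
    private final byte[] token;

    SessionHardened(boolean isAdmin, byte[] token) {
        this.isAdmin = isAdmin;
        this.token = token.clone(); // copy in: caller cannot mutate our buffer later
    }

    boolean isAdmin() { return isAdmin; }

    byte[] token() { return token.clone(); } // copy out: caller gets a snapshot

    // The key is used inside the class and never handed to callers.
    static byte[] sign(byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SIGNING_KEY, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }
}

public class Cwe766Demo {
    public static void main(String[] args) {
        // Untrusted code that merely holds a reference to the vulnerable object:
        SessionVulnerable v = new SessionVulnerable();
        v.isAdmin = true;                          // privilege escalation by assignment
        SessionVulnerable.signingKey = "attacker"; // global key silently replaced
        v.token[0] = 0x7f;                         // internal buffer modified in place
        System.out.println("vulnerable: isAdmin=" + v.isAdmin
                + " key=" + SessionVulnerable.signingKey + " token[0]=" + v.token[0]);

        // The same attempts against the hardened object fail at compile time:
        //   h.isAdmin = true;              -> isAdmin has private access
        //   SessionHardened.SIGNING_KEY    -> private access (and final anyway)
        SessionHardened h = new SessionHardened(false, new byte[]{0x01, 0x02, 0x03});
        byte[] snapshot = h.token();
        snapshot[0] = 0x7f;                        // mutates only the caller's copy
        System.out.println("hardened: isAdmin=" + h.isAdmin()
                + " token[0]=" + h.token()[0]
                + " sigLen=" + SessionHardened.sign(h.token()).length);
    }
}
```

Save as `Cwe766Demo.java` (the public class name must match the file name), then `javac Cwe766Demo.java && java Cwe766Demo`. The first line shows the vulnerable object with `isAdmin=true`, the replaced key and `token[0]=127`; the second shows the hardened object unchanged (`isAdmin=false`, `token[0]=1`) and a 32-byte HMAC produced without the key ever leaving the class. Uncommenting either of the two lines in the comment block is the useful check: the compiler, not a runtime policy, rejects the access.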

CVE References

 

  • CVE-2010-3860
    • Variables declared public allow remote reading of system properties such as the user name and home directory.