Tag Archives: CWE- 8

CWE-8 – J2EE Misconfiguration: Entity Bean Declared Remote

Read Time:37 Second

Description

When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean’s data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application’s expectations, potentially leading to other vulnerabilities.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

 

Related Weaknesses

CWE-668

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data

 

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Declare Java beans “local” when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker.

CVE References