Abstraction: Variant (Status: Draft)

CWE-499: Serializable Class Containing Sensitive Data

Category: data-exposure

Description

The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other class, which can then in turn use the data stored inside it.

Common consequences

  • Confidentiality — Read Application Data
    An attacker can write out the class to a byte stream, then extract the important data from it.

Potential mitigations

  • [Implementation] In Java, explicitly define a final writeObject() method to prevent serialization. This is the recommended solution: define writeObject() so that it throws an exception, explicitly denying serialization of the class.
  • [Implementation] Make sure to prevent serialization of your objects.
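The two mitigation items above, shown side by side as an added Java example (not code from MITRE or the CWE entry): LeakyCredentials is the weakness pattern, GuardedCredentials applies the recommended writeObject() fix (plus a matching readObject() guard). The class names and the sample secret are constructed for the demo.

```java
import java.io.*;

public class SerializationDemo {

    // Weak form: holds a secret but does nothing to deny serialization,
    // so any code holding a reference can write the whole object to a stream.
    static class LeakyCredentials implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String password;  // private, but not hidden from serialization
        LeakyCredentials(String password) { this.password = password; }
    }

    // Hardened form (the mitigation above): same data, but writeObject() refuses
    // to write the object and readObject() refuses to rebuild it from a stream.
    static class GuardedCredentials implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String password;
        GuardedCredentials(String password) { this.password = password; }

        private final void writeObject(ObjectOutputStream out) throws IOException {
            throw new NotSerializableException("GuardedCredentials must not be serialized");
        }
        private final void readObject(ObjectInputStream in) throws IOException {
            throw new NotSerializableException("GuardedCredentials must not be deserialized");
        }
    }

    // Serializes any object to a byte array, as a caller outside the class would.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // "hunter2-example" is a constructed sample secret, not a real credential.
        byte[] leaked = serialize(new LeakyCredentials("hunter2-example"));
        boolean visible = new String(leaked, "ISO-8859-1").contains("hunter2-example");
        System.out.println("leaky: " + leaked.length + " bytes, secret visible: " + visible);
        try {
            serialize(new GuardedCredentials("hunter2-example"));
            System.out.println("guarded: serialized (mitigation missing!)");
        } catch (NotSerializableException e) {
            System.out.println("guarded: refused, " + e.getMessage());
        }
    }
}
```

The leaky run reports the secret visible in the stream bytes because Java writes String fields in modified UTF-8; the guarded run ends in the NotSerializableException thrown by writeObject().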

References

  1. https://cwe.mitre.org/data/definitions/499.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Cloneable Class Containing Sensitive Information
  • CWE: Insertion of Sensitive Information Into Sent Data
  • CWE: Public Static Field Not Marked Final
  • CWE: Public Static Final Field References Mutable Object
  • CWE: Use of Inner Class Containing Sensitive Data
  • CWE: Insufficient Encapsulation

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.