Abstraction: Variant
Status: Incomplete

CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote

Category: config

Description

When an application exposes a remote interface for an entity bean, it usually also exposes the methods that get or set the bean's persistent fields. A remote interface is reachable by any client that can connect to the container over RMI/IIOP, not only by code running in the same JVM, so those accessors could be leveraged to read sensitive information, or to change data in ways that bypass the business logic and violate the application's expectations, potentially leading to other vulnerabilities.

Common consequences

  • Confidentiality / Integrity — Read Application Data, Modify Application Data

Potential mitigations

  • [Implementation] Declare entity beans "local" when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker before it reaches the bean's setters.
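The following is an added example, not code from the CWE entry or from MITRE, showing the EJB 2.x shape of this misconfiguration next to the mitigated design. The `Account` bean, the `TransferFacade` session bean, the field names and the exception type are all hypothetical; in a real project each interface and class would sit in its own source file.

```java
// Added example (hypothetical Account entity bean, EJB 2.x API).
import java.rmi.RemoteException;
import javax.ejb.EJBHome;
import javax.ejb.EJBLocalHome;
import javax.ejb.EJBLocalObject;
import javax.ejb.EJBObject;
import javax.ejb.FinderException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

// --- Misconfigured (CWE-8): the entity bean is declared remote -------------
// EJBHome/EJBObject are exported over RMI/IIOP. Any client that can reach the
// container and look up AccountRemoteHome in JNDI can call these accessors
// directly, reading the balance or rewriting it without any business rule.
interface AccountRemoteHome extends EJBHome {
    AccountRemote findByPrimaryKey(String accountId)
            throws FinderException, RemoteException;
}

interface AccountRemote extends EJBObject {
    String getOwner() throws RemoteException;                // leaks data
    long getBalanceCents() throws RemoteException;           // leaks data
    void setOwner(String owner) throws RemoteException;      // unvalidated write
    void setBalanceCents(long cents) throws RemoteException; // unvalidated write
}

// --- Mitigated: the same bean declared local only --------------------------
// EJBLocalHome/EJBLocalObject are never exported; these methods are callable
// only from components deployed in the same container.
interface AccountLocalHome extends EJBLocalHome {
    AccountLocal findByPrimaryKey(String accountId) throws FinderException;
}

interface AccountLocal extends EJBLocalObject {
    String getOwner();
    long getBalanceCents();
    void setBalanceCents(long cents);
}

// The only remote surface is a session facade whose operations encode the
// application's rules and validate every attacker-influenced argument
// before the entity bean's setters are touched.
class TransferException extends Exception {
    TransferException(String msg) { super(msg); }
}

interface TransferFacade extends EJBObject {
    void transfer(String fromId, String toId, long amountCents)
            throws RemoteException, TransferException;
}

class TransferFacadeBean implements SessionBean {
    private SessionContext ctx;
    private AccountLocalHome accounts; // looked up via JNDI in ejbCreate (omitted)

    public void transfer(String fromId, String toId, long amountCents)
            throws TransferException {
        if (fromId == null || toId == null || fromId.equals(toId)) {
            throw new TransferException("source and destination must differ");
        }
        if (amountCents <= 0) {
            throw new TransferException("amount must be positive");
        }
        try {
            AccountLocal from = accounts.findByPrimaryKey(fromId);
            AccountLocal to = accounts.findByPrimaryKey(toId);
            // Authorization: only the owner may debit the source account.
            String caller = ctx.getCallerPrincipal().getName();
            if (!caller.equals(from.getOwner())) {
                throw new TransferException("caller does not own source account");
            }
            if (from.getBalanceCents() < amountCents) {
                throw new TransferException("insufficient funds");
            }
            from.setBalanceCents(from.getBalanceCents() - amountCents);
            to.setBalanceCents(Math.addExact(to.getBalanceCents(), amountCents));
        } catch (FinderException e) {
            throw new TransferException("unknown account");
        }
    }

    public void ejbCreate() { /* look up AccountLocalHome here */ }
    public void ejbActivate() {}
    public void ejbPassivate() {}
    public void ejbRemove() {}
    public void setSessionContext(SessionContext c) { this.ctx = c; }
}
```

In the deployment descriptor the mitigated bean lists only `<local-home>` and `<local>` elements for `Account`; the `<home>` and `<remote>` elements that would publish it through the container's naming service are reserved for the facade. Reviewing `ejb-jar.xml` for entity beans that carry `<remote>` is a quick way to find instances of this misconfiguration in an existing deployment.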

References

  1. https://cwe.mitre.org/data/definitions/8.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: J2EE Misconfiguration: Weak Access Permissions for EJB Methods
  • CWE: J2EE Misconfiguration: Data Transmission Without Encryption
  • CWE: J2EE Misconfiguration: Plaintext Password in Configuration File
  • CWE: SQL Injection: Hibernate
  • CWE: J2EE Misconfiguration: Missing Custom Error Page
  • CWE: J2EE Misconfiguration: Insufficient Session-ID Length

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.