Abstraction: Variant
Status: Draft

CWE-9: J2EE Misconfiguration: Weak Access Permissions for EJB Methods

Category: authz

Description

If EJB methods are assigned broader access rights than they need, an attacker can use those permissions to invoke the methods and exploit the product. If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through, or that the application is structured in such a way that reasonable access control restrictions are impossible.

Common consequences

  • Scope: Other. Technical impact: Other.

Potential mitigations

  • Phases: Architecture and Design; System Configuration. Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.
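As an added example (not part of the CWE entry or of any vendor's tooling), the following check scans an ejb-jar.xml assembly descriptor for method permissions granted to the ANYONE role described above, and also for the standard `<unchecked/>` declaration, which likewise lets any caller invoke the listed methods. The descriptor, bean names and role names are constructed for the demonstration.

```python
# Added example: flag EJB method permissions that any caller satisfies
# (the ANYONE role, or the standard <unchecked/> element). Constructed input.
import xml.etree.ElementTree as ET

SAMPLE_EJB_JAR_XML = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.1">
  <assembly-descriptor>
    <method-permission>
      <role-name>ANYONE</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>ReportBean</ejb-name><method-name>export</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>teller</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>transfer</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

def _local(tag):
    """Drop the namespace so J2EE, Java EE and Jakarta descriptors all match."""
    return tag.rsplit("}", 1)[-1]

def _children(el, name):
    return [c for c in el if _local(c.tag) == name]

def find_weak_method_permissions(xml_text):
    """Return (ejb-name, method-name, grant) for each method-permission granted
    to ANYONE or declared <unchecked/>; an empty list means none were found."""
    findings = []
    for mp in ET.fromstring(xml_text).iter():
        if _local(mp.tag) != "method-permission":
            continue
        roles = [r.text.strip().upper() for r in _children(mp, "role-name") if r.text]
        if _children(mp, "unchecked"):
            grant = "unchecked"
        elif "ANYONE" in roles:
            grant = "ANYONE"
        else:
            continue  # a named application role: not flagged by this check
        for m in _children(mp, "method"):
            ejb = _children(m, "ejb-name")[0].text.strip()
            meth = _children(m, "method-name")[0].text.strip()
            findings.append((ejb, meth, grant))
    return findings
```

Run it against each module's ejb-jar.xml during build; any finding for a method that does real work should be replaced by a grant to a named role, as the mitigation above states.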

References

  1. https://cwe.mitre.org/data/definitions/9.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus:

  • CWE: J2EE Misconfiguration: Entity Bean Declared Remote
  • CWE: J2EE Misconfiguration: Plaintext Password in Configuration File
  • CWE: J2EE Misconfiguration: Data Transmission Without Encryption
  • CWE: J2EE Misconfiguration: Missing Custom Error Page
  • CWE: J2EE Misconfiguration: Insufficient Session-ID Length
  • CWE: EJB Bad Practices: Use of Class Loader
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.