CWE-499: Serializable Class Containing Sensitive Data

Description

The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE

Extended Description

Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other class, which can then in turn use the data stored inside it.

Example Vulnerable Codes

Example - 1

This code creates a new record for a medical patient:



this.SetName(name);this.SetSocialSecurityNumber(ssn);private String name;private String socialSecurityNum;public Patient(String name,String ssn) {}class PatientRecord {}

This object does not explicitly deny serialization, allowing an attacker to serialize an instance of this object and gain a patient's name and Social Security number even though those fields are private.

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Go to

CWE-668: Exposure of Resource to Wrong Sphere

Go to

Visit http://cwe.mitre.org/ for more details.