CWE-9: J2EE Misconfiguration: Weak Access Permissions for EJB Methods

Description

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE
Extended Description

If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.

Example Vulnerable Codes

Example - 1

The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary().



<role-name>ANYONE</role-name><method><ejb-name>Employee</ejb-name><method-name>getSalary</method-name><method-permission></method-permission>
...<assembly-descriptor></assembly-descriptor>...<ejb-jar></ejb-jar>

Related Weaknesses

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.