CWE-1061: Insufficient Encapsulation

Description

The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.

Potential Impact

Access Control

Varies by Context, Bypass Protection Mechanism

Other

Reduce Maintainability, Increase Analytical Complexity

Demonstrative Examples

The following example shows a basic user account class that includes member variables for the username and password as well as a public constructor for the class and a public method to authorize access to the user account.

Bad

#define MAX_PASSWORD_LENGTH 15#define MAX_USERNAME_LENGTH 15
               class UserAccount{
               public:
               UserAccount(char *username, char *password){if ((strlen(username) > MAX_USERNAME_LENGTH) ||(strlen(password) > MAX_PASSWORD_LENGTH)) {ExitError("Invalid username or password");}strcpy(this->username, username);strcpy(this->password, password);}
             
             
             int authorizeAccess(char *username, char *password){
             if ((strlen(username) > MAX_USERNAME_LENGTH) ||(strlen(password) > MAX_PASSWORD_LENGTH)) {ExitError("Invalid username or password");}
             // if the username and password in the input parameters are equal to
             
             
             // the username and password of this account class then authorize access
             if (strcmp(this->username, username) ||strcmp(this->password, password))return 0;
             
             // otherwise do not authorize access
             elsereturn 1;
             
             }
               char username[MAX_USERNAME_LENGTH+1];char password[MAX_PASSWORD_LENGTH+1];
               };

However, the member variables username and password are declared public and therefore will allow access and changes to the member variables to anyone with access to the object. These member variables should be declared private as shown below to prevent unauthorized access and changes.

Good

class UserAccount{public:...
               
               private:char username[MAX_USERNAME_LENGTH+1];char password[MAX_PASSWORD_LENGTH+1];};

Detection Methods

Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID	Description
CVE-2010-3860	variables declared public allow remote read of system properties such as user name and home directory.

Frequently Asked Questions

What is CWE-1061?

CWE-1061 (Insufficient Encapsulation) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Class-level weakness. The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke u...

How can CWE-1061 be exploited?

Attackers can exploit CWE-1061 (Insufficient Encapsulation) to varies by context, bypass protection mechanism. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1061?

Follow secure coding practices, conduct code reviews, and use automated security testing tools (SAST/DAST) to detect this weakness early in the development lifecycle.

What is the severity of CWE-1061?

CWE-1061 is classified as a Class-level weakness (High abstraction). It has been observed in 1 real-world CVEs.