Description
Assigning public data to a private array is equivalent to giving public access to the array.
Potential Impact
Integrity
Modify Application Data
Demonstrative Examples
private String[] userRoles;public void setUserRoles(String[] userRoles) {this.userRoles = userRoles;}Mitigations & Prevention
Do not allow objects to modify private members of a class.
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- 7 Pernicious Kingdoms: — Public Data Assigned to Private Array-Typed Field
- Software Fault Patterns: SFP25 — Tainted input to variable
Frequently Asked Questions
What is CWE-496?
CWE-496 (Public Data Assigned to Private Array-Typed Field) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. Assigning public data to a private array is equivalent to giving public access to the array.
How can CWE-496 be exploited?
Attackers can exploit CWE-496 (Public Data Assigned to Private Array-Typed Field) to modify application data. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-496?
Key mitigations include: Do not allow objects to modify private members of a class.
What is the severity of CWE-496?
CWE-496 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.