CWE-374
Passing Mutable Objects to an Untrusted Method
Średni
Draft
2006-07-19
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Powiadomienia dla konkretnego CWE
Bądź na bieżąco z wszelkimi zmianami dotyczącymi konkretnego CWE.
Nazwa: Passing Mutable Objects to an Untrusted Method
The product sends non-cloned mutable data as an argument to a method or function.
Opis CWE
The function or method that has been called can alter or delete the mutable data. This could violate assumptions that the calling function has made about its state. In situations where unknown code is called with references to mutable data, this external code could make changes to the data sent. If this data was not previously cloned, the modified data might not be valid in the context of execution.
Informacje ogólne
Sposoby wprowadzenia
ImplementationOdpowiednie platformy
Język
Class: Object-Oriented (Undetermined)Name: C (Undetermined)
Name: C++ (Undetermined)
Name: Java (Undetermined)
Name: C# (Undetermined)
Typowe konsekwencje
| Zakres | Wpływ | Prawdopodobieństwo |
|---|---|---|
| Integrity | Modify Memory Note: Potentially data could be tampered with by another function which should not have been tampered with. |
Potencjalne środki zaradcze
Phases : ImplementationPass in data which should not be altered as constant or immutable.
Phases : Implementation
Clone all mutable data before passing it into an external function . This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.
Uwagi dotyczące mapowania podatności
Uzasadnienie : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Komentarz : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Odniesienia
REF-18
The CLASP Application Security ProcessSecure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
REF-374
Does Java pass by reference or pass by value?Tony Sintes.
https://web.archive.org/web/20000619025001/https://www.javaworld.com/javaworld/javaqa/2000-05/03-qa-0526-pass.html
REF-375
Java: The Complete Reference, J2SE 5th EditionHerbert Schildt.
Zgłoszenie
| Nazwa | Organizacja | Data | Data wydania | Version |
|---|---|---|---|---|
| CLASP | Draft 3 |
Modyfikacje
| Nazwa | Organizacja | Data | Komentarz |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Name, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated References | |
| CWE Content Team | MITRE | updated Description | |
| CWE Content Team | MITRE | updated References, Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Weakness_Ordinalities |
