CWE-1061: Insufficient Encapsulation
The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.
Last updated
Overview
CWE-1061 (Insufficient Encapsulation) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Common consequences
What can happen when CWE-1061 is exploited.
Varies by Context, Bypass Protection Mechanism
Affects: Access Control
An attacker can access data or methods that were not intended to be accessible.
Reduce Maintainability, Increase Analytical Complexity
Affects: Other
This issue makes it more difficult to maintain the product, which indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. It also might make it easier to introduce vulnerabilities.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following example shows a basic user account class that includes member variables for the username and password as well as a public constructor for the class and a public method to authorize access to the user account.
Vulnerable example
#define MAX_PASSWORD_LENGTH 15Safe example
class UserAccountHowever, the member variables username and password are declared public and therefore will allow access and changes to the member variables to anyone with access to the object. These member variables should be declared private as shown below to prevent unauthorized access and changes.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2010-3860 — variables declared public allow remote read of system properties such as user name and home directory.
Frequently asked questions
Common questions about CWE-1061.
- What is CWE-1061?
- The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend.
- How is CWE-1061 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1061?
- Exploiting CWE-1061 can lead to: Varies by Context, Bypass Protection Mechanism, Reduce Maintainability, Increase Analytical Complexity.
References
- MITRE CWE definition (CWE-1061) (opens in a new tab)
- CWE-1061 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1061
Get alerted the moment a new CWE-1061 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.