The product defines a public method that reads or modifies a private variable.

What CVEs are caused by CWE-767?

4 recorded CVEs are attributed to CWE-767, including CVE-2020-26868, CVE-2024-36463, CVE-2024-34162.

How do you prevent CWE-767?

Use class accessor and mutator methods appropriately. Perform validation when accepting data from a public method that is intended to modify a critical private variable. Also be sure that appropriate access controls are being applied when a public method interfaces with critical data.

What are the consequences of CWE-767?

Exploiting CWE-767 can lead to: Modify Application Data, Other.

Is CWE-767 actively exploited?

4 recorded CVEs are caused by CWE-767; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-767: Access to Critical Private Variable via Public Method

CVE-2016-8380

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following example declares a critical variable to be private, and then allows the variable to be modified by public methods.

Vulnerable example

cpp

private: float price;

The following example could be used to implement a user forum where a single user (UID) can switch between multiple profiles (PID).

Vulnerable example

java

public class Client {

The programmer implemented setPID with the intention of modifying the PID variable, but due to a typo. accidentally specified the critical variable UID instead. If the program allows profile IDs to be between 1 and 10, but a UID of 1 means the user is treated as an admin, then a user could gain administrative privileges as a result of this typo.

CWE-767: Access to Critical Private Variable via Public Method

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-767?

What CVEs are caused by CWE-767?

How do you prevent CWE-767?

What are the consequences of CWE-767?

Is CWE-767 actively exploited?

References

Stay ahead of CWE-767

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-767?

What CVEs are caused by CWE-767?

How do you prevent CWE-767?

What are the consequences of CWE-767?

Is CWE-767 actively exploited?

References

Stay ahead of CWE-767