CWE-767: Access to Critical Private Variable via Public Method

CWE-767: Access to Critical Private Variable via Public Method | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following example declares a critical variable to be private, and then allows the variable to be modified by public methods.

Vulnerable example

cpp

private: float price;

The following example could be used to implement a user forum where a single user (UID) can switch between multiple profiles (PID).

Vulnerable example

java

public class Client {

The programmer implemented setPID with the intention of modifying the PID variable, but due to a typo. accidentally specified the critical variable UID instead. If the program allows profile IDs to be between 1 and 10, but a UID of 1 means the user is treated as an admin, then a user could gain administrative privileges as a result of this typo.

CWE-767: Access to Critical Private Variable via Public Method

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-767?

What CVEs are caused by CWE-767?

How do you prevent CWE-767?

What are the consequences of CWE-767?

Is CWE-767 actively exploited?

References

Stay ahead of CWE-767

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-767?

What CVEs are caused by CWE-767?

How do you prevent CWE-767?

What are the consequences of CWE-767?

Is CWE-767 actively exploited?

References

Stay ahead of CWE-767