Base weakness

Incomplete

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

Also known as: Mass Assignment, AutoBinding, PHP Object Injection

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability. This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-2024-3283 — Application for using LLMs allows modification of a sensitive variable using mass assignment.
CVE-2012-2054 — Mass assignment allows modification of arbitrary attributes using modified URL.
CVE-2012-2055 — Source version control product allows modification of trusted key using mass assignment.
CVE-2008-7310 — Attackers can bypass payment step in e-commerce product.
CVE-2013-1465 — Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.
CVE-2012-3527 — Use of PHP unserialize function on untrusted input in content management system might allow code execution.
CVE-2012-0911 — Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
CVE-2012-0911 — Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
CVE-2011-4962 — Content management system written in PHP allows code execution through page comments.
CVE-2009-4137 — Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.
CVE-2007-5741 — Content management system written in Python interprets untrusted data as pickles, allowing code execution.
CVE-2011-2520 — Python script allows local users to execute code via pickled data.
CVE-2005-2875 — Python script allows remote attackers to execute arbitrary code using pickled objects.
CVE-2013-0277 — Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code.
CVE-2011-2894 — Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code.
CVE-2012-1833 — Grails allows binding of arbitrary parameters to modify arbitrary object properties.
CVE-2010-3258 — Incorrect deserialization in web browser allows escaping the sandbox.
CVE-2008-1013 — Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Frequently asked questions

What is CWE-915?

What CVEs are caused by CWE-915?

How do you prevent CWE-915?

How is CWE-915 detected?

What are the consequences of CWE-915?

Is CWE-915 actively exploited?

References

Stay ahead of CWE-915

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Peer

Terminology & mappings

Alternate terms

Frequently asked questions

What is CWE-915?

What CVEs are caused by CWE-915?

How do you prevent CWE-915?

How is CWE-915 detected?

What are the consequences of CWE-915?

Is CWE-915 actively exploited?

References

Stay ahead of CWE-915