When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.
Extended Description
N/A
ThreatScore
Threat Mapped score: 3.0
Industry: Financial
Threat priority: P2 - Serious (High)
Observed Examples (CVEs)
No observed examples available.
Related Attack Patterns (CAPEC)
N/A
Attack TTPs
N/A
Modes of Introduction
Phase
Note
Architecture and Design
N/A
Implementation
N/A
Common Consequences
Impact: Read Application Data, Modify Application Data — Notes: N/A
Potential Mitigations
Implementation: Declare Java beans "local" when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker. (N/A)
Applicable Platforms
None listed.
Demonstrative Examples
Intro: The following example demonstrates the weakness.
Other: Entity beans that expose a remote interface become part of an application's attack surface. For performance reasons, an application should rarely use remote entity beans, so there is a good chance that a remote entity bean declaration is an error.
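As an added example (not part of the CWE entry or any project's code), the following Python check scans an ejb-jar.xml deployment descriptor and reports every entity bean that declares a remote interface (a `<home>` or `<remote>` element), which is the condition the mitigation above says to avoid; the descriptor, bean and class names are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample ejb-jar.xml (EJB 2.1 schema, hence the default namespace).
# EmployeeRecord exposes a remote interface; Department is local-only; the
# session bean is out of scope for this weakness and must not be reported.
SAMPLE_EJB_JAR = """<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <entity>
      <ejb-name>EmployeeRecord</ejb-name>
      <home>example.EmployeeRecordHome</home>
      <remote>example.EmployeeRecord</remote>
      <persistence-type>Container</persistence-type>
    </entity>
    <entity>
      <ejb-name>Department</ejb-name>
      <local-home>example.DepartmentLocalHome</local-home>
      <local>example.DepartmentLocal</local>
      <persistence-type>Container</persistence-type>
    </entity>
    <session>
      <ejb-name>PayrollService</ejb-name>
      <remote>example.PayrollService</remote>
    </session>
  </enterprise-beans>
</ejb-jar>
"""

REMOTE_TAGS = ("home", "remote")


def _local(tag):
    """Strip an XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def remote_entity_beans(ejb_jar_xml):
    """Return [(ejb-name, [exposed tags])] for entity beans declared remote."""
    root = ET.fromstring(ejb_jar_xml)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "entity":
            continue
        children = [(_local(c.tag), (c.text or "").strip()) for c in el]
        name = next((text for tag, text in children if tag == "ejb-name"), "<unnamed>")
        exposed = sorted({tag for tag, _ in children if tag in REMOTE_TAGS})
        if exposed:
            findings.append((name, exposed))
    return findings


if __name__ == "__main__":
    for name, tags in remote_entity_beans(SAMPLE_EJB_JAR):
        print(f"entity bean '{name}' declares remote interface elements: {tags}")
```

Running it on a real descriptor (`remote_entity_beans(open("ejb-jar.xml").read())`) lists the entity beans whose `<home>`/`<remote>` declarations should be reviewed and, where possible, replaced by `<local-home>`/`<local>`.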