7PK - Encapsulation
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."
The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.
The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the und...
The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.
A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in a...
Assigning public data to a private array is equivalent to giving public access to the array.
The product mixes trusted and untrusted data in the same data structure or structured message.
Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.
This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.
- Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
NIST Workshop on Software Security Assurance Tools Techniques and Metrics