CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE Individual Dictionary Definition (CWE version 2.10)

CWE-375: Returning a Mutable Object to an Untrusted Caller

Weakness ID: 375
Abstraction: Base
Status: Draft
Description

Description Summary

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

Extended Description

In situations where functions return references to mutable data, it is possible that the external code which called the function may make changes to the data sent. If this data was not previously cloned, the class will then be using modified data which may violate assumptions about its internal state.

Time of Introduction

  • Implementation

Applicable Platforms

Languages: C, C++, Java, .NET

Common Consequences

Scope: Access Control, Integrity

Technical Impact: Modify memory

Effect: Data that should not be modifiable by other functions can potentially be tampered with.

Likelihood of Exploit

Medium

Demonstrative Examples

Example 1

This class has a private list of patients, but provides a way to see the list:

(Bad Code)
Example Language: Java

    public class ClinicalTrial {
        // Private internal state: the array of enrolled patients.
        private PatientClass[] patientList = new PatientClass[50];

        // Intended as a read-only accessor, but it hands out the internal array itself.
        public PatientClass[] getPatients() {
            return patientList;
        }
    }

While this code only means to allow reading of the patient list, the getPatients() method returns a reference to the class's original patient list instead of a reference to a copy of the list. Any caller of this method can arbitrarily modify the contents of the patient list even though it is a private member of the class.

Potential Mitigations

Phase: Implementation

Declare returned data which should not be altered as constant or immutable.

Phase: Implementation

Clone all mutable data before returning references to it. This is the preferred mitigation. This way, regardless of what changes are made to the data, a valid copy is retained for use by the class.
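The following is an added example, not code from the CWE entry: it hardens the ClinicalTrial class from Example 1 using both mitigations above (a defensive copy for getPatients(), and a read-only view as a second accessor). PatientClass is a hypothetical minimal immutable type, since the entry never defines it; enroll(), count and getPatientsView() are also assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical stand-in for the entry's undefined PatientClass. It is immutable,
// which is what makes a shallow copy of the array sufficient below.
final class PatientClass {
    private final String id;
    PatientClass(String id) { this.id = id; }
    String getId() { return id; }
}

public class ClinicalTrialSafe {
    private final PatientClass[] patientList = new PatientClass[50];
    private int count = 0;

    public void enroll(PatientClass p) {
        if (count == patientList.length) throw new IllegalStateException("trial full");
        patientList[count++] = p;
    }

    // Preferred mitigation: return a copy, so no caller ever holds a reference
    // to the private array. Arrays.copyOf is shallow; that is safe only because
    // PatientClass itself cannot be mutated.
    public PatientClass[] getPatients() {
        return Arrays.copyOf(patientList, count);
    }

    // First mitigation: expose an immutable view rather than a mutable object.
    public List<PatientClass> getPatientsView() {
        return Collections.unmodifiableList(Arrays.asList(Arrays.copyOf(patientList, count)));
    }

    public static void main(String[] args) {
        ClinicalTrialSafe trial = new ClinicalTrialSafe();
        trial.enroll(new PatientClass("P-001"));   // constructed sample data

        // A caller overwrites an element of what it was handed...
        PatientClass[] handed = trial.getPatients();
        handed[0] = new PatientClass("OVERWRITTEN");

        // ...but the trial's private state still holds the original patient.
        System.out.println("internal copy still reports: " + trial.getPatients()[0].getId());

        try {
            trial.getPatientsView().set(0, new PatientClass("OVERWRITTEN"));
        } catch (UnsupportedOperationException e) {
            System.out.println("read-only view rejected the modification");
        }
    }
}
```

Note that the copy must be deep whenever the element type is itself mutable; otherwise a caller can still alter the shared elements through the copy.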

Relationships

Nature  | Type           | ID  | Name                                                           | View(s) this relationship pertains to
ChildOf | Category       | 371 | State Issues                                                   | Development Concepts (primary) (699)
ChildOf | Weakness Class | 668 | Exposure of Resource to Wrong Sphere                           | Research Concepts (primary) (1000)
ChildOf | Category       | 849 | CERT Java Secure Coding Section 04 - Object Orientation (OBJ)  | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) (844)
ChildOf | Category       | 963 | SFP Secondary Cluster: Exposed Data                            | Software Fault Pattern (SFP) Clusters (primary) (888)
Taxonomy Mappings

Mapped Taxonomy Name     | Node ID | Fit | Mapped Node Name
CLASP                    |         |     | Mutable object returned
CERT Java Secure Coding  | OBJ04-J |     | Provide mutable classes with copy functionality to safely allow passing instances to untrusted code
CERT Java Secure Coding  | OBJ05-J |     | Defensively copy private mutable class members before returning their references
Software Fault Patterns  | SFP23   |     | Exposed Data
Content History

Submissions

Submission Date | Submitter | Organization | Source
                | CLASP     |              | Externally Mined

Modifications

Modification Date | Modifier         | Organization | Source   | Changes
2008-07-01        | Eric Dalci       | Cigital      | External | updated Time_of_Introduction
2008-09-08        | CWE Content Team | MITRE        | Internal | updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings
2010-09-27        | CWE Content Team | MITRE        | Internal | updated Name, Taxonomy_Mappings
2011-06-01        | CWE Content Team | MITRE        | Internal | updated Common_Consequences, Relationships, Taxonomy_Mappings
2012-05-11        | CWE Content Team | MITRE        | Internal | updated Relationships, Taxonomy_Mappings
2012-10-30        | CWE Content Team | MITRE        | Internal | updated Demonstrative_Examples
2014-06-23        | CWE Content Team | MITRE        | Internal | updated Description, Other_Notes, Potential_Mitigations
2014-07-30        | CWE Content Team | MITRE        | Internal | updated Relationships, Taxonomy_Mappings

Previous Entry Names

Change Date | Previous Entry Name
2010-09-27  | Passing Mutable Objects to an Untrusted Method

Page Last Updated: January 18, 2017