CWE - CWE-766: Critical Variable Declared Public (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE List
Full Dictionary View
Development View
Research View
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research
CWE/SANS Top 25
CWSS

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

CWE-766: Critical Variable Declared Public

Critical Variable Declared Public

Weakness ID: 766 (Weakness Variant)

Status: Incomplete

Description

Description Summary

The software declares a critical variable or field to be public when intended security policy requires it to be private.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

C++

Java

Common Consequences

Scope	Effect
Integrity Confidentiality	Making a critical variable public allows anyone with access to the object in which the variable is contained to alter or read the value.

Likelihood of Exploit

Low to Medium

Demonstrative Examples

Example 1

The following example declares a critical variable public, making it accessible to anyone with access to the object in which it is contained.

(Bad Code)

C++

public: char* password;

Instead, the critical data should be declared private.

(Good Code)

C++

private: char* password;

Even though this example declares the password to be private, there are other possible issues with this implementation, such as the possibility of recovering the password from process memory (CWE-257).

Potential Mitigations

Phase	Description
Implementation	Data should be private, static, and final whenever possible. This will assure that your code is protected by instantiating early, preventing access, and preventing tampering.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Class	485	Insufficient Encapsulation	Development Concepts (primary)699 Research Concepts1000
ChildOf	Weakness Class	668	Exposure of Resource to Wrong Sphere	Research Concepts (primary)1000

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CLASP			Failure to protect stored data from modification

Content History

Submissions
Submission Date	Submitter	Organization	Source
2009-03-03			Internal CWE Team
2009-03-03

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us