Category-485: 7PK -封装

ID: 485 Status: Draft

Summary

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."

Membership

ID	NAME
CWE-486	使用名称来比较对象
CWE-488	对错误会话暴露数据元素
CWE-489	遗留的调试代码
CWE-491	公开的可克隆方法（对象劫持）
CWE-492	使用包含敏感数据的内部对象
CWE-493	缺少Final Modifier的关键公开变量
CWE-495	从公开方法中返回私有的数组类型数据域
CWE-496	公开数据赋值给私有的数组类型数据域
CWE-497	将系统数据暴露到未授权控制的范围
CWE-501	违背信任边界

Notes

Other

The "encapsulation" term is used in multiple ways. Within some security sources, the term is used to describe the establishment of boundaries between different control spheres. Within general computing circles, it is more about hiding implementation details and maintainability than security. Even within the security usage, there is also a question of whether "encapsulation" encompasses the entire range of security problems.

References

REF-6 Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors