The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.
View on MITREThe contents of the data structure can be modified from outside the intended scope.
Declare the method private.
Clone the member data and keep an unmodified version of the data private to the object.
Use public setter methods that govern how a private member can be modified.
No detection method information available for this CWE.
Here, a public method in a Java class returns a reference to a private array. Given that arrays in Java are mutable, any modifications made to the returned reference would be reflected in the original private array.
In this example, the Color class defines functions that return non-const references to private members (an array type and an integer type), which are then arbitrarily altered from outside the control of the class.
No relationship information available for this CWE.
CWE-495: Private Data Structure Returned From A Public Method is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.
If exploited, CWE-495 (Private Data Structure Returned From A Public Method) it can compromise Integrity, leading to outcomes such as Modify Application Data.
Recommended mitigations for CWE-495 include: Declare the method private. Clone the member data and keep an unmodified version of the data private to the object. Use public setter methods that govern how a private member can be modified.
CWE-495 commonly affects C, C++, Java and C#. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-495 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.