Assigning public data to a private array is equivalent to giving public access to the array.
View on MITREThe contents of the array can be modified from outside the intended scope.
Do not allow objects to modify private members of a class.
No detection method information available for this CWE.
In the example below, the setRoles() method assigns a publically-controllable array to a private field, thus allowing the caller to modify the private array directly by virtue of the fact that arrays in Java are mutable.
No relationship information available for this CWE.
CWE-496: Public Data Assigned to Private Array-Typed Field is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Assigning public data to a private array is equivalent to giving public access to the array.
If exploited, CWE-496 (Public Data Assigned to Private Array-Typed Field) it can compromise Integrity, leading to outcomes such as Modify Application Data.
Recommended mitigations for CWE-496 include: Do not allow objects to modify private members of a class.
CWE-496 commonly affects C, C++, Java and C#. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-496 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.