When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.
View on MITREDeclare Java beans "local" when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker.
No detection method information available for this CWE.
The following example demonstrates the weakness.
CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote is a Common Weakness Enumeration (CWE) entry maintained by MITRE. When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities.
If exploited, CWE-8 (J2EE Misconfiguration: Entity Bean Declared Remote) it can compromise Confidentiality and Integrity, leading to outcomes such as Read Application Data and Modify Application Data.
Recommended mitigations for CWE-8 include: Declare Java beans "local" when possible. When a bean must be remotely accessible, make sure that sensitive information is not exposed, and ensure that the application logic performs appropriate validation of any data that might be modified by an attacker.
A CWE (Common Weakness Enumeration) like CWE-8 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.