If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.
View on MITREIf the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.
Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.
No detection method information available for this CWE.
The following deployment descriptor grants ANYONE permission to invoke the Employee EJB's method named getSalary().
No relationship information available for this CWE.
CWE-9: J2EE Misconfiguration: Weak Access Permissions for EJB Methods is a Common Weakness Enumeration (CWE) entry maintained by MITRE. If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product. If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.
If exploited, CWE-9 (J2EE Misconfiguration: Weak Access Permissions for EJB Methods) it can compromise Other, leading to outcomes such as Other.
Recommended mitigations for CWE-9 include: Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.
A CWE (Common Weakness Enumeration) like CWE-9 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.