CWE-915 Detail

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes
Incomplete
2013-02-21
00h00 +00:00
2024-07-16
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CWE Description

If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability.

This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection.

General Informations

Modes Of Introduction

Architecture and Design
Implementation

Applicable Platforms

Language

Name: Ruby (Undetermined)
Name: ASP.NET (Undetermined)
Name: PHP (Undetermined)
Name: Python (Undetermined)
Class: Not Language-Specific (Undetermined)

Common Consequences

Scope Impact Likelihood
IntegrityModify Application Data

Note: An attacker could modify sensitive data or program variables.
IntegrityExecute Unauthorized Code or Commands
Other
Integrity		Varies by Context, Alter Execution Logic

Observed Examples

References Description

CVE-2024-3283

Application for using LLMs allows modification of a sensitive variable using mass assignment.

CVE-2012-2054

Mass assignment allows modification of arbitrary attributes using modified URL.

CVE-2012-2055

Source version control product allows modification of trusted key using mass assignment.

CVE-2008-7310

Attackers can bypass payment step in e-commerce product.

CVE-2013-1465

Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.

CVE-2012-3527

Use of PHP unserialize function on untrusted input in content management system might allow code execution.

CVE-2012-0911

Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.

CVE-2012-0911

Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.

CVE-2011-4962

Content management system written in PHP allows code execution through page comments.

CVE-2009-4137

Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.

CVE-2007-5741

Content management system written in Python interprets untrusted data as pickles, allowing code execution.

CVE-2011-2520

Python script allows local users to execute code via pickled data.

CVE-2005-2875

Python script allows remote attackers to execute arbitrary code using pickled objects.

CVE-2013-0277

Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code.

CVE-2011-2894

Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code.

CVE-2012-1833

Grails allows binding of arbitrary parameters to modify arbitrary object properties.

CVE-2010-3258

Incorrect deserialization in web browser allows escaping the sandbox.

CVE-2008-1013

Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.

Potential Mitigations

Phases : Implementation

If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.

For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.


Phases : Architecture and Design // Implementation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Phases : Implementation
For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Phases : Implementation // Architecture and Design
Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.

Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

NotesNotes

The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization.

References

REF-885

Shocking News in PHP Exploitation
Stefan Esser.
https://owasp.org/www-pdf-archive/POC2009-ShockingNewsInPHPExploitation.pdf

REF-886

"Two Security Vulnerabilities in the Spring Framework's MVC" pdf (from 2008)
Dinis Cruz.
http://diniscruz.blogspot.com/2011/07/two-security-vulnerabilities-in-spring.html

REF-887

Two Security Vulnerabilities in the Spring Framework's MVC
Ryan Berg, Dinis Cruz.
https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf

REF-888

Best Practices for ASP.NET MVC
ASPNETUE.
https://web.archive.org/web/20100921074010/http://blogs.msdn.com/b/aspnetue/archive/2010/09/17/second_2d00_post.aspx

REF-889

Mass assignment in Rails applications
Michael Hartl.
https://web.archive.org/web/20090808163156/http://blog.mhartl.com/2008/09/21/mass-assignment-in-rails-applications/

REF-890

Secure your Rails apps!
Tobi.
https://pragtob.wordpress.com/2012/03/06/secure-your-rails-apps/

REF-891

Ruby On Rails Security Guide
Heiko Webers.
https://guides.rubyonrails.org/security.html#mass-assignment

REF-892

Mass Assignment Vulnerability in ASP.NET MVC
Josh Bush.
https://web.archive.org/web/20120309022539/http://freshbrewedcode.com/joshbush/2012/03/05/mass-assignment-aspnet-mvc

REF-893

6 Ways To Avoid Mass Assignment in ASP.NET MVC
K. Scott Allen.
https://odetocode.com/blogs/scott/archive/2012/03/11/complete-guide-to-mass-assignment-in-asp-net-mvc.aspx

REF-894

PHP Object Injection
Egidio Romano.
https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection

REF-464

Unserializing user-supplied data, a bad idea
Heine Deelstra.
https://drupalsun.com/heine/2010/08/25/unserializing-user-supplied-data-bad-idea

REF-466

Why Python Pickle is Insecure
Nadia Alramli.
http://michael-rushanan.blogspot.com/2012/10/why-python-pickle-is-insecure.html

Submission

Name Organization Date Date release Version
CWE Content Team MITRE 2013-01-26 +00:00 2013-02-21 +00:00 2.4

Modifications

Name Organization Date Comment
CWE Content Team MITRE 2013-07-17 +00:00 updated References
CWE Content Team MITRE 2017-05-03 +00:00 updated Potential_Mitigations
CWE Content Team MITRE 2017-11-08 +00:00 updated References
CWE Content Team MITRE 2019-06-20 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2020-06-25 +00:00 updated Alternate_Terms, Potential_Mitigations
CWE Content Team MITRE 2020-12-10 +00:00 updated Relationships
CWE Content Team MITRE 2021-10-28 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Description, Observed_Examples
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-02-29 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2024-07-16 +00:00 updated Observed_Examples
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.