
CWE-495 Private Data Structure Returned From A Public Method: vulnerability list (1)

CWE-495 Private Data Structure Returned From A Public Method: summary of the 1 CVE associated with this weakness class, with AI-generated Chinese analysis.

CWE-495 is a weakness in controlling access to internal data. When a public method returns a reference to a private data structure, a caller can bypass encapsulation and modify the object's internal state directly, without going through any validation the class performs. The consequence is primarily an integrity problem (corrupted state, broken invariants, unexpected program logic) rather than a disclosure one: the caller was already allowed to read the data. Developers should avoid handing out references to internal objects and instead return a copy or a read-only view, and route modifications through setters that enforce the class's invariants.

MITRE CWE official description
CWE-495 Private Data Structure Returned From A Public Method: The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.
Common consequences (1)
Integrity: Modify Application Data
The contents of the data structure can be modified from outside the intended scope.
Mitigations (3)
Implementation: Declare the method private.
Implementation: Clone the member data and keep an unmodified version of the data private to the object.
Implementation: Use public setter methods that govern how a private member can be modified.
Code examples (2)
Here, a public method in a Java class returns a reference to a private array. Because arrays in Java are mutable, any modification made through the returned reference is reflected in the original private array.

    public class Palette {
        private String[] colors;

        // Bad: returns a reference to the private array, so any caller can
        // overwrite its elements in place and bypass the class's control.
        public String[] getColors() {
            return colors;
        }
    }

Bad · Java
In this example, the Color class defines member functions that return non-const references to private members (an array and an integer), which are then altered arbitrarily from outside the control of the class. (The declarations are written as valid C++ here; MITRE's listing uses the non-compiling spelling `int[2] colorArray`.)

    class Color {
    private:
        int colorArray[2];
        int colorValue;
    public:
        Color() : colorArray{1, 2}, colorValue(3) {}
        int (&fa())[2] { return colorArray; }  // returns reference to private array
        int &fv() { return colorValue; }       // returns reference to private integer
    };

    int main() {
        Color c;
        c.fa()[1] = 42;  // modifies private array element
        c.fv() = 42;     // modifies private int
        return 0;
    }

Bad · C++
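The following is an added example, not code from MITRE or from this page, that puts the leaky pattern beside a version applying mitigations 2 and 3 above (defensive copy or read-only view for reads, a validating setter for writes). The class names `LeakyPalette` and `SafePalette`, the "1..8 non-empty colour names" invariant, and the helper functions are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Added example (not from MITRE or the page). Names and invariant are
// chosen for illustration only.

// Leaky: the getter returns a non-const reference to the private vector, so a
// caller can change internal state without passing any check (CWE-495).
class LeakyPalette {
public:
    LeakyPalette() : colors_{"red", "green", "blue"} {}
    std::vector<std::string>& colors() { return colors_; }  // CWE-495
    std::size_t count() const { return colors_.size(); }
private:
    std::vector<std::string> colors_;
};

// Hardened: reads go through a const reference (cannot be modified through it
// without a deliberate const_cast) or a defensive copy; writes go through a
// setter that enforces the invariant "1..8 non-empty colour names".
class SafePalette {
public:
    SafePalette() : colors_{"red", "green", "blue"} {}
    const std::vector<std::string>& colors() const { return colors_; }  // read-only view
    std::vector<std::string> colorsCopy() const { return colors_; }      // defensive copy
    void setColor(std::size_t index, const std::string& name) {
        if (index >= colors_.size()) throw std::out_of_range("bad index");
        if (name.empty()) throw std::invalid_argument("empty colour name");
        colors_[index] = name;
    }
    void addColor(const std::string& name) {
        if (colors_.size() >= 8) throw std::length_error("palette full");
        if (name.empty()) throw std::invalid_argument("empty colour name");
        colors_.push_back(name);
    }
    std::size_t count() const { return colors_.size(); }
private:
    std::vector<std::string> colors_;
};

// A caller holding the leaky reference can empty the palette outright,
// violating the invariant the class was supposed to own.
std::size_t leakyCountAfterClear() {
    LeakyPalette p;
    p.colors().clear();  // bypasses every check; internal state is now empty
    return p.count();    // 0
}

// With the hardened class, clearing the returned copy leaves the object intact.
std::size_t safeCountAfterClearingCopy() {
    SafePalette p;
    std::vector<std::string> copy = p.colorsCopy();
    copy.clear();
    return p.count();    // still 3
}

// The setter rejects an invalid update instead of silently corrupting state.
bool safeSetterRejectsEmptyName() {
    SafePalette p;
    try {
        p.setColor(0, "");
    } catch (const std::invalid_argument&) {
        return p.colors()[0] == "red";  // unchanged after the rejected write
    }
    return false;
}

// A valid update through the setter is applied.
std::string safeSetterAppliesValidName() {
    SafePalette p;
    p.setColor(1, "cyan");
    return p.colors()[1];  // "cyan"
}
```

Two caveats a reviewer should keep in mind: a copy is only a fix if it is deep enough, since copying a container of pointers or of mutable objects (in Java, `Arrays.copyOf` on an array of mutable objects) still shares the elements with the caller; and a `const` reference protects against accidental modification, not against a caller willing to `const_cast` it away, so data whose integrity matters to a security decision should be copied rather than merely exposed read-only.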
CVE ID           Title                                                  CVSS  Risk level  Published
CVE-2025-29868   Apache Answer security vulnerability (Apache Answer)   6.5   -           2025-04-01

CWE-495 (Private Data Structure Returned From A Public Method) is a common weakness class; this platform lists 1 CVE associated with it.