
CWE-499 (Serializable class containing sensitive information) — Vulnerability Class 1

1 vulnerability classified as CWE-499 (Serializable class containing sensitive information). AI Chinese analysis included.

CWE-499 represents a design weakness where a class containing sensitive data fails to explicitly prevent serialization, effectively rendering its internal state publicly accessible. This vulnerability arises because Java’s default serialization mechanism allows any other class to serialize the object, bypassing encapsulation controls that would normally restrict data access. Attackers typically exploit this by instantiating the vulnerable class, serializing it to a stream or file, and then deserializing it in a separate context to extract confidential information such as credentials or personal identifiers. To mitigate this risk, developers must implement the Externalizable interface or define private readObject and writeObject methods to control the serialization process. Alternatively, marking sensitive fields as transient ensures they are excluded from the serialized output, thereby preserving data confidentiality even if the class structure is compromised.

MITRE CWE Description
The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class. Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other class, which can then in turn use the data stored inside it.
Common Consequences (1)
Confidentiality: Read Application Data
An attacker can write out the class to a byte stream, then extract the important data from it.
Mitigations (2)
Implementation: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
Implementation: Make sure to prevent serialization of your objects.
Examples (1)
This code creates a new record for a medical patient. The class holds a name and a social security number, is serializable, and does nothing to deny serialization, so any code holding a reference can write the full record, SSN included, to a byte stream. (The constructor name and the setter methods, which the original listing left undefined, are corrected here so the class compiles; the weakness itself is unchanged.)

    import java.io.Serializable;

    class PatientRecord implements Serializable {
        private String name;
        private String socialSecurityNum;   // sensitive field, not transient, no writeObject() guard

        public PatientRecord(String name, String ssn) {
            this.setName(name);
            this.setSocialSecurityNumber(ssn);
        }

        private void setName(String name) { this.name = name; }
        private void setSocialSecurityNumber(String ssn) { this.socialSecurityNum = ssn; }
    }

Bad · Java
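The following program is an added example, not MITRE's code and not the page's own; it shows the weakness described above beside both mitigations listed under "Mitigations". The class names (Cwe499Demo, LeakyPatientRecord, DeniedPatientRecord, TransientPatientRecord), the helper methods and the sample SSN value are all constructed for this illustration. LeakyPatientRecord is the CWE-499 pattern: the sensitive field lands verbatim in the serialized stream. DeniedPatientRecord applies the recommended fix, a writeObject() (and readObject()) that throws NotSerializableException. TransientPatientRecord applies the alternative, marking the field transient so it is omitted from the stream and comes back as null after a round trip.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

// Hypothetical demonstration class; names and sample data are constructed for this example.
public class Cwe499Demo {

    // Weak: sensitive data in a Serializable class with no denial of serialization (CWE-499).
    static class LeakyPatientRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        private String name;
        private String socialSecurityNum;
        LeakyPatientRecord(String name, String ssn) { this.name = name; this.socialSecurityNum = ssn; }
    }

    // Fix 1 (MITRE's recommended one): explicitly refuse to serialize or deserialize.
    static class DeniedPatientRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        private String name;
        private String socialSecurityNum;
        DeniedPatientRecord(String name, String ssn) { this.name = name; this.socialSecurityNum = ssn; }

        // Java serialization looks for exactly this signature; throwing here blocks writeObject() callers.
        private final void writeObject(ObjectOutputStream out) throws IOException {
            throw new NotSerializableException("DeniedPatientRecord must not be serialized");
        }

        // Also refuse hand-crafted input streams targeting this class.
        private final void readObject(ObjectInputStream in) throws IOException {
            throw new NotSerializableException("DeniedPatientRecord must not be deserialized");
        }
    }

    // Fix 2: keep the class serializable but exclude the sensitive field from the stream.
    static class TransientPatientRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        private String name;
        private transient String socialSecurityNum;   // never written to the serialized form
        TransientPatientRecord(String name, String ssn) { this.name = name; this.socialSecurityNum = ssn; }
        String getSocialSecurityNum() { return socialSecurityNum; }
    }

    // Serialize any object into an in-memory byte array (stands in for a file or network stream).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Java writes String fields in modified UTF-8, so an ASCII value appears verbatim in the stream.
    // Decoding as ISO-8859-1 maps each byte to one char, which makes a plain substring check valid.
    static boolean streamContains(byte[] data, String needle) {
        return new String(data, StandardCharsets.ISO_8859_1).contains(needle);
    }

    public static void main(String[] args) throws Exception {
        String ssn = "123-45-6789";   // constructed sample value, not real data

        byte[] leaked = serialize(new LeakyPatientRecord("Alice", ssn));
        System.out.println("LeakyPatientRecord: SSN present in stream = " + streamContains(leaked, ssn));

        byte[] safe = serialize(new TransientPatientRecord("Alice", ssn));
        System.out.println("TransientPatientRecord: SSN present in stream = " + streamContains(safe, ssn));
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(safe))) {
            TransientPatientRecord back = (TransientPatientRecord) in.readObject();
            System.out.println("TransientPatientRecord: SSN after round trip = " + back.getSocialSecurityNum());
        }

        try {
            serialize(new DeniedPatientRecord("Alice", ssn));
            System.out.println("DeniedPatientRecord: serialization unexpectedly succeeded");
        } catch (NotSerializableException e) {
            System.out.println("DeniedPatientRecord: serialization refused (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac Cwe499Demo.java && java Cwe499Demo`. The leaky variant reports the SSN present in the byte stream, the transient variant reports it absent and returns null after deserialization, and the denied variant throws NotSerializableException before any bytes of the record are written. In a code review, the check to apply is simple: any class that implements Serializable (directly or through a superclass) and holds credentials, identifiers or keys must either declare those fields transient or define a writeObject() that throws.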
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-5657 | CraftCMS Plugin - Two-Factor Authentication - Password Hash Disclosure | CraftCMS Plugin - Two-Factor Authentication | 3.7 | Low | 2024-06-06

Vulnerabilities classified as CWE-499 (Serializable class containing sensitive information) account for 1 CVE. The CWE taxonomy describes the weakness; review the individual CVE for product-specific impact.