CWE-499: Serializable Class Containing Sensitive Data
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.
扩展描述
Serializable classes are effectively open classes since data cannot be hidden in them. Classes that do not explicitly deny serialization can be serialized by any other class, which can then in turn use the data stored inside it.
常见后果
影响范围: Confidentiality
技术影响: Read Application Data
说明: an attacker can write out the class to a byte stream, then extract the important data from it.
潜在缓解措施
阶段: Implementation
描述: In Java, explicitly define final writeObject() to prevent serialization. This is the recommended solution. Define the writeObject() function to throw an exception explicitly denying serialization.
阶段: Implementation
描述: Make sure to prevent serialization of your objects.
检测方法
方法: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
有效性: High
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| CLASP | - | Information leak through serialization | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | SER03-J | Do not serialize unencrypted, sensitive data | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | SER05-J | Do not serialize instances of inner classes | - |
| Software Fault Patterns | SFP23 | Exposed Data | - |