CWE-9
J2EE Misconfiguration: Weak Access Permissions for EJB Methods
Description
If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.
If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
Other
Potential Mitigations
Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.
Applicable Platforms
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now