CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Description
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
{"xhtml:p":["If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability.","This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection."]}
Parent Weaknesses (ChildOf)
Related Weaknesses
Common Consequences
Scope
Impact
Modify Application Data
Scope
Impact
Execute Unauthorized Code or Commands
Scope
Impact
Varies by Context, Alter Execution Logic
Potential Mitigations
If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists. For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment.
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified.
Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes.
CVE-2024-3283Application for using LLMs allows modification of a sensitive variable using mass assignment.
CVE-2012-2054Mass assignment allows modification of arbitrary attributes using modified URL.
CVE-2012-2055Source version control product allows modification of trusted key using mass assignment.
CVE-2008-7310Attackers can bypass payment step in e-commerce product.
CVE-2013-1465Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.
CVE-2012-3527Use of PHP unserialize function on untrusted input in content management system might allow code execution.
CVE-2012-0911Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.
CVE-2012-0911Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.
CVE-2011-4962Content management system written in PHP allows code execution through page comments.
CVE-2009-4137Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.
+8 more examples
Applicable Platforms
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now