{"@ID": "915", "@Name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.", "Extended_Description": {"xhtml:p": ["If the object contains attributes that were only intended for internal use, then their unexpected modification could lead to a vulnerability.", "This weakness is sometimes known by the language-specific mechanisms that make it possible, such as mass assignment, autobinding, or object injection."]}, "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "913", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "PeerOf", "@CWE_ID": "502", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": [{"@Name": "Ruby", "@Prevalence": "Undetermined"}, {"@Name": "ASP.NET", "@Prevalence": "Undetermined"}, {"@Name": "PHP", "@Prevalence": "Undetermined"}, {"@Name": "Python", "@Prevalence": "Undetermined"}, {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}], "Technology": {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}}, "Alternate_Terms": {"Alternate_Term": [{"Term": "Mass Assignment", "Description": "\"Mass assignment\" is the name of a feature in Ruby on Rails that allows simultaneous modification of multiple object attributes."}, {"Term": "AutoBinding", "Description": "The \"Autobinding\" term is used in frameworks such as Spring MVC and ASP.NET MVC."}, {"Term": "PHP Object Injection", "Description": "Some PHP application researchers use this term for attacking unsafe use of the unserialize() function, but it is also used for CWE-502."}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}]}, "Common_Consequences": {"Consequence": [{"Scope": "Integrity", "Impact": "Modify Application Data", "Note": "An attacker could modify sensitive data or program variables."}, {"Scope": "Integrity", "Impact": "Execute Unauthorized Code or Commands"}, {"Scope": ["Other", "Integrity"], "Impact": ["Varies by Context", "Alter Execution Logic"]}]}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Implementation", "Description": {"xhtml:p": ["If available, use features of the language or framework that allow specification of allowlists of attributes or fields that are allowed to be modified. If possible, prefer allowlists over denylists.", "For applications written with Ruby on Rails, use the attr_accessible (allowlist) or attr_protected (denylist) macros in each class that may be used in mass assignment."]}}, {"Phase": ["Architecture and Design", "Implementation"], "Description": "If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified."}, {"Phase": "Implementation", "Strategy": "Input Validation", "Description": "For any externally-influenced input, check the input against an allowlist of internal object attributes or fields that are allowed to be modified."}, {"Phase": ["Implementation", "Architecture and Design"], "Strategy": "Refactoring", "Description": "Refactor the code so that object attributes or fields do not need to be dynamically identified, and only expose getter/setter functionality for the intended attributes."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-206", "Intro_Text": "This function sets object attributes based on a dot-separated path.", "Example_Code": [{"@Nature": "Bad", "@Language": "JavaScript", "xhtml:div": {"xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "objectToModify[attr] = {};\n\t\t }"}, "#text": "if (typeof objectToModify[attr] !== 'object') {\n\t\t \n\t\t objectToModify = objectToModify[attr];\n\t\t }"}, "#text": "const pathArray = path.split(\".\");\n\t\t const attributeToSet = pathArray.pop();\n\t\t let objectToModify = object;\n\t\t for (const attr of pathArray) {\n\t\t \n\t\t objectToModify[attributeToSet] = value;\n\t\t return object;\n\t\t }"}, "#text": "function setValueByPath (object, path, value) {"}}, {"@Nature": "Bad", "@Language": "JavaScript", "xhtml:div": {"xhtml:br": [null, null], "#text": "setValueByPath({}, \"__proto__.isAdmin\", true)\n\t\t setValueByPath({}, \"constructor.prototype.isAdmin\", true)"}}, {"@Nature": "Good", "@Language": "JavaScript", "xhtml:div": {"xhtml:br": null, "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null, null, null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:i": "// Ignore attributes which resolve to object prototype", "xhtml:br": [null, null, null, null, null], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "continue;\n\t\t       }"}, {"@style": "margin-left:1em;", "xhtml:br": [null, null], "#text": "objectToModify[attr] = {};\n\t\t       }"}], "#text": "if (attr === \"__proto__\" || attr === \"constructor\" || attr === \"prototype\") {\n\t\t     \n\t\t     if (typeof objectToModify[attr] !== \"object\") {\n\t\t     \n\t\t     objectToModify = objectToModify[attr];\n\t\t     }"}, "#text": "const pathArray = path.split(\".\");\n\t\t   const attributeToSet = pathArray.pop();\n\t\t   let objectToModify = object;\n\t\t   for (const attr of pathArray) {\n\t\t   \n\t\t   objectToModify[attributeToSet] = value;\n\t\t   return object;\n\t\t   }"}, "#text": "function setValueByPath (object, path, value) {"}}], "Body_Text": ["This function does not check if the attribute resolves to the object prototype. These codes can be used to add \"isAdmin: true\" to the object prototype.", "By using a denylist of dangerous attributes, this weakness can be eliminated."]}}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-2024-3283", "Description": "Application for using LLMs allows modification of a sensitive variable using mass assignment.", "Link": "https://www.cve.org/CVERecord?id=CVE-2024-3283"}, {"Reference": "CVE-2012-2054", "Description": "Mass assignment allows modification of arbitrary attributes using modified URL.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-2054"}, {"Reference": "CVE-2012-2055", "Description": "Source version control product allows modification of trusted key using mass assignment.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-2055"}, {"Reference": "CVE-2008-7310", "Description": "Attackers can bypass payment step in e-commerce product.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-7310"}, {"Reference": "CVE-2013-1465", "Description": "Use of PHP unserialize function on untrusted input allows attacker to modify application configuration.", "Link": "https://www.cve.org/CVERecord?id=CVE-2013-1465"}, {"Reference": "CVE-2012-3527", "Description": "Use of PHP unserialize function on untrusted input in content management system might allow code execution.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-3527"}, {"Reference": "CVE-2012-0911", "Description": "Use of PHP unserialize function on untrusted input in content management system allows code execution using a crafted cookie value.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-0911"}, {"Reference": "CVE-2012-0911", "Description": "Content management system written in PHP allows unserialize of arbitrary objects, possibly allowing code execution.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-0911"}, {"Reference": "CVE-2011-4962", "Description": "Content management system written in PHP allows code execution through page comments.", "Link": "https://www.cve.org/CVERecord?id=CVE-2011-4962"}, {"Reference": "CVE-2009-4137", "Description": "Use of PHP unserialize function on cookie value allows remote code execution or upload of arbitrary files.", "Link": "https://www.cve.org/CVERecord?id=CVE-2009-4137"}, {"Reference": "CVE-2007-5741", "Description": "Content management system written in Python interprets untrusted data as pickles, allowing code execution.", "Link": "https://www.cve.org/CVERecord?id=CVE-2007-5741"}, {"Reference": "CVE-2011-2520", "Description": "Python script allows local users to execute code via pickled data.", "Link": "https://www.cve.org/CVERecord?id=CVE-2011-2520"}, {"Reference": "CVE-2005-2875", "Description": "Python script allows remote attackers to execute arbitrary code using pickled objects.", "Link": "https://www.cve.org/CVERecord?id=CVE-2005-2875"}, {"Reference": "CVE-2013-0277", "Description": "Ruby on Rails allows deserialization of untrusted YAML to execute arbitrary code.", "Link": "https://www.cve.org/CVERecord?id=CVE-2013-0277"}, {"Reference": "CVE-2011-2894", "Description": "Spring framework allows deserialization of objects from untrusted sources to execute arbitrary code.", "Link": "https://www.cve.org/CVERecord?id=CVE-2011-2894"}, {"Reference": "CVE-2012-1833", "Description": "Grails allows binding of arbitrary parameters to modify arbitrary object properties.", "Link": "https://www.cve.org/CVERecord?id=CVE-2012-1833"}, {"Reference": "CVE-2010-3258", "Description": "Incorrect deserialization in web browser allows escaping the sandbox.", "Link": "https://www.cve.org/CVERecord?id=CVE-2010-3258"}, {"Reference": "CVE-2008-1013", "Description": "Media library allows deserialization of objects by untrusted Java applets, leading to arbitrary code execution.", "Link": "https://www.cve.org/CVERecord?id=CVE-2008-1013"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-885"}, {"@External_Reference_ID": "REF-886"}, {"@External_Reference_ID": "REF-887"}, {"@External_Reference_ID": "REF-888"}, {"@External_Reference_ID": "REF-889"}, {"@External_Reference_ID": "REF-890"}, {"@External_Reference_ID": "REF-891"}, {"@External_Reference_ID": "REF-892"}, {"@External_Reference_ID": "REF-893"}, {"@External_Reference_ID": "REF-894"}, {"@External_Reference_ID": "REF-464"}, {"@External_Reference_ID": "REF-466"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Maintenance", "#text": "The relationships between CWE-502 and CWE-915 need further exploration. CWE-915 is more narrowly scoped to object modification, and is not necessarily used for deserialization."}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2013-01-26", "Submission_Version": "2.4", "Submission_ReleaseDate": "2013-02-21"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2013-07-17", "Modification_Version": "2.5", "Modification_ReleaseDate": "2013-07-17", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-05-03", "Modification_Version": "2.11", "Modification_ReleaseDate": "2017-05-05", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-06-25", "Modification_Version": "4.1", "Modification_ReleaseDate": "2020-06-25", "Modification_Comment": "updated Alternate_Terms, Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-12-10", "Modification_Version": "4.3", "Modification_ReleaseDate": "2020-12-10", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-10-28", "Modification_Version": "4.6", "Modification_ReleaseDate": "2021-10-28", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description, Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-02-29", "Modification_Version": "4.14", "Modification_ReleaseDate": "2024-02-29", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-07-16", "Modification_Version": "4.15", "Modification_ReleaseDate": "2024-07-16", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Relationships"}], "Contribution": {"@Type": "Feedback", "Contribution_Name": "Dan Amodio, Dave Wichers", "Contribution_Organization": "Aspect Security", "Contribution_Date": "2013-01-26", "Contribution_Comment": "Suggested adding mass assignment, provided references, and clarified relationship with AutoBinding."}}}
