Category-485: 7PK -封装

ID: 485 Status: Draft


This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when the product does not sufficiently encapsulate critical data or functionality. According to the authors of the Seven Pernicious Kingdoms, "Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not."


CWE-486 使用名称来比较对象
CWE-488 对错误会话暴露数据元素
CWE-489 遗留的调试代码
CWE-491 公开的可克隆方法(对象劫持)
CWE-492 使用包含敏感数据的内部对象
CWE-493 缺少Final Modifier的关键公开变量
CWE-495 从公开方法中返回私有的数组类型数据域
CWE-496 公开数据赋值给私有的数组类型数据域
CWE-497 将系统数据暴露到未授权控制的范围
CWE-501 违背信任边界



The "encapsulation" term is used in multiple ways. Within some security sources, the term is used to describe the establishment of boundaries between different control spheres. Within general computing circles, it is more about hiding implementation details and maintainability than security. Even within the security usage, there is also a question of whether "encapsulation" encompasses the entire range of security problems.


REF-6 Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors