Exposure of Data Element to Wrong Session
CWE-488
Per technology (GHSA, All time)
- 100% Maven
Extended description
Data can "bleed" from one session to another through member variables of singleton objects, such as Servlets, and objects from a shared pool.
In the case of Servlets, developers sometimes do not understand that, unless a Servlet implements the SingleThreadModel interface, the Servlet is a singleton; there is only one instance of the Servlet, and that single instance is used and re-used to handle multiple requests that are processed simultaneously by different threads. A common result is that developers use Servlet member fields in such a way that one user may inadvertently see another user's data. In other words, storing user data in Servlet member fields introduces a data access race condition.
Best practices to prevent this CWE
Phase: Architecture and Design
Protect the application's sessions from information leakage. Make sure that one session's data is never used by, or visible to, another session.
Phase: Testing
Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).
Phase: Architecture and Design
In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet.
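The race described in the extended description and the last mitigation, as an added example that is not part of the CWE entry: a Servlet that keeps per-request state in a member field, beside the corrected form that keeps request-scoped data in local variables and user-scoped data in the HttpSession. It assumes the Servlet API (javax.servlet) is on the classpath, for instance via the javax.servlet:javax.servlet-api Maven dependency; the class and helper names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** CWE-488 pattern: the container creates ONE instance of this Servlet and
 *  dispatches concurrent requests to it on different threads, so the field
 *  below is shared by every request in flight. */
class LeakyAccountServlet extends HttpServlet {
    private String account;   // shared across threads: the bug

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        account = req.getParameter("account");          // thread A stores "alice"
        // Interleaving: thread B runs the line above and stores "bob" here,
        // before thread A reaches the read below.
        String balance = loadBalance(account);          // A now looks up bob's account
        resp.getWriter().println(balance);              // alice's response shows bob's data
    }

    // Hypothetical data-access helper standing in for a real lookup.
    private String loadBalance(String acct) {
        return "balance for " + acct;
    }
}

/** Corrected: no per-request or per-user state in fields. Locals live on the
 *  handling thread's stack, and HttpSession is keyed by the container to the
 *  caller's own session cookie, so neither is reachable from another request.
 *  This also avoids SingleThreadModel, which is deprecated in the Servlet API. */
class SafeAccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String account = req.getParameter("account");   // thread-confined
        String balance = loadBalance(account);
        // Per-user state (e.g. the last account viewed) belongs in the session.
        req.getSession().setAttribute("lastAccount", account);
        resp.getWriter().println(balance);
    }

    // Hypothetical data-access helper standing in for a real lookup.
    private String loadBalance(String acct) {
        return "balance for " + acct;
    }
}
```

A static analysis rule for this pattern (the "Singleton Member Field" check mentioned above) flags any non-final, non-constant instance field written inside a Servlet's request-handling methods, which is exactly the `account` field in the first class.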